Re: [Openvpn-users] "--askpass file" is evil!


  • Subject: Re: [Openvpn-users] "--askpass file" is evil!
  • From: "Erik Anderson" <erikba@xxxxxxxxxxxxxxxxx>
  • Date: Fri, 3 Dec 2004 09:32:17 -0800


----- Original Message -----
From: "Mathias Sundman" <mathias@xxxxxxxxxx>
To: "James Yonan" <jim@xxxxxxxxx>
Cc: <Openvpn-users@xxxxxxxxxxxxxxxxxxxxx>
Sent: Friday, December 03, 2004 7:36 AM
Subject: Re: [Openvpn-users] "--askpass file" is evil!



On Thu, 2 Dec 2004, James Yonan wrote:

> How about a ./configure option such as --disable-password-save (and
> corresponding #define flag for Windows build in config-win32.h)?
>
> This flag would then disable the optional file argument to --askpass and
> --auth-user-pass.

That could be a solution -- if we reverse it! Make the option disabled by default, so you have to use --enable-password-save on ./configure to get this feature. This would mean that binary distributions, and typical builds by normal users, will lack this feature.


Those few people who need to set up an unattended system with a passphrase-protected key can go through the trouble of building their own openvpn binary from source.

This will make it a lot harder for normal users to circumvent security.

Another way of dealing with it is like we discussed to do it with the GUI, by having a PUSHable option that would cause the openvpn client to abort the connection if the passphrase had been read from a file. The very same option could then also be used by a GUI to control whether to allow a user to save the passphrase or not.

Umm, what would prevent someone from saying --enable-password-save --askpass on the command line? At least a disable-password-save cannot be overridden once it's been said somewhere...



____________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users
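The distinction Erik draws above (a compile-time disable cannot be overridden from the command line, whereas a runtime switch can) is easy to see in code. The following is an added example, not OpenVPN's own option parser and not written by anyone in this thread. The macro name ENABLE_PASSWORD_SAVE, the function names and the result enum are assumptions chosen for this illustration; the check that refuses a passphrase file readable by group or others is likewise an added defensive detail that the thread does not mention. With the macro left undefined (Mathias' proposed default), the binary simply contains no code path that reads a passphrase from a file, so a hypothetical --enable-password-save typed at runtime is just an unknown option.

```c
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>

/*
 * Build-time switch standing in for the ./configure option discussed in the
 * thread. The macro name is an assumption for this example. Following the
 * "disabled by default" proposal it is left undefined here; define it (for
 * instance with -DENABLE_PASSWORD_SAVE) to build a binary that accepts a
 * file argument to --askpass.
 */
/* #define ENABLE_PASSWORD_SAVE 1 */

enum askpass_result {
    ASKPASS_NONE,         /* --askpass not given at all */
    ASKPASS_PROMPT,       /* --askpass without a file: prompt interactively */
    ASKPASS_FROM_FILE,    /* file argument accepted, passphrase read from it */
    ASKPASS_DISABLED,     /* file argument given, but the feature is compiled out */
    ASKPASS_UNREADABLE,   /* file cannot be stat()ed */
    ASKPASS_INSECURE      /* file is readable by group or others */
};

/* Decide how "--askpass [file]" is handled in this build. */
enum askpass_result handle_askpass(const char *file_arg)
{
    if (file_arg == NULL || file_arg[0] == '\0')
        return ASKPASS_PROMPT;

#ifdef ENABLE_PASSWORD_SAVE
    /* Added defensive check (not from the thread): refuse a passphrase file
     * that other accounts on the host could read. */
    struct stat st;
    if (stat(file_arg, &st) != 0)
        return ASKPASS_UNREADABLE;
    if (st.st_mode & (S_IRWXG | S_IRWXO))
        return ASKPASS_INSECURE;
    return ASKPASS_FROM_FILE;
#else
    /* The file-reading branch does not exist in this binary, so nothing
     * passed on the command line can switch it back on. */
    return ASKPASS_DISABLED;
#endif
}

/* Walk argv looking for --askpass and its optional file argument.
 * A runtime "--enable-password-save" is deliberately not recognised:
 * the decision was made when the binary was built. */
enum askpass_result scan_args(int argc, char **argv)
{
    for (int i = 1; i < argc; i++) {
        if (strcmp(argv[i], "--askpass") == 0) {
            const char *file = NULL;
            /* A following token that is not another option is the file name. */
            if (i + 1 < argc && strncmp(argv[i + 1], "--", 2) != 0)
                file = argv[i + 1];
            return handle_askpass(file);
        }
    }
    return ASKPASS_NONE;
}

static const char *result_name(enum askpass_result r)
{
    switch (r) {
    case ASKPASS_NONE:       return "no --askpass given";
    case ASKPASS_PROMPT:     return "prompt interactively for the passphrase";
    case ASKPASS_FROM_FILE:  return "read passphrase from file";
    case ASKPASS_DISABLED:   return "error: file argument to --askpass not supported in this build";
    case ASKPASS_UNREADABLE: return "error: cannot read passphrase file";
    case ASKPASS_INSECURE:   return "error: passphrase file is group/other accessible";
    }
    return "unknown";
}

/* Try e.g.: ./a.out --askpass            (prompts)
 *           ./a.out --askpass pass.txt   (rejected unless built with the macro) */
int main(int argc, char **argv)
{
    printf("%s\n", result_name(scan_args(argc, argv)));
    return 0;
}
```

The point of the #ifdef is that the rejected case is not a policy check that a later option could flip; the code that would open the file was never compiled in. A PUSHable "abort if the passphrase came from a file" option, as discussed for the GUI, is the complementary runtime control and would sit in the caller that receives ASKPASS_FROM_FILE.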