Re: [Openvpn-users] "--askpass file" is evil!

  • Subject: Re: [Openvpn-users] "--askpass file" is evil!
  • From: James Yonan <jim@xxxxxxxxx>
  • Date: Fri, 3 Dec 2004 14:18:13 -0700 (MST)

On Fri, 3 Dec 2004, Mathias Sundman wrote:

> On Fri, 3 Dec 2004, Erik Anderson wrote:
> >> On Thu, 2 Dec 2004, James Yonan wrote:
> >> 
> >>> How about a ./configure option such as --disable-password-save (and
> >>> corresponding #define flag for Windows build in config-win32.h)?
> >>> 
> >>> This flag would then disable the optional file argument to --askpass and
> >>> --auth-user-pass.
> >> 
> >> That could be a solution -- if we reverse it! Make the option disabled by 
> >> default, so you have to use --enable-password-save on ./configure to get 
> >> this feature. This would mean that binary distributions, and typical builds 
> >> by normal users will lack this feature.
> >> 
> >> Those few people who need to set up an un-attended system with a passphrase 
> >> protected key can go through the trouble of building their own openvpn 
> >> binary from source.
> >> 
> >> This will make it a lot harder for normal users to circumvent security.
> >> 
> >> Another way of dealing with it is like we discussed to do it with the GUI, 
> >> by having a PUSHable option that would cause the openvpn client to abort 
> >> the connection if the passphrase had been read from a file. The very same 
> >> option could then also be used by a GUI to control whether to allow a user 
> >> to save the passphrase or not.
> >
> > Umm, what would prevent someone from saying --enable-password-save --askpass 
> > on the command line?  At least a disable-password-save cannot be overridden 
> > once it's been said somewhere...
> The --enable-password-save option I proposed was of course a ./configure 
> option controlling the build, not a cmd-line option to the openvpn binary.
> If built without password-save support, --askpass wouldn't work as 
> cmd-line option.
> If using a pushable option, that should of course not be accepted as a 
> cmd-line option on the client overriding the pushed option.

I'm happy with making --enable-password-save a ./configure option.  The
question then is how to default it.  I would tend to lean towards
disabling it by default, as that is generally in line with the basic
security principle of selecting by default the higher security option when
faced with a less-security/more-security choice.
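The build-time gate discussed in this thread, as an added illustration that is not OpenVPN's code and not something any poster wrote: a hypothetical option parser where the optional file argument to --askpass and --auth-user-pass is only honoured when the binary was compiled with a macro assumed here to be named ENABLE_PASSWORD_SAVE (modelling ./configure --enable-password-save). With the macro undefined, which is the secure default the thread leans towards, a file argument is rejected at startup and cannot be re-enabled from the command line. The sample command line and option names in main() are constructed for the demonstration.

```c
/* Hypothetical compile-time gate for the optional file argument of
 * --askpass / --auth-user-pass. Illustration only; not OpenVPN's code.
 * Build with -DENABLE_PASSWORD_SAVE to model "./configure --enable-password-save";
 * leaving it undefined models the secure default discussed in the thread. */
#include <stdio.h>
#include <stddef.h>
#include <string.h>

enum askpass_mode {
    ASKPASS_REJECTED = -1,  /* file argument given but support compiled out */
    ASKPASS_PROMPT   =  0,  /* no file argument: prompt interactively */
    ASKPASS_FILE     =  1   /* read the passphrase from the named file */
};

/* 1 if this binary was built with password-save support, else 0. */
int password_save_enabled(void)
{
#ifdef ENABLE_PASSWORD_SAVE
    return 1;
#else
    return 0;
#endif
}

/* Decide how a password option behaves given the token that follows it on
 * the command line (NULL when the option is the last token). A following
 * token that starts with "--" is the next option, not a file name. */
enum askpass_mode resolve_password_option(const char *next_token)
{
    if (next_token == NULL || strncmp(next_token, "--", 2) == 0)
        return ASKPASS_PROMPT;
    /* An explicit file name was supplied: honour it only if the build allows it. */
    return password_save_enabled() ? ASKPASS_FILE : ASKPASS_REJECTED;
}

/* Walk an argv-style vector and report each password option's resolution.
 * Returns the number of rejected options so a caller can abort startup. */
int check_password_options(int argc, char **argv)
{
    int rejected = 0;
    for (int i = 1; i < argc; i++) {
        if (strcmp(argv[i], "--askpass") != 0 &&
            strcmp(argv[i], "--auth-user-pass") != 0)
            continue;
        const char *next = (i + 1 < argc) ? argv[i + 1] : NULL;
        enum askpass_mode m = resolve_password_option(next);
        if (m == ASKPASS_REJECTED) {
            fprintf(stderr, "%s: file argument '%s' not permitted: "
                    "built without --enable-password-save\n", argv[i], next);
            rejected++;
        } else if (m == ASKPASS_FILE) {
            printf("%s: will read credentials from %s\n", argv[i], next);
            i++;  /* consume the file name */
        } else {
            printf("%s: will prompt interactively\n", argv[i]);
        }
    }
    return rejected;
}

int main(void)
{
    /* Constructed sample command line for the demonstration. */
    char *sample[] = { "openvpn", "--askpass", "key.pass",
                       "--auth-user-pass", "--config", "client.ovpn" };
    int n = (int)(sizeof sample / sizeof sample[0]);
    int bad = check_password_options(n, sample);
    printf("rejected options: %d (password-save %s)\n", bad,
           password_save_enabled() ? "enabled" : "disabled");
    return bad ? 1 : 0;
}
```

Compiled without the macro, "--askpass key.pass" is rejected and the process exits non-zero, while a bare "--auth-user-pass" still prompts; compiling with -DENABLE_PASSWORD_SAVE is the only way to make the file argument work, which is the point of putting the choice in ./configure rather than on the command line.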


