[OpenVPN home] [Date Prev] [Date Index] [Date Next]
[OpenVPN mailing lists] [Thread Prev] [Thread Index] [Thread Next]
Google
 
Web openvpn.net

Re: [Openvpn-users] "--askpass file" is evil!


  • Subject: Re: [Openvpn-users] "--askpass file" is evil!
  • From: Mathias Sundman <mathias@xxxxxxxxxx>
  • Date: Fri, 3 Dec 2004 22:47:58 +0100 (CET)

On Fri, 3 Dec 2004, James Yonan wrote:

On Fri, 3 Dec 2004, Mathias Sundman wrote:

On Fri, 3 Dec 2004, Erik Anderson wrote:

On Thu, 2 Dec 2004, James Yonan wrote:

How about a ./configure option such as --disable-password-save (and
corresponding #define flag for Windows build in config-win32.h)?

This flag would then disable the optional file argument to --askpass and
--auth-user-pass.

That could be a solution -- if we reverse it! Make the option disabled by default, so you have to use --enable-password-save on ./configure to get this feature. This would mean thay binary distributions, and typical builds by normal users will lack this feature.

Those few people who need to setup an un-attended system with a passphrase
protected key can go through the trouble of building their own openvpn
binary from source.

This will make it alot harder for normal users to circumvent security.

Another way of dealing with it is like we discussed to do it with the GUI,
by having a PUSHable option that would cause the openvpn client to abort
the connection if the passphrase had been read from a file. The very same
option could then also be used by a GUI to control whether to allow a user
to save the passphrase or not.

Umm, what would prevent someone from saying --enable-password-save --askpass on the command line? At least a disable-password-save cannot be overridden once it's been said somewhere...

The --enable-password-save option I proposed was of cource a ./configure option controlling the build, not a cmd-line option to the openvpn binary.

If built without password-save support, --askpass wouldn't work as
cmd-line option.

If using a pushable option, that should of cource not be accepted as a
cmd-line option on the client overriding the pushed option.

I'm happy with making --enable-password-save a ./configure option. The question then is how to default it. I would tend to lean towards disabling it by default, as that is generally in line with the basic security principle of selecting by default the higher security option when faced with a less-security/more-security choice.

Yes, that what exactly my opinion too.

I think that should make just about everyone happy. Normal users using a binary distribution of OpenVPN will not have this option available, but advanced users that have the need for it can recompile openvpn with this option enabled.

--
_____________________________________________________________
Mathias Sundman                  (^)   ASCII Ribbon Campaign
OpenVPN GUI for Windows           X    NO HTML/RTF in e-mail
http://www.nilings.se/openvpn    / \   NO Word docs in e-mail