Re: [Openvpn-users] Re: "--askpass file" is evil!

  • Subject: Re: [Openvpn-users] Re: "--askpass file" is evil!
  • From: Leonard Isham <leonard.isham@xxxxxxxxx>
  • Date: Fri, 14 Jan 2005 15:51:11 -0500

On Fri, 14 Jan 2005 18:40:59 +0000 (UTC), Ray Lee
<ray-openvpn@xxxxxxxxxxxxx> wrote:
> [Resurrecting a month-old thread, apologies]
> James Yonan <jim <at> yonan.net> writes:
> > I'm happy with making --enable-password-save a ./configure option.  The
> > question then is how to default it.  I would tend to lean towards
> > disabling it by default, as that is generally in line with the basic
> > security principle of selecting by default the higher security option when
> > faced with a less-security/more-security choice.
> Okay, so I'm deploying OpenVPN on a network of headless, embedded machines.
> What's the recommended way of doing this if the consensus is that --askpass
> [file] and --auth-user-pass [file] are Evil(tm)? Is the only recourse a constant
> reconfigure-recompile cycle against my distribution (Debian) reenabling the
> options, or is there another (approved) way to handle headless boxes that I'm
> missing?
>
> Thanks for all your hard work, everyone. OpenVPN is working quite well for us.

That's what the node (?) option is for with the certificate.  The
certificate is generated w/o a password; since the node is secure, the
password is not needed.

Leonard Isham, CISSP 
Ostendo non ostento.
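
A passphrase-less key on a headless box is protected only by its file permissions, so both properties are worth checking before deployment. The script below is an added example, not part of the original message or of OpenVPN; it assumes the node's private key is a PEM file, and the function names are hypothetical.

```shell
#!/bin/sh
# Audit a PEM private key meant for an unattended (headless) node.
# audit_key returns 0 only if the key needs no passphrase AND is
# inaccessible to group/other; 1 on a finding; 2 if the file is missing.

key_is_encrypted() {
    # Traditional PEM marks encryption with a Proc-Type header;
    # PKCS#8 uses a distinct BEGIN line.
    grep -Eq '^(Proc-Type: 4,ENCRYPTED|-----BEGIN ENCRYPTED PRIVATE KEY-----)' "$1"
}

key_mode_is_private() {
    # Characters 5-10 of `ls -l` output are the group and other bits.
    # -L follows a symlink so the real key file is what gets checked.
    perms=$(ls -ldL "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}

audit_key() {
    f=$1
    rc=0
    if [ ! -f "$f" ]; then
        echo "MISSING $f"
        return 2
    fi
    if key_is_encrypted "$f"; then
        echo "ENCRYPTED $f: needs a passphrase at start-up"
        rc=1
    fi
    if ! key_mode_is_private "$f"; then
        echo "EXPOSED $f: accessible to group or other"
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "OK $f"
    fi
    return "$rc"
}

# Command-line use: sh audit_key.sh /path/to/client.key [...]
status=0
for k in "$@"; do
    audit_key "$k" || status=1
done
```

A key reported as `EXPOSED` can be tightened with `chmod 600` on the file.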
