
Re: [Openvpn-users] Re: "--askpass file" is evil!

  • Subject: Re: [Openvpn-users] Re: "--askpass file" is evil!
  • From: James Yonan <jim@xxxxxxxxx>
  • Date: Fri, 14 Jan 2005 19:19:25 -0700 (MST)

On Fri, 14 Jan 2005, Ray Lee wrote:

> [Resurrecting a month-old thread, apologies]
> James Yonan <jim <at> yonan.net> writes:
> > I'm happy with making --enable-password-save a ./configure option.  The
> > question then is how to default it.  I would tend to lean towards
> > disabling it by default, as that is generally in line with the basic
> > security principle of selecting by default the higher security option when
> > faced with a less-security/more-security choice.
> Okay, so I'm deploying OpenVPN on a network of headless, embedded machines.
> What's the recommended way of doing this if the consensus is that --askpass
> [file] and --auth-user-pass [file] are Evil(tm)? Is the only recourse a constant
> reconfigure-recompile cycle against my distribution (Debian) reenabling the
> options, or is there another (approved) way to handle headless boxes that I'm
> missing?

As other posters have mentioned, OpenVPN doesn't require a 
password-protected key.

However, if you really don't want to have cleartext keys lying around on a
headless box, another method would be to encrypt the key and then supply
the password remotely using the management interface.  You'd need a 
secondary secure channel to do that, of course, such as ssh or a separate 
OpenVPN instance.
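The exchange James describes, as an added example that is not part of the original post and not OpenVPN's own code: the headless box keeps only an encrypted key, and an operator answers the daemon's passphrase prompt over the management interface. It assumes the daemon is started with `management 127.0.0.1 7505` and `management-query-passwords` (both real OpenVPN 2.x options), and that the operator reaches that port through an ssh port forward such as `ssh -L 7505:127.0.0.1:7505 headless-box`, which is the secondary secure channel the post mentions. The host, port and the sample daemon output below are placeholders and constructed data, not captured from a real instance.

```python
"""Supply an encrypted private key's passphrase to OpenVPN over its management
interface.  Added example for this thread; not OpenVPN code.  Assumed setup
(labelled): `management 127.0.0.1 7505` plus `management-query-passwords` on the
headless box, reached through an ssh port forward.  Host/port are placeholders."""
import getpass
import io
import socket

PROMPT_PREFIX = ">PASSWORD:Need '"

# Constructed sample of the daemon side of the exchange, modelled on the
# documented management-interface format; not a capture from a real instance.
SAMPLE_DAEMON_OUTPUT = (
    ">INFO:OpenVPN Management Interface Version 1 -- type 'help' for more info\r\n"
    ">PASSWORD:Need 'Private Key' password\r\n"
    "SUCCESS: 'Private Key' password entered, but not yet verified\r\n"
)


def quote_arg(value: str) -> str:
    """Quote one management-interface argument; backslash and double quote are escaped."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def parse_password_prompt(line: str):
    """Parse `>PASSWORD:Need '<type>' password` or `... username/password`.

    Returns (type, needs_username), or None for any line that is not such a prompt.
    """
    line = line.rstrip("\r\n")
    if not line.startswith(PROMPT_PREFIX):
        return None
    kind, sep, tail = line[len(PROMPT_PREFIX):].partition("' ")
    if not sep:
        return None
    if tail == "password":
        return kind, False
    if tail == "username/password":
        return kind, True
    return None


def responses_for(line: str, secrets: dict) -> list:
    """Commands answering one daemon line; empty when it is not a prompt we hold a secret for."""
    parsed = parse_password_prompt(line)
    if parsed is None or parsed[0] not in secrets:
        return []
    kind, needs_username = parsed
    entry = secrets[kind]
    cmds = []
    if needs_username:
        cmds.append(f"username {quote_arg(kind)} {quote_arg(entry['username'])}")
    cmds.append(f"password {quote_arg(kind)} {quote_arg(entry['password'])}")
    return cmds


def answer_prompts(reader, writer, secrets: dict, max_lines: int = 1000):
    """Read daemon lines, answer the prompts, and stop once every answer has been
    acknowledged with SUCCESS or the daemon reports a failure.
    Returns (commands sent, status lines seen)."""
    sent, status, pending = [], [], 0
    for _ in range(max_lines):
        line = reader.readline()
        if not line:
            break
        cmds = responses_for(line, secrets)
        for cmd in cmds:
            writer.write(cmd + "\n")
        if cmds:
            writer.flush()
            sent.extend(cmds)
            pending += len(cmds)  # the daemon acknowledges each command separately
        if line.startswith("SUCCESS:"):
            status.append(line.rstrip("\r\n"))
            pending -= 1
            if sent and pending == 0:
                break
        elif line.startswith("ERROR:") or line.startswith(">PASSWORD:Verification Failed"):
            status.append(line.rstrip("\r\n"))
            break
    return sent, status


def demo():
    """Run the exchange against the constructed sample instead of a live socket."""
    out = io.StringIO()
    return answer_prompts(io.StringIO(SAMPLE_DAEMON_OUTPUT), out,
                          {"Private Key": {"password": "example-passphrase"}})


def main(host: str = "127.0.0.1", port: int = 7505):
    # Placeholder endpoint: the local end of the operator's ssh port forward.
    secrets = {"Private Key": {"password": getpass.getpass("private key passphrase: ")}}
    with socket.create_connection((host, port)) as sock:
        f = sock.makefile("rw")
        sent, status = answer_prompts(f, f, secrets)
    for line in status:
        print(line)


if __name__ == "__main__":
    main()
```

The passphrase is typed on the operator's workstation and never written to the headless box's filesystem, which is the whole point of the scheme. The management socket is bound to localhost because whoever can reach it can answer prompts and drive the daemon, so the ssh forward is what stands in for the missing local console.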

