[OpenVPN home] [Date Prev] [Date Index] [Date Next]
[OpenVPN mailing lists] [Thread Prev] [Thread Index] [Thread Next]
Google
 
Web openvpn.net

Re: [Openvpn-users] Re: "--askpass file" is evil!


  • Subject: Re: [Openvpn-users] Re: "--askpass file" is evil!
  • From: Mathias Sundman <mathias@xxxxxxxxxx>
  • Date: Sat, 15 Jan 2005 00:03:29 +0100 (CET)

On Fri, 14 Jan 2005, Ray Lee wrote:

[Resurrecting a month-old thread, apologies]

James Yonan <jim <at> yonan.net> writes:
I'm happy with making --enable-password-save a ./configure option.  The
question then is how to default it.  I would tend to lean towards
disabling it by default, as that is generally in line with the basic
security principle of selecting by default the higher security option when
faced with a less-security/more-security choice.

Okay, so I'm deploying OpenVPN on a network of headless, embedded machines. What's the recommended way of doing this if the consensus is that --askpass [file] and --auth-user-pass [file] are Evil(tm)? Is the only recourse a constant reconfigure-recompile cycle against my distribution (Debian) reenabling the options, or is there another (approved) way to handle headless boxes that I'm missing?

If they are headless, who is going to type the passphrase? Why not just use a non-encrypted private key?


If you are going to put the the passphrase in a file, how do you plan to protect it better than the private key itself? If it isn't better secured, you gain nothing from encrypting the key in first place.

If you really must use a passphrase protected key, then yes you will have to recompile from source.

--
_____________________________________________________________
Mathias Sundman                  (^)   ASCII Ribbon Campaign
OpenVPN GUI for Windows           X    NO HTML/RTF in e-mail
http://www.nilings.se/openvpn    / \   NO Word docs in e-mail


------------------------------------------------------- The SF.Net email is sponsored by: Beat the post-holiday blues Get a FREE limited edition SourceForge.net t-shirt from ThinkGeek. It's fun and FREE -- well, almost....http://www.thinkgeek.com/sfshirt _______________________________________________ Openvpn-users mailing list Openvpn-users@xxxxxxxxxxxxxxxxxxxxx https://lists.sourceforge.net/lists/listinfo/openvpn-users