On Fri, 14 Jan 2005, Ray Lee wrote:

> [Resurrecting a month-old thread, apologies]
>
> James Yonan <jim <at> yonan.net> writes:
> > I'm happy with making --enable-password-save a ./configure option. The
> > question then is how to default it. I would tend to lean towards
> > disabling it by default, as that is generally in line with the basic
> > security principle of selecting by default the higher security option when
> > faced with a less-security/more-security choice.
>
> Okay, so I'm deploying OpenVPN on a network of headless, embedded machines.
> What's the recommended way of doing this if the consensus is that --askpass
> [file] and --auth-user-pass [file] are Evil(tm)? Is the only recourse a constant
> reconfigure-recompile cycle against my distribution (Debian) reenabling the
> options, or is there another (approved) way to handle headless boxes that I'm

If they are headless, who is going to type the passphrase? Why not just
use a non-encrypted private key?

If you are going to put the passphrase in a file, how do you plan to
protect it better than the private key itself? If it isn't better secured,
you gain nothing from encrypting the key in the first place.

If you really must use a passphrase-protected key, then yes you will have
to recompile from source.

Mathias Sundman (^) ASCII Ribbon Campaign
OpenVPN GUI for Windows X NO HTML/RTF in e-mail
http://www.nilings.se/openvpn / \ NO Word docs in e-mail
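
The comparison raised in the reply above (is a stored passphrase protected any better than the private key it unlocks?) can be checked mechanically. The following is an added example, not code from the thread or from OpenVPN. It assumes Unix owner and permission bits are the only protection in play, and all function names and the sample files are constructed for illustration.

```python
import os
import stat
import tempfile

# "key" is OpenVPN's private-key option; the other two take the stored-secret file.
SECRET_DIRECTIVES = {"key", "askpass", "auth-user-pass"}

def secret_files(config_text):
    """Map each secret-bearing directive to the file path given as its argument."""
    found = {}
    for line in config_text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0].lstrip("-") in SECRET_DIRECTIVES:
            found[parts[0].lstrip("-")] = parts[1]
    return found

def exposure(path):
    """Return (owner uid, permission bits granted to group and others)."""
    st = os.stat(path)
    return st.st_uid, stat.S_IMODE(st.st_mode) & 0o077

def audit(config_text):
    """List findings about how the config's secret files are protected."""
    files = secret_files(config_text)
    findings = []
    for name, path in sorted(files.items()):
        if exposure(path)[1]:
            findings.append(f"{name}: group/other can access {path}")
    if "key" in files and "askpass" in files:
        (k_uid, k_bits), (p_uid, p_bits) = exposure(files["key"]), exposure(files["askpass"])
        # Same owner and no access bit on the key that the passphrase file lacks:
        # whoever can read the key can read the passphrase too.
        if k_uid == p_uid and (k_bits & ~p_bits) == 0:
            findings.append("askpass: passphrase file is no better protected than the key")
    return findings

def demo_config(directory, key_mode, pass_mode):
    """Create constructed key and passphrase files; return a config naming them."""
    lines = []
    for opt, name, mode in (("key", "client.key", key_mode), ("askpass", "pass.txt", pass_mode)):
        path = os.path.join(directory, name)
        with open(path, "w") as fh:
            fh.write("constructed sample, not a real secret\n")
        os.chmod(path, mode)
        lines.append(f"{opt} {path}")
    return "\n".join(lines)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(audit(demo_config(tmp, 0o600, 0o600)))
```

Even with both files at mode 0600 the audit reports the passphrase finding, because the same owner can read both.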