On Thursday 04 November 2004 08:12, Mathias Sundman wrote:
> (I CC the list for more comments...)
>
> On Thu, 4 Nov 2004, Eric E. Bowles wrote:
[...]
> > I have what I think is a relatively simple feature request: when using
> > 'auth-user-pass' on the client side, it would be nice if the username and
> > password could be optionally saved after typing it in once, just like in
> > the standard Microsoft VPN client. There might also be another menu
> > option to delete or edit the username and password.
> >
> > Would this be a useful addition?
>
> Yes, it would probably be a useful feature for some,
>
> but, it's also a big security breach to save passwords. I think some
> people have moved to OpenVPN for this very reason, to protect against users
> saving their passwords, like they could with the MS VPN client...
>
> So, I'd like to get more input from the list whether you want such a
> feature or not?

I don't like that idea, because it is a security breach. This feature would maybe be okay if the user couldn't remove the password from the cert (keyfile), but because that is a basic openssl feature it is too dangerous to store the username/password anywhere.

Think of the following situation: a road warrior with a notebook removes the password from the cert and additionally stores the username/password somewhere (within the GUI). If his notebook gets stolen, an attacker only needs to hack the Windows account of the user (which also has admin rights; hacking a Windows account is not difficult at all) and he can establish an OpenVPN connection and attack the office LAN. There will be no password check at all. Or think of the situation where somebody hasn't locked his workstation, even when he is away from his computer for hours... no password, no security at all. It would make the new username/password feature more or less useless.

The only way to solve this (in my humble opinion): if auth-user-pass is enabled, then the client sends the username and password to the server. Maybe it's possible to send not only the auth info, but also the information whether the user typed in his password or used the "stored password" feature. So every administrator can decide whether the server should accept stored passwords or not... But maybe it is better to just leave it the way it is.

I also don't like the feature of using a plaintext password file in addition to the --auth-user-pass option. I think even in this situation the server should know that the client used a username/password from a file, so that the admin can decide whether to accept such connections or not. I don't like it if the user can decide such things...

Mathias & James: Any comments on my idea to solve this issue?

--Ralph

____________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users
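The failure mode Ralph describes above (a client key whose passphrase was stripped with openssl, combined with a username/password stored on disk via `auth-user-pass <file>`) can be spotted on the client side by auditing the profile. The following is an added example written for this page, not code from the OpenVPN project or from anyone in the thread. It assumes the two real OpenVPN client options `key <file>` (or an inline `<key>` block) and `auth-user-pass [file]`, and recognises an encrypted PEM key by the `Proc-Type: 4,ENCRYPTED` header (traditional OpenSSL format) or a `BEGIN ENCRYPTED PRIVATE KEY` line (PKCS#8). The sample configs and key bodies are constructed placeholders, not real deployments or real keys; a real tool would read the referenced key file from disk instead of taking it from a dict.

```python
# Added example (not OpenVPN project code): audit an OpenVPN client profile for the
# "nothing left to type" failure mode discussed on the list. Sample configs and
# key material below are constructed placeholders, not real keys.

# Markers for an encrypted PEM private key: traditional OpenSSL format carries a
# "Proc-Type: 4,ENCRYPTED" header; PKCS#8 uses a distinct BEGIN line.
ENCRYPTED_KEY_MARKERS = ("Proc-Type: 4,ENCRYPTED", "BEGIN ENCRYPTED PRIVATE KEY")


def key_is_encrypted(pem: str) -> bool:
    """True if the PEM text is a passphrase-protected private key."""
    return any(marker in pem for marker in ENCRYPTED_KEY_MARKERS)


def _strip_comment(line: str) -> str:
    # OpenVPN config comments start with '#' or ';' at the beginning of a line.
    s = line.strip()
    return "" if s.startswith(("#", ";")) else s


def parse_client_config(text: str) -> dict:
    """Pull out only the options this audit cares about.

    Returns: auth_user_pass (bool), auth_user_pass_file (str|None),
             key_file (str|None), inline_key (str|None).
    """
    result = {"auth_user_pass": False, "auth_user_pass_file": None,
              "key_file": None, "inline_key": None}
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = _strip_comment(lines[i])
        i += 1
        if not line:
            continue
        if line == "<key>":                       # inline key block, taken verbatim
            body = []
            while i < len(lines) and lines[i].strip() != "</key>":
                body.append(lines[i])
                i += 1
            i += 1                                # skip the closing </key>
            result["inline_key"] = "\n".join(body)
            continue
        opt, *args = line.split()
        if opt == "auth-user-pass":
            result["auth_user_pass"] = True
            if args:                              # "auth-user-pass creds.txt": stored on disk
                result["auth_user_pass_file"] = args[0]
        elif opt == "key" and args:
            result["key_file"] = args[0]
    return result


def audit_client_config(text: str, key_files: dict) -> list:
    """Return finding codes for one client profile.

    key_files maps a file named by 'key <file>' to its PEM text (hypothetical stand-in
    for reading the file from disk); a referenced but missing file raises KeyError.
    """
    cfg = parse_client_config(text)
    findings = []
    if cfg["auth_user_pass_file"]:
        findings.append("stored-credentials")
    pem = cfg["inline_key"]
    if pem is None and cfg["key_file"]:
        pem = key_files[cfg["key_file"]]
    if pem is not None and not key_is_encrypted(pem):
        findings.append("passphrase-less-key")
    # The scenario from the thread: neither the key nor the user/pass step requires
    # the user to supply a secret, so whoever holds the disk or an unlocked session
    # can connect. Also fires for a pure user/pass profile with stored credentials.
    key_needs_secret = pem is not None and key_is_encrypted(pem)
    user_needs_secret = cfg["auth_user_pass"] and cfg["auth_user_pass_file"] is None
    if not key_needs_secret and not user_needs_secret:
        findings.append("no-user-secret-required")
    return findings


# Constructed sample: the risky road-warrior setup (key file + stored credentials).
RISKY_CONFIG = """\
client
dev tun
remote vpn.example.com 1194
ca ca.crt
cert laptop.crt
key laptop.key
auth-user-pass creds.txt
"""

# Constructed placeholder for laptop.key after the passphrase was removed with
# openssl; the body is not a real key.
PLAIN_KEY = ("-----BEGIN RSA PRIVATE KEY-----\n"
             "PLACEHOLDERKEYBODYNOTREALKEY\n"
             "-----END RSA PRIVATE KEY-----\n")

# Constructed sample: same profile, but the key keeps its passphrase and the user
# is prompted for username/password on every connect.
SAFER_CONFIG = """\
client
dev tun
remote vpn.example.com 1194
ca ca.crt
cert laptop.crt
auth-user-pass
<key>
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,0123456789ABCDEF0123456789ABCDEF

PLACEHOLDERKEYBODYNOTREALKEY
-----END RSA PRIVATE KEY-----
</key>
"""

if __name__ == "__main__":
    print("risky:", audit_client_config(RISKY_CONFIG, {"laptop.key": PLAIN_KEY}))
    print("safer:", audit_client_config(SAFER_CONFIG, {}))
```

The check is deliberately client-side: as Ralph notes, the server cannot currently tell whether the credentials it receives were typed or read from a file, so the only place the combination of a passphrase-less key and on-disk credentials is visible is in the profile itself.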