On Thu, 4 Nov 2004, Ralph Passgang wrote:

> On Thursday 04 November 2004 08:12, Mathias Sundman wrote:
> > (I CC the list for more comments...)
> >
> > On Thu, 4 Nov 2004, Eric E. Bowles wrote:
> [...]
> > > I have what I think is a relatively simple feature request: when using
> > > 'auth-user-pass' on the client side, it would be nice if the username and
> > > password could be optionally saved after typing it in once, just like in
> > > the standard Microsoft VPN client. There might also be another menu
> > > option to delete or edit the username and password.
> > >
> > > Would this be a useful addition?
> >
> > Yes, it would probably be a useful feature for some,
> >
> > but it's also a big security breach to save passwords. I think some
> > people have moved to OpenVPN for this very reason, to protect against users
> > saving their passwords, like they could with the MS VPN client...
> >
> > So, I'd like to get more input from the list on whether you want such a
> > feature or not.
>
> I don't like that idea, because it is a security breach.
>
> This feature would maybe be okay if the user can't remove the password from
> the cert (keyfile), but because that is a basic openssl feature it is too
> dangerous to store the username/password anywhere.
>
> Think of the following situation:
> A road warrior with a notebook removes the password from the cert and additionally
> stores the username/password somewhere (within the GUI). If his notebook gets
> stolen, then an attacker only needs to hack the Windows account of the user
> (which also has admin rights; hacking a Windows account is not difficult at
> all) and he can establish an OpenVPN connection and attack the office LAN. There
> will be no password check at all.
>
> Or think of the situation where somebody hasn't locked his workstation, even
> when he is away from his computer for hours... no password, no security at all.
>
> It would make the new username/password feature more or less useless.
>
> The only way to solve this (in my humble opinion):
> If auth-user-pass is enabled, then the client sends the username and password
> to the server. Maybe it's possible to send not only the auth info, but also the
> information whether the user typed in his password or used the "stored password
> feature". So every administrator can decide if the server should accept
> stored passwords or not...
>
> But maybe it is better to just leave it the way it is. I also don't like the
> feature to use a plaintext password file in addition to the --auth-user-pass
> option. I think even in this situation the server should know that the client
> used a username/password from a file, so that the admin can decide to accept
> such connections or not. I don't like it if the user can decide such things...
>
> Mathias & James: Any comments on my idea to solve this issue?

There's no secure way for the server to know whether or not the password came
from a file or from the keyboard. Even if you strip out the code on the OpenVPN
client which allows passwords to be read from a file, there is no secure way
for the server to know how the client executable was built.

James

____________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users
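The situation Ralph describes (username/password read from a file plus a private key whose passphrase has been stripped) is something an administrator can at least audit on managed client machines, even though, as James says, the server cannot tell the two cases apart on the wire. The script below is an added example written for this page, not code from the thread or from OpenVPN. It relies only on documented client directives: `auth-user-pass [file]` (with a file argument the first line is the username and the second the password, without one OpenVPN prompts), `askpass [file]`, and `key <file>`. It treats a PEM key as passphrase-protected when its header carries the `ENCRYPTED` marker (the traditional `Proc-Type: 4,ENCRYPTED` header or a `BEGIN ENCRYPTED PRIVATE KEY` block). The three profiles and the two key files it creates are constructed samples with placeholder bodies, not real key material.

```shell
#!/bin/sh
# Audit OpenVPN client profiles for "no password check at all" setups:
# credentials stored via "auth-user-pass <file>" and/or a private key that
# needs no passphrase. Added example for this thread; not OpenVPN's own code.

# True if the profile has "auth-user-pass" with no file argument, i.e.
# OpenVPN will prompt for the username and password at connect time.
prompts_user_pass() {
    grep -Eq '^[[:space:]]*auth-user-pass([[:space:]]*(#.*)?)$' "$1"
}

# True if the profile reads the username/password from a file on disk.
stores_user_pass() {
    grep -Eq '^[[:space:]]*auth-user-pass[[:space:]]+[^[:space:]#]' "$1"
}

# True if the "key" file is passphrase-protected AND the passphrase is not
# supplied from a file via "askpass <file>", i.e. a human has to type it.
# Assumption: a PEM key is protected iff its header contains "ENCRYPTED".
key_needs_passphrase() {
    keyfile=$(awk '$1=="key"{print $2; exit}' "$1")
    [ -n "$keyfile" ] || return 1                  # no key directive: nothing to type
    case "$keyfile" in /*) ;; *) keyfile="$(dirname "$1")/$keyfile" ;; esac
    grep -q 'ENCRYPTED' "$keyfile" 2>/dev/null || return 1   # stripped (or missing) key
    ! grep -Eq '^[[:space:]]*askpass[[:space:]]+[^[:space:]#]' "$1"
}

# "interactive" if connecting requires typing a secret, "unattended" if whoever
# holds the files (a thief, or anyone at an unlocked desk) can connect as-is.
verdict() {
    if prompts_user_pass "$1" || key_needs_passphrase "$1"; then
        echo interactive
    else
        echo unattended
    fi
}

# ---- constructed sample files (placeholder bodies, not real keys) ----
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
    'DEK-Info: AES-256-CBC,0000' 'AAAA' '-----END RSA PRIVATE KEY-----' > "$WORK/protected.key"
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'AAAA' '-----END RSA PRIVATE KEY-----' > "$WORK/nopass.key"
printf 'alice\ns3cret\n' > "$WORK/credentials.txt"   # line 1 username, line 2 password

# Profile A: prompts for user/pass, protected key -> interactive
cat > "$WORK/prompt.ovpn" <<'EOF'
client
dev tun
remote vpn.example.org 1194
ca ca.crt
cert client.crt
key protected.key
auth-user-pass
EOF

# Profile B: Ralph's road-warrior case, stored creds and stripped key -> unattended
cat > "$WORK/stored.ovpn" <<'EOF'
client
dev tun
remote vpn.example.org 1194
ca ca.crt
cert client.crt
key nopass.key
auth-user-pass credentials.txt
EOF

# Profile C: stored creds but the key passphrase still has to be typed -> interactive
cat > "$WORK/stored-protectedkey.ovpn" <<'EOF'
client
dev tun
remote vpn.example.org 1194
ca ca.crt
cert client.crt
key protected.key
auth-user-pass credentials.txt
EOF

for p in "$WORK"/*.ovpn; do
    printf '%s: %s\n' "$(basename "$p")" "$(verdict "$p")"
done
```

Profile C is the case Ralph calls "maybe okay": the stored username/password alone does not give an unattended connection while the key passphrase is still enforced locally. The check is purely client-side; nothing in it changes what the server sees, which is exactly James's point.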