It is not recommended to use --management on a TCP port without also
adding a password authentication, as this can easily be abused by other
users or processes being able to connect to the management interface.

Thus issue a warning that this configuration is strongly discouraged.

Signed-off-by: David Sommerseth <dav...@openvpn.net>
---
 src/openvpn/options.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index 41a42cf2..e0c0894b 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -2170,6 +2170,14 @@ options_postprocess_verify_ce(const struct options 
*options, const struct connec
     {
         msg(M_USAGE, "--management-client-(user|group) can only be used on 
unix domain sockets");
     }
+
+    if (!(options->management_flags & MF_UNIX_SOCK)
+        && (!options->management_user_pass))
+    {
+        msg(M_WARN, "WARNING: Using --management on a TCP port WITHOUT "
+            "passwords is STRONGLY discouraged and considered insecure");
+    }
+
 #endif
 
     /*
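Review bot: The new condition `!(options->management_flags & MF_UNIX_SOCK) && (!options->management_user_pass)` never checks that --management was configured at all. With no management interface set up, the flags would not contain MF_UNIX_SOCK and management_user_pass would be unset, so unless a guard outside this hunk already covers it, the warning would be printed on every start, including for configurations that never open a management port. Suggest adding a test that the interface is in use as the first operand, for example `options->management_addr &&`, so the message only appears for a TCP management socket without a password. A short comment above the block saying that non-unix-socket means TCP here would also help the next reader.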
-- 
2.13.5

