Re: [Openvpn-devel] [PATCH 3/3] management: Warn if TCP port is used without password
Hi, On Wed, Feb 28, 2018 at 8:34 AM, Arne Schwabe wrote: > On 28.02.18 at 14:19, David Sommerseth wrote: >> It is not recommended to use --management on a TCP port without also >> adding a password authentication, as this can easily be abused by other >> users or processes being able to connect to the management interface. >> >> Thus issue a warning that this configuration is strongly discouraged. >> >> Signed-off-by: David Sommerseth >> --- >> src/openvpn/options.c | 8 >> 1 file changed, 8 insertions(+) >> >> diff --git a/src/openvpn/options.c b/src/openvpn/options.c >> index 41a42cf2..e0c0894b 100644 >> --- a/src/openvpn/options.c >> +++ b/src/openvpn/options.c >> @@ -2170,6 +2170,14 @@ options_postprocess_verify_ce(const struct options >> *options, const struct connec >> { >> msg(M_USAGE, "--management-client-(user|group) can only be used on >> unix domain sockets"); >> } >> + >> +if (!(options->management_flags & MF_UNIX_SOCK) >> +&& (!options->management_user_pass)) >> +{ >> +msg(M_WARN, "WARNING: Using --management on a TCP port WITHOUT " >> +"passwords is STRONGLY discouraged and considered insecure"); >> +} >> + >> #endif >> >> /* >> > > Does not break existing configs and warns about a real problem. Some > users of management might scream that users now get a warning where none was > before, but honestly I don't care. > > @All does our own Windows UI use management and if yes does it set a > random user/pw to connect to it? Yes and yes. Selva
Re: [Openvpn-devel] [PATCH 3/3] management: Warn if TCP port is used without password
On 28.02.18 at 14:19, David Sommerseth wrote: > It is not recommended to use --management on a TCP port without also > adding a password authentication, as this can easily be abused by other > users or processes being able to connect to the management interface. > > Thus issue a warning that this configuration is strongly discouraged. > > Signed-off-by: David Sommerseth > --- > src/openvpn/options.c | 8 > 1 file changed, 8 insertions(+) > > diff --git a/src/openvpn/options.c b/src/openvpn/options.c > index 41a42cf2..e0c0894b 100644 > --- a/src/openvpn/options.c > +++ b/src/openvpn/options.c > @@ -2170,6 +2170,14 @@ options_postprocess_verify_ce(const struct options > *options, const struct connec > { > msg(M_USAGE, "--management-client-(user|group) can only be used on > unix domain sockets"); > } > + > +if (!(options->management_flags & MF_UNIX_SOCK) > +&& (!options->management_user_pass)) > +{ > +msg(M_WARN, "WARNING: Using --management on a TCP port WITHOUT " > +"passwords is STRONGLY discouraged and considered insecure"); > +} > + > #endif > > /* > Does not break existing configs and warns about a real problem. Some users of management might scream that users now get a warning where none was before, but honestly I don't care. @All does our own Windows UI use management and if yes does it set a random user/pw to connect to it? Acked-By: Arne Schwabe Arne
[Openvpn-devel] [PATCH 3/3] management: Warn if TCP port is used without password
It is not recommended to use --management on a TCP port without also adding a password authentication, as this can easily be abused by other users or processes being able to connect to the management interface. Thus issue a warning that this configuration is strongly discouraged. Signed-off-by: David Sommerseth --- src/openvpn/options.c | 8 1 file changed, 8 insertions(+) diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 41a42cf2..e0c0894b 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -2170,6 +2170,14 @@ options_postprocess_verify_ce(const struct options *options, const struct connec { msg(M_USAGE, "--management-client-(user|group) can only be used on unix domain sockets"); } + +if (!(options->management_flags & MF_UNIX_SOCK) +&& (!options->management_user_pass)) +{ +msg(M_WARN, "WARNING: Using --management on a TCP port WITHOUT " +"passwords is STRONGLY discouraged and considered insecure"); +} + #endif /* -- 2.13.5
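Review bot: the new condition in options_postprocess_verify_ce() tests only `!(options->management_flags & MF_UNIX_SOCK)` and `!options->management_user_pass`, and nothing in the visible lines checks that --management was given at all. Unless an enclosing check outside this context already guarantees that, a configuration with no management interface has neither the unix-socket flag nor a password file set, so it would print the warning as well. Suggest leading the condition with a test that the interface is configured, for example `options->management_addr`, so the warning is limited to configurations that actually open a TCP management port. The message text could also name the remedy (passing a password file to --management, or using a unix domain socket) so that users who see it know what to change.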