Re: [Openvpn-devel] [PATCH 3/3] management: Warn if TCP port is used without password

2018-02-28 Thread Selva Nair
Hi,

On Wed, Feb 28, 2018 at 8:34 AM, Arne Schwabe  wrote:
> On 28.02.18 at 14:19, David Sommerseth wrote:
>> It is not recommended to use --management on a TCP port without also
>> adding a password authentication, as this can easily be abused by other
>> users or processes being able to connect to the management interface.
>>
>> Thus issue a warning that this configuration is strongly discouraged.
>>
>> Signed-off-by: David Sommerseth 
>> ---
>>  src/openvpn/options.c | 8 
>>  1 file changed, 8 insertions(+)
>>
>> diff --git a/src/openvpn/options.c b/src/openvpn/options.c
>> index 41a42cf2..e0c0894b 100644
>> --- a/src/openvpn/options.c
>> +++ b/src/openvpn/options.c
>> @@ -2170,6 +2170,14 @@ options_postprocess_verify_ce(const struct options 
>> *options, const struct connec
>>  {
>>  msg(M_USAGE, "--management-client-(user|group) can only be used on 
>> unix domain sockets");
>>  }
>> +
>> +if (!(options->management_flags & MF_UNIX_SOCK)
>> +&& (!options->management_user_pass))
>> +{
>> +msg(M_WARN, "WARNING: Using --management on a TCP port WITHOUT "
>> +"passwords is STRONGLY discouraged and considered insecure");
>> +}
>> +
>>  #endif
>>
>>  /*
>>
>
> Does not break existing configs and warns about a real problem. Some
> users of management might scream that users now get a warning where none
> was before, but honestly I don't care.
>
> @All does our own Windows UI use management and if yes does it set a
> random user/pw to connect to it?

Yes and yes.

Selva

--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel


Re: [Openvpn-devel] [PATCH 3/3] management: Warn if TCP port is used without password

2018-02-28 Thread Arne Schwabe
On 28.02.18 at 14:19, David Sommerseth wrote:
> It is not recommended to use --management on a TCP port without also
> adding a password authentication, as this can easily be abused by other
> users or processes being able to connect to the management interface.
> 
> Thus issue a warning that this configuration is strongly discouraged.
> 
> Signed-off-by: David Sommerseth 
> ---
>  src/openvpn/options.c | 8 
>  1 file changed, 8 insertions(+)
> 
> diff --git a/src/openvpn/options.c b/src/openvpn/options.c
> index 41a42cf2..e0c0894b 100644
> --- a/src/openvpn/options.c
> +++ b/src/openvpn/options.c
> @@ -2170,6 +2170,14 @@ options_postprocess_verify_ce(const struct options 
> *options, const struct connec
>  {
>  msg(M_USAGE, "--management-client-(user|group) can only be used on 
> unix domain sockets");
>  }
> +
> +if (!(options->management_flags & MF_UNIX_SOCK)
> +&& (!options->management_user_pass))
> +{
> +msg(M_WARN, "WARNING: Using --management on a TCP port WITHOUT "
> +"passwords is STRONGLY discouraged and considered insecure");
> +}
> +
>  #endif
>  
>  /*
> 
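Review bot: The warning text in the added msg(M_WARN, ...) call names the problem but not the remedy, and it says "passwords" where the check is on the single management_user_pass setting. Suggest wording that points the user at a fix, such as giving --management a password file or using a unix domain socket, and a matching note in the --management documentation, since the diffstat shows only src/openvpn/options.c being changed.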

Does not break existing configs and warns about a real problem. Some
users of management might scream that users now get a warning where none
was before, but honestly I don't care.

@All does our own Windows UI use management and if yes does it set a
random user/pw to connect to it?


Acked-By: Arne Schwabe 

Arne



[Openvpn-devel] [PATCH 3/3] management: Warn if TCP port is used without password

2018-02-28 Thread David Sommerseth
It is not recommended to use --management on a TCP port without also
adding a password authentication, as this can easily be abused by other
users or processes being able to connect to the management interface.

Thus issue a warning that this configuration is strongly discouraged.

Signed-off-by: David Sommerseth 
---
 src/openvpn/options.c | 8 
 1 file changed, 8 insertions(+)

diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index 41a42cf2..e0c0894b 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -2170,6 +2170,14 @@ options_postprocess_verify_ce(const struct options 
*options, const struct connec
 {
 msg(M_USAGE, "--management-client-(user|group) can only be used on 
unix domain sockets");
 }
+
+if (!(options->management_flags & MF_UNIX_SOCK)
+&& (!options->management_user_pass))
+{
+msg(M_WARN, "WARNING: Using --management on a TCP port WITHOUT "
+"passwords is STRONGLY discouraged and considered insecure");
+}
+
 #endif
 
 /*
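Review bot: The added condition tests only "!(options->management_flags & MF_UNIX_SOCK)" and "!options->management_user_pass", and nothing in the visible hunk checks that --management was given at all. Unless a guard outside the shown context already ensures that, a configuration with no management interface has neither the unix-socket flag nor a password set and would get this warning too. Consider making the first term of the if a test that the management interface is actually configured, using whichever field in struct options records the --management address.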
-- 
2.13.5

