'Twas brillig, and Richard Couture at 26/11/12 03:02 did gyre and gimble: > I didn't mean to open a can of worms, but since it's open ...
No worries. No worms here, just discussing some packaging related stuff. > with script-security 2 added to the client.conf, openvpn starts just > fine with the command systemctl restart openvpn@client.service Yes, the script-security stuff needs to go into the config. The sysvinit script had a horrible hack to work around this not being there, but it's really just that - a hack - and such black magic shouldn't be encouraged! > UNTIL > you add the parameter auth-user-pass to the client.conf > Once that param is added, openvpn refuses to start via systemD (small point, it's systemd, not systemD :)) > though it > starts just fine via sys5 > [root@pwyr openvpn]# cd /etc/init.d/ > [root@pwyr init.d]# ./openvpn restart > Shutting down openvpn: [ OK ] > Starting openvpn: Enter Auth Username:rrc > Enter Auth Password: > [ OK ] > Since were looking at openvpn, hopefully we can figure out what this is > all about as this param is EXTREMELY important to harden the security of > openvpn Right, I guess this is simply because it's using a somewhat legacy method of getting the password form the user... It should really hook into the system used by other components to get passwords from the user, including during early boot. This is used e.g. to get the password for encrypted disk partitions and works nicely with Plymouth for eye-candy as well as via the command line and even via desktop environments if appropriate. http://www.freedesktop.org/wiki/Software/systemd/PasswordAgents I guess I'll need to look more into it to see what can be (or has been) done to address this. It should be relatively simple in theory... If you are a hacker, feel free to look into this! (I've not googled or anything so perhaps someone has done this already) Col -- Colin Guthrie colin(at)mageia.org http://colin.guthr.ie/ Day Job: Tribalogic Limited http://www.tribalogic.net/ Open Source: Mageia Contributor http://www.mageia.org/ PulseAudio Hacker http://www.pulseaudio.org/ Trac Hacker http://trac.edgewall.org/