[Mageia-dev] OpenVPN + auth-user-pass + systemd password agents (was: Re: OpenVPN missing PID dir)

Colin Guthrie mageia at colin.guthr.ie
Mon Nov 26 14:42:05 CET 2012


'Twas brillig, and Richard Couture at 26/11/12 03:02 did gyre and gimble:
> I didn't mean to open a can of worms, but since it's open ...

No worries. No worms here, just discussing some packaging related stuff.

> with script-security 2 added to the client.conf, openvpn starts just
> fine with the command   systemctl restart openvpn at client.service

Yes, the script-security stuff needs to go into the config. The sysvinit
script had a horrible hack to work around this not being there, but it's
really just that - a hack - and such black magic shouldn't be encouraged!

> UNTIL
> you add the parameter  auth-user-pass to the client.conf
> Once that param is added, openvpn refuses to start via systemD 

(small point, it's systemd, not systemD :))

> though it
> starts just fine via sys5
> [root at pwyr openvpn]# cd /etc/init.d/
> [root at pwyr init.d]# ./openvpn restart
> Shutting down openvpn:                                     [  OK  ]
> Starting openvpn: Enter Auth Username:rrc
> Enter Auth Password:
>                                                            [  OK  ]
> Since were looking at openvpn, hopefully we can figure out what this is
> all about as this param is EXTREMELY important to harden the security of
> openvpn

Right, I guess this is simply because it's using a somewhat legacy
method of getting the password from the user...

It should really hook into the system used by other components to get
passwords from the user, including during early boot. This is used e.g.
to get the password for encrypted disk partitions and works nicely with
Plymouth for eye-candy as well as via the command line and even via
desktop environments if appropriate.

http://www.freedesktop.org/wiki/Software/systemd/PasswordAgents

I guess I'll need to look more into it to see what can be (or has been)
done to address this. It should be relatively simple in theory...

If you are a hacker, feel free to look into this! (I've not googled or
anything so perhaps someone has done this already)


Col

-- 

Colin Guthrie
colin(at)mageia.org
http://colin.guthr.ie/

Day Job:
  Tribalogic Limited http://www.tribalogic.net/
Open Source:
  Mageia Contributor http://www.mageia.org/
  PulseAudio Hacker http://www.pulseaudio.org/
  Trac Hacker http://trac.edgewall.org/
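As an added illustration (not part of Colin's mail, and not OpenVPN's or systemd's own code), here is a minimal Python round-trip of the password-agent protocol from the linked page: the daemon publishes an ask.* file plus a reply socket, and an agent parses it, checks it is still valid and answers with '+password' or '-'. It runs in a temporary directory instead of /run/systemd/ask-password; the file names, prompt text and password are constructed, and the uid-0 check systemd performs on the reply via SCM_CREDENTIALS is only noted in a comment.

```python
import configparser, os, socket, tempfile, time

def write_request(askdir, message, not_after_us=0):
    """Requester: bind the reply socket, write tmp.*, rename to ask.* atomically."""
    sock = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    sock_path = os.path.join(askdir, "sck.%d" % os.getpid())  # constructed name
    sock.bind(sock_path)
    tmp = os.path.join(askdir, "tmp.%d" % os.getpid())
    with open(tmp, "w") as f:
        f.write("[Ask]\nPID=%d\nSocket=%s\nAcceptCached=0\nEcho=0\nNotAfter=%d\nMessage=%s\n"
                % (os.getpid(), sock_path, not_after_us, message))
    ask = os.path.join(askdir, "ask.%d" % os.getpid())
    os.rename(tmp, ask)  # agents watch for IN_MOVED_TO, so they never read a partial file
    return sock, ask

def parse_request(path):
    """Agent: ask.* is a plain .ini file; keys it does not know must be ignored."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read(path); a = cp["Ask"]
    return {"pid": int(a["PID"]), "socket": a["Socket"],
            "message": a.get("Message", ""), "not_after": int(a.get("NotAfter", "0"))}

def request_is_live(req):
    """Agent: drop a query whose requester died or whose NotAfter (CLOCK_MONOTONIC usec) passed."""
    try:
        os.kill(req["pid"], 0)  # signal 0 only tests that the PID exists
    except ProcessLookupError:
        return False
    return not (req["not_after"] and time.clock_gettime(time.CLOCK_MONOTONIC) * 1e6 > req["not_after"])

def send_reply(req, password):
    """Agent: one datagram, '+' + password or '-' (cancel); a real daemon accepts it from uid 0 only."""
    msg = b"-" if password is None else b"+" + password.encode()
    with socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM) as s:
        s.sendto(msg, req["socket"])

def read_reply(sock):
    """Requester: the password, or None when the user cancelled."""
    msg = sock.recv(4096)
    return msg[1:].decode() if msg[:1] == b"+" else None

def demo():
    askdir = tempfile.mkdtemp()  # stands in for /run/systemd/ask-password
    sock, ask = write_request(askdir, "Enter Auth Password:")
    req = parse_request(ask)
    send_reply(req, "s3cret"); got = read_reply(sock)
    send_reply(req, None); cancelled = read_reply(sock)
    stale = request_is_live(dict(req, not_after=1))  # 1 us after boot: long expired
    os.unlink(ask); sock.close()
    return req["message"], request_is_live(req), got, cancelled, stale
```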

