[Mageia-dev] OpenVPN + auth-user-pass + systemd password agents

Richard Couture rrc at LinuxCabal.org
Mon Nov 26 16:19:05 CET 2012


I've googled for hours before writing this message and, as usual, simply 
increased my blood pressure with no solutions |-( Maybe you'll have 
better luck.



Richard


On 11/26/2012 07:42 AM, Colin Guthrie wrote:
> 'Twas brillig, and Richard Couture at 26/11/12 03:02 did gyre and gimble:
>> I didn't mean to open a can of worms, but since it's open ...
>
> No worries. No worms here, just discussing some packaging related stuff.
>
>> with script-security 2 added to the client.conf, openvpn starts just
>> fine with the command: systemctl restart openvpn@client.service
>
> Yes, the script-security stuff needs to go into the config. The sysvinit
> script had a horrible hack to work around this not being there, but it's
> really just that - a hack - and such black magic shouldn't be encouraged!
>
>> UNTIL
>> you add the parameter  auth-user-pass to the client.conf
>> Once that param is added, openvpn refuses to start via systemD
>
> (small point, it's systemd, not systemD :))
>
>> though it
>> starts just fine via sys5
>> [root@pwyr openvpn]# cd /etc/init.d/
>> [root@pwyr init.d]# ./openvpn restart
>> Shutting down openvpn:                                     [  OK  ]
>> Starting openvpn: Enter Auth Username:rrc
>> Enter Auth Password:
>>                                                             [  OK  ]
>> Since we're looking at openvpn, hopefully we can figure out what this is
>> all about, as this param is EXTREMELY important to harden the security of
>> openvpn
>
> Right, I guess this is simply because it's using a somewhat legacy
> method of getting the password from the user...
>
> It should really hook into the system used by other components to get
> passwords from the user, including during early boot. This is used e.g.
> to get the password for encrypted disk partitions and works nicely with
> Plymouth for eye-candy as well as via the command line and even via
> desktop environments if appropriate.
>
> http://www.freedesktop.org/wiki/Software/systemd/PasswordAgents
>
> I guess I'll need to look more into it to see what can be (or has been)
> done to address this. It should be relatively simple in theory...
>
> If you are a hacker, feel free to look into this! (I've not googled or
> anything so perhaps someone has done this already)
>
>
> Col
>

-- 
LinuxCabal Asociación Civil
Ing. Richard Couture
Novell CNE, ECNE, MCNE
HP/Compaq ASE
Tel.: (+52) (333) 145-2638
Cel.: (+52) (044) 333 377-7505
Cel.: (+52) (044) 333 377-7506
Web: http://www.LinuxCabal.org
E-Mail: rrc at linuxcabal.org
Hosted en la nube Cloud Sigma - www.CloudSigma.com

CONFIDENTIALITY NOTICE: This e-mail, including any attachments, may 
contain confidential and/or privileged information and is sent solely 
and exclusively for the attention of the person and/or entity to whom it 
is addressed. Copying, reviewing, using, disclosing and/or distributing 
this confidential information without the written authorization of 
LinuxCabal is prohibited. If you are not the intended recipient of this 
message, please contact the sender by replying to this e-mail and delete 
the original message, including its attachments, as well as any copies of 
it. By receiving this message you acknowledge and accept that, in the 
event of a breach of the above terms by you and/or your representatives, 
LinuxCabal shall be entitled to compensation for any damages thereby 
caused.
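An added worked example, not code from this thread, from OpenVPN or from systemd: both halves of the password-agent protocol Colin links above, written in Python so the asker/agent exchange can be seen end to end. The ask.* file layout (an [Ask] section with PID=, Socket=, Message=, NotAfter= and friends), the AF_UNIX datagram reply of "+" followed by the password or a lone "-" to cancel, the liveness checks an agent makes, and the write-then-rename of the ask file follow that wiki page; the function and class names, and the demo() helper that runs the whole exchange in a temporary directory instead of /run/systemd/ask-password, are this example's own.

```python
import contextlib
import os
import socket
import tempfile
import time

ASK_DIR = "/run/systemd/ask-password"   # real location; demo() uses a scratch dir

def parse_ask_file(text):
    """Parse an ask.* file: INI style, one [Ask] section of Key=Value lines."""
    fields, in_ask = {}, False
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_ask = (line == "[Ask]")
        elif in_ask and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip()] = value.strip()
    return fields

def request_is_live(fields, now_usec=None):
    """Agents must drop stale requests: asker PID gone, or NotAfter passed.
    NotAfter is microseconds on CLOCK_MONOTONIC; 0 means no deadline."""
    pid = int(fields.get("PID", "0"))
    if pid:
        try:
            os.kill(pid, 0)          # signal 0 only tests that the PID exists
        except ProcessLookupError:
            return False
        except PermissionError:
            pass                     # exists, merely not ours to signal
    not_after = int(fields.get("NotAfter", "0"))
    if now_usec is None:
        now_usec = int(time.clock_gettime(time.CLOCK_MONOTONIC) * 1_000_000)
    return not (not_after and now_usec > not_after)

def encode_reply(password=None):
    """Agent datagram: '+' followed by the password, or a lone '-' to cancel."""
    return b"-" if password is None else b"+" + password.encode()

def answer_request(ask_path, password=None):
    """Agent side: validate the request, then send exactly one datagram."""
    with open(ask_path) as f:
        fields = parse_ask_file(f.read())
    if "Socket" not in fields or not request_is_live(fields):
        return False
    with socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM) as s:
        s.sendto(encode_reply(password), fields["Socket"])
    return True

class PasswordRequest:
    """Asker side: what a daemon does instead of prompting on its own tty."""
    def __init__(self, message, ask_dir=ASK_DIR, timeout_sec=60):
        tag = f"{os.getpid()}.{time.monotonic_ns()}"
        self.ask_path = os.path.join(ask_dir, f"ask.{tag}")
        self.sock_path = os.path.join(ask_dir, f"sck.{tag}")
        # Bind the reply socket before publishing the request, owner-only (umask
        # 077): an unprivileged local user must not be able to inject a password.
        old_umask = os.umask(0o077)
        self.sock = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
        self.sock.bind(self.sock_path)
        os.umask(old_umask)
        self.sock.settimeout(timeout_sec)
        deadline = time.clock_gettime(time.CLOCK_MONOTONIC) + timeout_sec
        body = (f"[Ask]\nPID={os.getpid()}\nSocket={self.sock_path}\n"
                f"AcceptCached=0\nEcho=0\nNotAfter={int(deadline * 1_000_000)}\n"
                f"Message={message}\n")
        tmp = os.path.join(ask_dir, f".ask.{tag}")   # a name agents ignore, then
        with open(tmp, "w") as f:                    # rename: no half-written file
            f.write(body)
        os.rename(tmp, self.ask_path)

    def wait(self):
        """Return the password, or None if an agent cancelled or nobody answered."""
        try:
            data = self.sock.recv(4096)
        except socket.timeout:
            data = b"-"
        finally:
            self.sock.close()
            for path in (self.ask_path, self.sock_path):   # always clean up
                with contextlib.suppress(FileNotFoundError):
                    os.unlink(path)
        if not data.startswith(b"+"):
            return None
        return data[1:].rstrip(b"\0").decode()   # tolerate a NUL-terminated reply

def demo(password="hunter2"):
    """One full exchange, both roles in this process, in a scratch directory.
    Returns (what the asker received, whether the ask file was cleaned up)."""
    ask_dir = tempfile.mkdtemp(prefix="ask-password-demo.")
    req = PasswordRequest("Enter Auth Password:", ask_dir=ask_dir, timeout_sec=5)
    answer_request(req.ask_path, password)       # the agent's move
    got = req.wait()                             # the daemon's move
    return got, not os.path.exists(req.ask_path)   # ('hunter2', True)
```

demo() plays both roles in one process; in real life the asker is the daemon (here, what openvpn would have to do instead of reading the password from its own tty, which a systemd-started service does not have) and the agent is whatever systemd password agent is active, which watches the directory with inotify rather than being handed a path. Until openvpn speaks this protocol, the non-interactive way to keep auth-user-pass under systemd is to give it a file argument (username on the first line, password on the second) owned by root with mode 0600; that works, but it leaves the credentials on disk, which is exactly the trade-off the agent protocol is meant to avoid.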


