From 1be510f9529cb082f802408b472a77d074b394c0 Mon Sep 17 00:00:00 2001 From: Nicolas Vigier Date: Sun, 14 Apr 2013 13:46:12 +0000 Subject: Add zarb MLs html archives --- zarb-ml/mageia-dev/2012-November/020310.html | 144 +++++++++++++++++++++++++++ 1 file changed, 144 insertions(+) create mode 100644 zarb-ml/mageia-dev/2012-November/020310.html (limited to 'zarb-ml/mageia-dev/2012-November/020310.html') diff --git a/zarb-ml/mageia-dev/2012-November/020310.html b/zarb-ml/mageia-dev/2012-November/020310.html new file mode 100644 index 000000000..641950402 --- /dev/null +++ b/zarb-ml/mageia-dev/2012-November/020310.html @@ -0,0 +1,144 @@ + + + + [Mageia-dev] OpenVPN + auth-user-pass + systemd password agents + + + + + + + + + +

[Mageia-dev] OpenVPN + auth-user-pass + systemd password agents

+ Richard Couture + rrc at LinuxCabal.org +
+ Mon Nov 26 16:19:05 CET 2012 +

+
+ +
I've googled for hours before writing the message and as usual, simply 
+increased my blood pressure with no solutions |-( Maybe you'll have 
+better luck.
+
+
+
+Richard
+
+
+On 11/26/2012 07:42 AM, Colin Guthrie wrote:
+> 'Twas brillig, and Richard Couture at 26/11/12 03:02 did gyre and gimble:
+>> I didn't mean to open a can of worms, but since it's open ...
+>
+> No worries. No worms here, just discussing some packaging related stuff.
+>
+>> with script-security 2 added to the client.conf, openvpn starts just
+>> fine with the command   systemctl restart openvpn at client.service
+>
+> Yes, the script-security stuff needs to go into the config. The sysvinit
+> script had a horrible hack to work around this not being there, but it's
+> really just that - a hack - and such black magic shouldn't be encouraged!
+>
+>> UNTIL
+>> you add the parameter  auth-user-pass to the client.conf
+>> Once that param is added, openvpn refuses to start via systemD
+>
+> (small point, it's systemd, not systemD :))
+>
+>> though it
+>> starts just fine via sys5
+>> [root at pwyr openvpn]# cd /etc/init.d/
+>> [root at pwyr init.d]# ./openvpn restart
+>> Shutting down openvpn:                                     [  OK  ]
+>> Starting openvpn: Enter Auth Username:rrc
+>> Enter Auth Password:
+>>                                                             [  OK  ]
+>> Since were looking at openvpn, hopefully we can figure out what this is
+>> all about as this param is EXTREMELY important to harden the security of
+>> openvpn
+>
+> Right, I guess this is simply because it's using a somewhat legacy
+> method of getting the password form the user...
+>
+> It should really hook into the system used by other components to get
+> passwords from the user, including during early boot. This is used e.g.
+> to get the password for encrypted disk partitions and works nicely with
+> Plymouth for eye-candy as well as via the command line and even via
+> desktop environments if appropriate.
+>
+> http://www.freedesktop.org/wiki/Software/systemd/PasswordAgents
+>
+> I guess I'll need to look more into it to see what can be (or has been)
+> done to address this. It should be relatively simple in theory...
+>
+> If you are a hacker, feel free to look into this! (I've not googled or
+> anything so perhaps someone has done this already)
+>
+>
+> Col
+>
+
+-- 
+LinuxCabal Asociación Civil
+Ing. Richard Couture
+Novell CNE, ECNE, MCNE
+HP/Compaq ASE
+Tel.: (+52) (333) 145-2638
+Cel.: (+52) (044) 333 377-7505
+Cel.: (+52) (044) 333 377-7506
+Web: http://www.LinuxCabal.org
+E-Mail: rrc at linuxcabal.org
+Hosted en la nube Cloud Sigma - www.CloudSigma.com
+
+AVISO DE CONFIDENCIALIDAD: Este correo electrónico, incluyendo en su 
+caso, los archivos adjuntos al mismo, pueden contener información de 
+carácter confidencial y/o privilegiada, y se envían a la atención única 
+y exclusivamente de la persona y/o entidad a quien va dirigido. La 
+copia, revisión, uso, revelación y/o distribución de dicha información 
+confidencial sin la autorización por escrito de LinuxCabal está 
+prohibida. Si usted no es el destinatario a quien se dirige el presente 
+correo, favor de contactar al remitente respondiendo al presente correo 
+y eliminar el correo original incluyendo sus archivos, así como 
+cualesquiera copia del mismo. Mediante la recepción del presente correo 
+usted reconoce y acepta que en caso de incumplimiento de su parte y/o de 
+sus representantes a los términos antes mencionados, LinuxCabal tendrá 
+derecho a los daños y perjuicios que esto le cause.
+
+
+ + + + +
+

+ +
+More information about the Mageia-dev +mailing list
+ -- cgit v1.2.1
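Review bot: the imported archive page in this hunk is a verbatim pipermail export (the address obfuscation "rrc at LinuxCabal.org" and "root at pwyr" is preserved, which is the right call), but the commit description "Add zarb MLs html archives" does not say which archive export the 144-line file was taken from or whether the import is meant to be byte-for-byte; please state the source and the intent in the message so the file can be regenerated or diffed against the original later. Note also that the quoted transcript "Starting openvpn: Enter Auth Username:rrc" and the signature's phone numbers are carried over unchanged; if the policy for these archives is to keep them identical to the public list pages, say so, otherwise decide up front whether signatures and legal notices (the Spanish "AVISO DE CONFIDENCIALIDAD" block) are in scope for the import.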