author | Nicolas Vigier <boklm@mageia.org> | 2013-04-14 13:46:12 +0000 |
---|---|---|
committer | Nicolas Vigier <boklm@mageia.org> | 2013-04-14 13:46:12 +0000 |
commit | 1be510f9529cb082f802408b472a77d074b394c0 (patch) | |
tree | b175f9d5fcb107576dabc768e7bd04d4a3e491a0 /zarb-ml/mageia-dev/2012-November/020310.html | |
parent | fa5098cf210b23ab4f419913e28af7b1b07dafb2 (diff) | |
Diffstat (limited to 'zarb-ml/mageia-dev/2012-November/020310.html')
-rw-r--r-- | zarb-ml/mageia-dev/2012-November/020310.html | 144 |
1 files changed, 144 insertions, 0 deletions
diff --git a/zarb-ml/mageia-dev/2012-November/020310.html b/zarb-ml/mageia-dev/2012-November/020310.html new file mode 100644 index 000000000..641950402 --- /dev/null +++ b/zarb-ml/mageia-dev/2012-November/020310.html 
@@ -0,0 +1,144 @@ +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN"> +<HTML> + <HEAD> + <TITLE> [Mageia-dev] OpenVPN + auth-user-pass + systemd password agents + </TITLE> + <LINK REL="Index" HREF="index.html" > + <LINK REL="made" HREF="mailto:mageia-dev%40mageia.org?Subject=Re%3A%20%5BMageia-dev%5D%20OpenVPN%20%2B%20auth-user-pass%20%2B%20systemd%20password%20agents&In-Reply-To=%3C50B38869.5030200%40LinuxCabal.org%3E"> + <META NAME="robots" CONTENT="index,nofollow"> + <META http-equiv="Content-Type" content="text/html; charset=us-ascii"> + <LINK REL="Previous" HREF="020287.html"> + <LINK REL="Next" HREF="020352.html"> + </HEAD> + <BODY BGCOLOR="#ffffff"> + <H1>[Mageia-dev] OpenVPN + auth-user-pass + systemd password agents</H1> + <B>Richard Couture</B> + <A HREF="mailto:mageia-dev%40mageia.org?Subject=Re%3A%20%5BMageia-dev%5D%20OpenVPN%20%2B%20auth-user-pass%20%2B%20systemd%20password%20agents&In-Reply-To=%3C50B38869.5030200%40LinuxCabal.org%3E" + TITLE="[Mageia-dev] OpenVPN + auth-user-pass + systemd password agents">rrc at LinuxCabal.org + </A><BR> + <I>Mon Nov 26 16:19:05 CET 2012</I> + <P><UL> + <LI>Previous message: <A HREF="020287.html">[Mageia-dev] OpenVPN + auth-user-pass + systemd password agents (was: Re: OpenVPN missing PID dir) +</A></li> + <LI>Next message: <A HREF="020352.html">[Mageia-dev] OpenVPN + auth-user-pass + systemd password agents +</A></li> + <LI> <B>Messages sorted by:</B> + <a href="date.html#20310">[ date ]</a> + <a href="thread.html#20310">[ thread ]</a> + <a href="subject.html#20310">[ subject ]</a> + <a href="author.html#20310">[ author ]</a> + </LI> + </UL> + <HR> +<!--beginarticle--> +<PRE>I've googled for hours before writing the message and as usual, simply +increased my blood pressure with no solutions |-( Maybe you'll have +better luck. 
+ + + +Richard + + +On 11/26/2012 07:42 AM, Colin Guthrie wrote: +><i> 'Twas brillig, and Richard Couture at 26/11/12 03:02 did gyre and gimble: +</I>>><i> I didn't mean to open a can of worms, but since it's open ... +</I>><i> +</I>><i> No worries. No worms here, just discussing some packaging related stuff. +</I>><i> +</I>>><i> with script-security 2 added to the client.conf, openvpn starts just +</I>>><i> fine with the command systemctl restart <A HREF="https://www.mageia.org/mailman/listinfo/mageia-dev">openvpn at client.service</A> +</I>><i> +</I>><i> Yes, the script-security stuff needs to go into the config. The sysvinit +</I>><i> script had a horrible hack to work around this not being there, but it's +</I>><i> really just that - a hack - and such black magic shouldn't be encouraged! +</I>><i> +</I>>><i> UNTIL +</I>>><i> you add the parameter auth-user-pass to the client.conf +</I>>><i> Once that param is added, openvpn refuses to start via systemD +</I>><i> +</I>><i> (small point, it's systemd, not systemD :)) +</I>><i> +</I>>><i> though it +</I>>><i> starts just fine via sys5 +</I>>><i> [<A HREF="https://www.mageia.org/mailman/listinfo/mageia-dev">root at pwyr</A> openvpn]# cd /etc/init.d/ +</I>>><i> [<A HREF="https://www.mageia.org/mailman/listinfo/mageia-dev">root at pwyr</A> init.d]# ./openvpn restart +</I>>><i> Shutting down openvpn: [ OK ] +</I>>><i> Starting openvpn: Enter Auth Username:rrc +</I>>><i> Enter Auth Password: +</I>>><i> [ OK ] +</I>>><i> Since were looking at openvpn, hopefully we can figure out what this is +</I>>><i> all about as this param is EXTREMELY important to harden the security of +</I>>><i> openvpn +</I>><i> +</I>><i> Right, I guess this is simply because it's using a somewhat legacy +</I>><i> method of getting the password form the user... +</I>><i> +</I>><i> It should really hook into the system used by other components to get +</I>><i> passwords from the user, including during early boot. This is used e.g. 
+</I>><i> to get the password for encrypted disk partitions and works nicely with +</I>><i> Plymouth for eye-candy as well as via the command line and even via +</I>><i> desktop environments if appropriate. +</I>><i> +</I>><i> <A HREF="http://www.freedesktop.org/wiki/Software/systemd/PasswordAgents">http://www.freedesktop.org/wiki/Software/systemd/PasswordAgents</A> +</I>><i> +</I>><i> I guess I'll need to look more into it to see what can be (or has been) +</I>><i> done to address this. It should be relatively simple in theory... +</I>><i> +</I>><i> If you are a hacker, feel free to look into this! (I've not googled or +</I>><i> anything so perhaps someone has done this already) +</I>><i> +</I>><i> +</I>><i> Col +</I>><i> +</I> +-- +LinuxCabal Asociación Civil +Ing. Richard Couture +Novell CNE, ECNE, MCNE +HP/Compaq ASE +Tel.: (+52) (333) 145-2638 +Cel.: (+52) (044) 333 377-7505 +Cel.: (+52) (044) 333 377-7506 +Web: <A HREF="http://www.LinuxCabal.org">http://www.LinuxCabal.org</A> +E-Mail: <A HREF="https://www.mageia.org/mailman/listinfo/mageia-dev">rrc at linuxcabal.org</A> +Hosted en la nube Cloud Sigma - www.CloudSigma.com + +AVISO DE CONFIDENCIALIDAD: Este correo electrónico, incluyendo en su +caso, los archivos adjuntos al mismo, pueden contener información de +carácter confidencial y/o privilegiada, y se envían a la atención única +y exclusivamente de la persona y/o entidad a quien va dirigido. La +copia, revisión, uso, revelación y/o distribución de dicha información +confidencial sin la autorización por escrito de LinuxCabal está +prohibida. Si usted no es el destinatario a quien se dirige el presente +correo, favor de contactar al remitente respondiendo al presente correo +y eliminar el correo original incluyendo sus archivos, así como +cualesquiera copia del mismo. 
Mediante la recepción del presente correo +usted reconoce y acepta que en caso de incumplimiento de su parte y/o de +sus representantes a los términos antes mencionados, LinuxCabal tendrá +derecho a los daños y perjuicios que esto le cause. + +</PRE> + + + +<!--endarticle--> + <HR> + <P><UL> + <!--threads--> + <LI>Previous message: <A HREF="020287.html">[Mageia-dev] OpenVPN + auth-user-pass + systemd password agents (was: Re: OpenVPN missing PID dir) +</A></li> + <LI>Next message: <A HREF="020352.html">[Mageia-dev] OpenVPN + auth-user-pass + systemd password agents +</A></li> + <LI> <B>Messages sorted by:</B> + <a href="date.html#20310">[ date ]</a> + <a href="thread.html#20310">[ thread ]</a> + <a href="subject.html#20310">[ subject ]</a> + <a href="author.html#20310">[ author ]</a> + </LI> + </UL> + +<hr> +<a href="https://www.mageia.org/mailman/listinfo/mageia-dev">More information about the Mageia-dev +mailing list</a><br> +</body></html> |
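Review bot: the `<META http-equiv="Content-Type" content="text/html; charset=us-ascii">` added in the HEAD of this file declares US-ASCII, but the Spanish confidentiality footer at the end of the same hunk contains non-ASCII characters (Asociación, información, carácter, revisión, autorización), so the declared charset does not match the bytes in the file and browsers honouring the META will render that footer as mojibake. Before committing the archiver's output, either confirm what encoding the bytes actually are and declare it (e.g. `charset=utf-8` if that is what was written) or note that the generated page is knowingly mislabelled. A second thing to be aware of when reading the thread: mailman's address obfuscation appears to have rewritten the quoted command `systemctl restart openvpn@client.service` as `systemctl restart <A HREF="https://www.mageia.org/mailman/listinfo/mageia-dev">openvpn at client.service</A>`, so the archived command text is not copy-pasteable as shown; that is an artifact of the archiver rather than something this commit should hand-edit, but it is worth knowing the template unit name was mangled.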