From 1be510f9529cb082f802408b472a77d074b394c0 Mon Sep 17 00:00:00 2001 From: Nicolas Vigier Date: Sun, 14 Apr 2013 13:46:12 +0000 Subject: Add zarb MLs html archives --- zarb-ml/mageia-dev/2012-November/020287.html | 123 +++++++++++++++++++++++++++ 1 file changed, 123 insertions(+) create mode 100644 zarb-ml/mageia-dev/2012-November/020287.html (limited to 'zarb-ml/mageia-dev/2012-November/020287.html') diff --git a/zarb-ml/mageia-dev/2012-November/020287.html b/zarb-ml/mageia-dev/2012-November/020287.html new file mode 100644 index 000000000..cff552b88 --- /dev/null +++ b/zarb-ml/mageia-dev/2012-November/020287.html @@ -0,0 +1,123 @@ + + + + [Mageia-dev] OpenVPN + auth-user-pass + systemd password agents (was: Re: OpenVPN missing PID dir) + + + + + + + + + +

[Mageia-dev] OpenVPN + auth-user-pass + systemd password agents (was: Re: OpenVPN missing PID dir)

+ Colin Guthrie + mageia at colin.guthr.ie +
+ Mon Nov 26 14:42:05 CET 2012 +

+
+ +
'Twas brillig, and Richard Couture at 26/11/12 03:02 did gyre and gimble:
+> I didn't mean to open a can of worms, but since it's open ...
+
+No worries. No worms here, just discussing some packaging related stuff.
+
+> with script-security 2 added to the client.conf, openvpn starts just
+> fine with the command   systemctl restart openvpn at client.service
+
+Yes, the script-security stuff needs to go into the config. The sysvinit
+script had a horrible hack to work around this not being there, but it's
+really just that - a hack - and such black magic shouldn't be encouraged!
+
+> UNTIL
+> you add the parameter  auth-user-pass to the client.conf
+> Once that param is added, openvpn refuses to start via systemD 
+
+(small point, it's systemd, not systemD :))
+
+> though it
+> starts just fine via sys5
+> [root at pwyr openvpn]# cd /etc/init.d/
+> [root at pwyr init.d]# ./openvpn restart
+> Shutting down openvpn:                                     [  OK  ]
+> Starting openvpn: Enter Auth Username:rrc
+> Enter Auth Password:
+>                                                            [  OK  ]
+> Since were looking at openvpn, hopefully we can figure out what this is
+> all about as this param is EXTREMELY important to harden the security of
+> openvpn
+
+Right, I guess this is simply because it's using a somewhat legacy
+method of getting the password form the user...
+
+It should really hook into the system used by other components to get
+passwords from the user, including during early boot. This is used e.g.
+to get the password for encrypted disk partitions and works nicely with
+Plymouth for eye-candy as well as via the command line and even via
+desktop environments if appropriate.
+
+http://www.freedesktop.org/wiki/Software/systemd/PasswordAgents
+
+I guess I'll need to look more into it to see what can be (or has been)
+done to address this. It should be relatively simple in theory...
+
+If you are a hacker, feel free to look into this! (I've not googled or
+anything so perhaps someone has done this already)
+
+
+Col
+
+-- 
+
+Colin Guthrie
+colin(at)mageia.org
+http://colin.guthr.ie/
+
+Day Job:
+  Tribalogic Limited http://www.tribalogic.net/
+Open Source:
+  Mageia Contributor http://www.mageia.org/
+  PulseAudio Hacker http://www.pulseaudio.org/
+  Trac Hacker http://trac.edgewall.org/
+
+ + + + + + + + +
+

+ +
+More information about the Mageia-dev +mailing list
+ -- cgit v1.2.1