1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
|
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<TITLE> [Mageia-dev] OpenVPN + auth-user-pass + systemd password agents (was: Re: OpenVPN missing PID dir)
</TITLE>
<LINK REL="Index" HREF="index.html" >
<LINK REL="made" HREF="mailto:mageia-dev%40mageia.org?Subject=Re%3A%20%5BMageia-dev%5D%20OpenVPN%20%2B%20auth-user-pass%20%2B%20systemd%20password%20agents%0A%20%28was%3A%20Re%3A%20OpenVPN%20missing%20PID%20dir%29&In-Reply-To=%3C50B371AD.8090309%40colin.guthr.ie%3E">
<META NAME="robots" CONTENT="index,nofollow">
<META http-equiv="Content-Type" content="text/html; charset=us-ascii">
<LINK REL="Previous" HREF="020275.html">
<LINK REL="Next" HREF="020310.html">
</HEAD>
<BODY BGCOLOR="#ffffff">
<H1>[Mageia-dev] OpenVPN + auth-user-pass + systemd password agents (was: Re: OpenVPN missing PID dir)</H1>
<B>Colin Guthrie</B>
<A HREF="mailto:mageia-dev%40mageia.org?Subject=Re%3A%20%5BMageia-dev%5D%20OpenVPN%20%2B%20auth-user-pass%20%2B%20systemd%20password%20agents%0A%20%28was%3A%20Re%3A%20OpenVPN%20missing%20PID%20dir%29&In-Reply-To=%3C50B371AD.8090309%40colin.guthr.ie%3E"
TITLE="[Mageia-dev] OpenVPN + auth-user-pass + systemd password agents (was: Re: OpenVPN missing PID dir)">mageia at colin.guthr.ie
</A><BR>
<I>Mon Nov 26 14:42:05 CET 2012</I>
<P><UL>
<LI>Previous message: <A HREF="020275.html">[Mageia-dev] OpenVPN missing PID dir
</A></li>
<LI>Next message: <A HREF="020310.html">[Mageia-dev] OpenVPN + auth-user-pass + systemd password agents
</A></li>
<LI> <B>Messages sorted by:</B>
<a href="date.html#20287">[ date ]</a>
<a href="thread.html#20287">[ thread ]</a>
<a href="subject.html#20287">[ subject ]</a>
<a href="author.html#20287">[ author ]</a>
</LI>
</UL>
<HR>
<!--beginarticle-->
<PRE>'Twas brillig, and Richard Couture at 26/11/12 03:02 did gyre and gimble:
><i> I didn't mean to open a can of worms, but since it's open ...
</I>
No worries. No worms here, just discussing some packaging related stuff.
><i> with script-security 2 added to the client.conf, openvpn starts just
</I>><i> fine with the command systemctl restart <A HREF="https://www.mageia.org/mailman/listinfo/mageia-dev">openvpn at client.service</A>
</I>
Yes, the script-security stuff needs to go into the config. The sysvinit
script had a horrible hack to work around this not being there, but it's
really just that - a hack - and such black magic shouldn't be encouraged!
><i> UNTIL
</I>><i> you add the parameter auth-user-pass to the client.conf
</I>><i> Once that param is added, openvpn refuses to start via systemD
</I>
(small point, it's systemd, not systemD :))
><i> though it
</I>><i> starts just fine via sys5
</I>><i> [<A HREF="https://www.mageia.org/mailman/listinfo/mageia-dev">root at pwyr</A> openvpn]# cd /etc/init.d/
</I>><i> [<A HREF="https://www.mageia.org/mailman/listinfo/mageia-dev">root at pwyr</A> init.d]# ./openvpn restart
</I>><i> Shutting down openvpn: [ OK ]
</I>><i> Starting openvpn: Enter Auth Username:rrc
</I>><i> Enter Auth Password:
</I>><i> [ OK ]
</I>><i> Since were looking at openvpn, hopefully we can figure out what this is
</I>><i> all about as this param is EXTREMELY important to harden the security of
</I>><i> openvpn
</I>
Right, I guess this is simply because it's using a somewhat legacy
method of getting the password form the user...
It should really hook into the system used by other components to get
passwords from the user, including during early boot. This is used e.g.
to get the password for encrypted disk partitions and works nicely with
Plymouth for eye-candy as well as via the command line and even via
desktop environments if appropriate.
<A HREF="http://www.freedesktop.org/wiki/Software/systemd/PasswordAgents">http://www.freedesktop.org/wiki/Software/systemd/PasswordAgents</A>
I guess I'll need to look more into it to see what can be (or has been)
done to address this. It should be relatively simple in theory...
If you are a hacker, feel free to look into this! (I've not googled or
anything so perhaps someone has done this already)
Col
--
Colin Guthrie
colin(at)mageia.org
<A HREF="http://colin.guthr.ie/">http://colin.guthr.ie/</A>
Day Job:
Tribalogic Limited <A HREF="http://www.tribalogic.net/">http://www.tribalogic.net/</A>
Open Source:
Mageia Contributor <A HREF="http://www.mageia.org/">http://www.mageia.org/</A>
PulseAudio Hacker <A HREF="http://www.pulseaudio.org/">http://www.pulseaudio.org/</A>
Trac Hacker <A HREF="http://trac.edgewall.org/">http://trac.edgewall.org/</A>
</PRE>
<!--endarticle-->
<HR>
<P><UL>
<!--threads-->
<LI>Previous message: <A HREF="020275.html">[Mageia-dev] OpenVPN missing PID dir
</A></li>
<LI>Next message: <A HREF="020310.html">[Mageia-dev] OpenVPN + auth-user-pass + systemd password agents
</A></li>
<LI> <B>Messages sorted by:</B>
<a href="date.html#20287">[ date ]</a>
<a href="thread.html#20287">[ thread ]</a>
<a href="subject.html#20287">[ subject ]</a>
<a href="author.html#20287">[ author ]</a>
</LI>
</UL>
<hr>
<a href="https://www.mageia.org/mailman/listinfo/mageia-dev">More information about the Mageia-dev
mailing list</a><br>
</body></html>
|
