<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
 <HEAD>
   <TITLE> [Mageia-dev] OpenVPN + auth-user-pass + systemd password agents
   </TITLE>
   <LINK REL="Index" HREF="index.html" >
   <LINK REL="made" HREF="mailto:mageia-dev%40mageia.org?Subject=Re%3A%20%5BMageia-dev%5D%20OpenVPN%20%2B%20auth-user-pass%20%2B%20systemd%20password%20agents&In-Reply-To=%3C50B38869.5030200%40LinuxCabal.org%3E">
   <META NAME="robots" CONTENT="index,nofollow">
   <META http-equiv="Content-Type" content="text/html; charset=us-ascii">
   <LINK REL="Previous"  HREF="020287.html">
   <LINK REL="Next"  HREF="020352.html">
 </HEAD>
 <BODY BGCOLOR="#ffffff">
   <H1>[Mageia-dev] OpenVPN + auth-user-pass + systemd password agents</H1>
    <B>Richard Couture</B> 
    <A HREF="mailto:mageia-dev%40mageia.org?Subject=Re%3A%20%5BMageia-dev%5D%20OpenVPN%20%2B%20auth-user-pass%20%2B%20systemd%20password%20agents&In-Reply-To=%3C50B38869.5030200%40LinuxCabal.org%3E"
       TITLE="[Mageia-dev] OpenVPN + auth-user-pass + systemd password agents">rrc at LinuxCabal.org
       </A><BR>
    <I>Mon Nov 26 16:19:05 CET 2012</I>
    <P><UL>
        <LI>Previous message: <A HREF="020287.html">[Mageia-dev] OpenVPN + auth-user-pass + systemd password agents (was: Re: OpenVPN missing PID dir)
</A></li>
        <LI>Next message: <A HREF="020352.html">[Mageia-dev] OpenVPN + auth-user-pass + systemd password agents
</A></li>
         <LI> <B>Messages sorted by:</B> 
              <a href="date.html#20310">[ date ]</a>
              <a href="thread.html#20310">[ thread ]</a>
              <a href="subject.html#20310">[ subject ]</a>
              <a href="author.html#20310">[ author ]</a>
         </LI>
       </UL>
    <HR>  
<!--beginarticle-->
<PRE>I've googled for hours before writing the message and as usual, simply 
increased my blood pressure with no solutions |-( Maybe you'll have 
better luck.



Richard


On 11/26/2012 07:42 AM, Colin Guthrie wrote:
&gt;<i> 'Twas brillig, and Richard Couture at 26/11/12 03:02 did gyre and gimble:
</I>&gt;&gt;<i> I didn't mean to open a can of worms, but since it's open ...
</I>&gt;<i>
</I>&gt;<i> No worries. No worms here, just discussing some packaging related stuff.
</I>&gt;<i>
</I>&gt;&gt;<i> with script-security 2 added to the client.conf, openvpn starts just
</I>&gt;&gt;<i> fine with the command   systemctl restart <A HREF="https://www.mageia.org/mailman/listinfo/mageia-dev">openvpn at client.service</A>
</I>&gt;<i>
</I>&gt;<i> Yes, the script-security stuff needs to go into the config. The sysvinit
</I>&gt;<i> script had a horrible hack to work around this not being there, but it's
</I>&gt;<i> really just that - a hack - and such black magic shouldn't be encouraged!
</I>&gt;<i>
</I>&gt;&gt;<i> UNTIL
</I>&gt;&gt;<i> you add the parameter  auth-user-pass to the client.conf
</I>&gt;&gt;<i> Once that param is added, openvpn refuses to start via systemD
</I>&gt;<i>
</I>&gt;<i> (small point, it's systemd, not systemD :))
</I>&gt;<i>
</I>&gt;&gt;<i> though it
</I>&gt;&gt;<i> starts just fine via sys5
</I>&gt;&gt;<i> [<A HREF="https://www.mageia.org/mailman/listinfo/mageia-dev">root at pwyr</A> openvpn]# cd /etc/init.d/
</I>&gt;&gt;<i> [<A HREF="https://www.mageia.org/mailman/listinfo/mageia-dev">root at pwyr</A> init.d]# ./openvpn restart
</I>&gt;&gt;<i> Shutting down openvpn:                                     [  OK  ]
</I>&gt;&gt;<i> Starting openvpn: Enter Auth Username:rrc
</I>&gt;&gt;<i> Enter Auth Password:
</I>&gt;&gt;<i>                                                             [  OK  ]
</I>&gt;&gt;<i> Since we're looking at openvpn, hopefully we can figure out what this is
</I>&gt;&gt;<i> all about as this param is EXTREMELY important to harden the security of
</I>&gt;&gt;<i> openvpn
</I>&gt;<i>
</I>&gt;<i> Right, I guess this is simply because it's using a somewhat legacy
</I>&gt;<i> method of getting the password from the user...
</I>&gt;<i>
</I>&gt;<i> It should really hook into the system used by other components to get
</I>&gt;<i> passwords from the user, including during early boot. This is used e.g.
</I>&gt;<i> to get the password for encrypted disk partitions and works nicely with
</I>&gt;<i> Plymouth for eye-candy as well as via the command line and even via
</I>&gt;<i> desktop environments if appropriate.
</I>&gt;<i>
</I>&gt;<i> <A HREF="http://www.freedesktop.org/wiki/Software/systemd/PasswordAgents">http://www.freedesktop.org/wiki/Software/systemd/PasswordAgents</A>
</I>&gt;<i>
</I>&gt;<i> I guess I'll need to look more into it to see what can be (or has been)
</I>&gt;<i> done to address this. It should be relatively simple in theory...
</I>&gt;<i>
</I>&gt;<i> If you are a hacker, feel free to look into this! (I've not googled or
</I>&gt;<i> anything so perhaps someone has done this already)
</I>&gt;<i>
</I>&gt;<i>
</I>&gt;<i> Col
</I>&gt;<i>
</I>
-- 
LinuxCabal Asociaci&#243;n Civil
Ing. Richard Couture
Novell CNE, ECNE, MCNE
HP/Compaq ASE
Tel.: (+52) (333) 145-2638
Cel.: (+52) (044) 333 377-7505
Cel.: (+52) (044) 333 377-7506
Web: <A HREF="http://www.LinuxCabal.org">http://www.LinuxCabal.org</A>
E-Mail: <A HREF="https://www.mageia.org/mailman/listinfo/mageia-dev">rrc at linuxcabal.org</A>
Hosted in the cloud by Cloud Sigma - www.CloudSigma.com

CONFIDENTIALITY NOTICE: This e-mail, including any files attached to it, 
may contain confidential and/or privileged information and is sent solely 
and exclusively for the attention of the person and/or entity to whom it 
is addressed. Copying, reviewing, using, disclosing and/or distributing 
such confidential information without the written authorization of 
LinuxCabal is prohibited. If you are not the intended recipient of this 
e-mail, please contact the sender by replying to this e-mail and delete 
the original message including its attachments, as well as any copies of 
it. By receiving this e-mail you acknowledge and accept that, in the event 
of a breach of the above terms by you and/or your representatives, 
LinuxCabal will be entitled to the damages this causes.

</PRE>
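<P>Colin's suggestion above is that openvpn should ask for the <code>auth-user-pass</code> credentials through the systemd password-agent mechanism instead of prompting on a tty that a unit has no access to. The block below is an added illustration of that mechanism, written for this archive page; it is not code from the thread, from OpenVPN or from systemd. It drives both sides of the protocol described on the linked PasswordAgents page: the requester publishes an <code>ask.*</code> file and listens on a Unix datagram socket, and the agent parses the file, checks that the request is still valid (not past <code>NotAfter</code>, requester still alive) and answers with <code>+password</code> or <code>-</code> to cancel. The directory, socket path, message text and the sample password are constructed for the demo; the real directory is <code>/run/systemd/ask-password/</code>.</P>

```python
# Added example of the systemd password-agent protocol, both sides in one
# process. Not OpenVPN's or systemd's code; the temporary directory stands
# in for /run/systemd/ask-password/ and the credentials are made up.
import configparser
import os
import socket
import tempfile
import time


def write_ask_file(ask_dir, sock_path, message, not_after_usec=0, pid=None):
    """Requester side: publish an ask.* file the way systemd-ask-password does.
    Written under a temporary name and renamed so agents never see a
    half-written request."""
    body = "\n".join([
        "[Ask]",
        f"PID={pid or os.getpid()}",
        f"Socket={sock_path}",
        "AcceptCached=0",
        "Echo=0",                       # 0: agents must not echo the secret
        f"NotAfter={not_after_usec}",   # CLOCK_MONOTONIC usec; 0 = never expires
        f"Message={message}",
    ]) + "\n"
    fd, tmp = tempfile.mkstemp(prefix="tmp.", dir=ask_dir)
    with os.fdopen(fd, "w") as fh:
        fh.write(body)
    final = os.path.join(ask_dir, "ask." + os.path.basename(tmp)[len("tmp."):])
    os.rename(tmp, final)
    return final


def parse_ask_file(path):
    """Agent side: read the [Ask] section of one request file."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep key case (PID, Socket, ...)
    cp.read(path)
    ask = cp["Ask"]
    return {
        "pid": int(ask.get("PID", "0")),
        "socket": ask["Socket"],
        "message": ask.get("Message", ""),
        "not_after": int(ask.get("NotAfter", "0")),
        "echo": ask.get("Echo", "0") == "1",
    }


def request_is_live(req, now_usec=None):
    """Agent side: refuse stale requests (expired NotAfter or dead requester)."""
    if req["not_after"]:
        now = int(time.monotonic() * 1_000_000) if now_usec is None else now_usec
        if now >= req["not_after"]:
            return False
    if req["pid"] > 0:
        try:
            os.kill(req["pid"], 0)  # signal 0 only probes for existence
        except ProcessLookupError:
            return False
        except PermissionError:
            pass  # exists, but owned by another user
    return True


def agent_reply(req, password=None):
    """Agent side: one datagram, '+<password>' on success or '-' to cancel."""
    payload = b"-" if password is None else b"+" + password.encode()
    with socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM) as s:
        s.connect(req["socket"])
        s.send(payload)


def requester_wait(sock, timeout=5.0):
    """Requester side: block for the agent's answer; None means cancelled."""
    sock.settimeout(timeout)
    data = sock.recv(4096)
    if data[:1] == b"+":
        return data[1:].decode()
    if data == b"-":
        return None
    raise ValueError("malformed agent reply")


def demo_round_trip(password="s3cret"):
    """Run requester and agent in one process; return what the requester got."""
    with tempfile.TemporaryDirectory() as ask_dir:
        sock_path = os.path.join(ask_dir, "sck")
        with socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM) as srv:
            srv.bind(sock_path)
            os.chmod(sock_path, 0o600)  # only the same uid (or root) may answer
            deadline = int(time.monotonic() * 1_000_000) + 30_000_000  # 30 s
            ask = write_ask_file(ask_dir, sock_path, "OpenVPN auth password:", deadline)
            req = parse_ask_file(ask)          # the agent sees the new file
            answer = None
            if request_is_live(req):
                agent_reply(req, password)
                answer = requester_wait(srv)
            os.unlink(ask)                     # requester retracts the question
            return answer


if __name__ == "__main__":
    print(demo_round_trip("s3cret"))
```

<P>A real agent would watch the directory with inotify and run as root so it can answer any unit's question, and the requester would be <code>systemd-ask-password</code> rather than <code>write_ask_file</code>. For the case in this thread, one way to wire it up without patching openvpn is an <code>ExecStartPre=</code> step in the unit that calls <code>systemd-ask-password</code> twice and writes the answers to a root-owned, mode 0600 file that the config then references with <code>auth-user-pass &lt;file&gt;</code>; the NotAfter and PID checks shown above are what keep a stale or spoofed question from collecting a credential after the unit has already failed.</P>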



<!--endarticle-->
    <HR>
    <P><UL>
        <!--threads-->
	<LI>Previous message: <A HREF="020287.html">[Mageia-dev] OpenVPN + auth-user-pass + systemd password agents (was: Re: OpenVPN missing PID dir)
</A></li>
	<LI>Next message: <A HREF="020352.html">[Mageia-dev] OpenVPN + auth-user-pass + systemd password agents
</A></li>
         <LI> <B>Messages sorted by:</B> 
              <a href="date.html#20310">[ date ]</a>
              <a href="thread.html#20310">[ thread ]</a>
              <a href="subject.html#20310">[ subject ]</a>
              <a href="author.html#20310">[ author ]</a>
         </LI>
       </UL>

<hr>
<a href="https://www.mageia.org/mailman/listinfo/mageia-dev">More information about the Mageia-dev
mailing list</a><br>
</body></html>