I've googled for hours before writing the message and as usual, simply
increased my blood pressure with no solutions |-( Maybe you'll have
better luck.
Richard
On 11/26/2012 07:42 AM, Colin Guthrie wrote:
> 'Twas brillig, and Richard Couture at 26/11/12 03:02 did gyre and gimble:
>> I didn't mean to open a can of worms, but since it's open ...
> No worries. No worms here, just discussing some packaging related stuff.
>> with script-security 2 added to the client.conf, openvpn starts just
>> fine with the command systemctl restart [email protected]
> Yes, the script-security stuff needs to go into the config. The sysvinit
> script had a horrible hack to work around this not being there, but it's
> really just that - a hack - and such black magic shouldn't be encouraged!
>> UNTIL
>> you add the parameter auth-user-pass to the client.conf
>> Once that param is added, openvpn refuses to start via systemD
> (small point, it's systemd, not systemD :))
>> though it
>> starts just fine via sys5
>> [root@pwyr openvpn]# cd /etc/init.d/
>> [root@pwyr init.d]# ./openvpn restart
>> Shutting down openvpn: [ OK ]
>> Starting openvpn: Enter Auth Username:rrc
>> Enter Auth Password:
>> [ OK ]
>> Since we're looking at openvpn, hopefully we can figure out what this is
>> all about as this param is EXTREMELY important to harden the security of
>> openvpn
> Right, I guess this is simply because it's using a somewhat legacy
> method of getting the password from the user...
> It should really hook into the system used by other components to get
> passwords from the user, including during early boot. This is used e.g.
> to get the password for encrypted disk partitions and works nicely with
> Plymouth for eye-candy as well as via the command line and even via
> desktop environments if appropriate.
> http://www.freedesktop.org/wiki/Software/systemd/PasswordAgents
> I guess I'll need to look more into it to see what can be (or has been)
> done to address this. It should be relatively simple in theory...
> If you are a hacker, feel free to look into this! (I've not googled or
> anything so perhaps someone has done this already)
> Col
--
LinuxCabal Asociación Civil
Ing. Richard Couture
Novell CNE, ECNE, MCNE
HP/Compaq ASE
Tel.: (+52) (333) 145-2638
Cel.: (+52) (044) 333 377-7505
Cel.: (+52) (044) 333 377-7506
Web: http://www.LinuxCabal.org
E-Mail: [email protected]
Hosted in the cloud by Cloud Sigma - www.CloudSigma.com
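Colin's suggestion in the quoted mail (get the auth-user-pass credentials through systemd's password-agent framework instead of a TTY the service does not have), worked through as an added example; this is not code from the thread or from the distribution's openvpn package. It assumes an instance unit openvpn@client.service whose drop-in runs this helper from ExecStartPre, the directory /run/openvpn, and OpenVPN's documented `auth-user-pass FILE` form (username on line 1, password on line 2).

```shell
#!/bin/sh
# Added example, not from the thread: an ExecStartPre helper that asks for the
# OpenVPN username and password through systemd's password-agent mechanism
# (systemd-ask-password) rather than the TTY a service does not have, then
# writes them to a root-only file that client.conf reads with
#   auth-user-pass /run/openvpn/client.auth
# Assumed (not from the thread): helper name openvpn-askpass.sh, directory
# /run/openvpn, and a drop-in line such as
#   ExecStartPre=/usr/local/sbin/openvpn-askpass.sh %i
set -eu

# write_auth_file FILE USER PASS
# OpenVPN expects the username on line 1 and the password on line 2.
# The subshell scopes umask 077 so the file is mode 0600 from its first byte
# and the caller's umask is left untouched.
write_auth_file() {
    file=$1 user=$2 pass=$3
    mkdir -p "$(dirname "$file")"
    ( umask 077; printf '%s\n%s\n' "$user" "$pass" > "$file" )
}

# ask_credentials INSTANCE
# --no-tty forces the agent path (Plymouth at boot, a desktop agent, or the
# console agent); --timeout=0 waits for the user instead of giving up after
# the default 90 seconds; --id lets agents recognise the query. Both prompts
# are masked, since systemd-ask-password treats every answer as a secret.
ask_credentials() {
    inst=$1
    user=$(systemd-ask-password --no-tty --timeout=0 \
             --id="openvpn:$inst:user" "OpenVPN ($inst) username:")
    pass=$(systemd-ask-password --no-tty --timeout=0 \
             --id="openvpn:$inst:pass" "OpenVPN ($inst) password:")
    write_auth_file "/run/openvpn/$inst.auth" "$user" "$pass"
}

# Prompt only when executed as the helper script, not when sourced.
case "${0##*/}" in
    openvpn-askpass.sh) ask_credentials "${1:-client}" ;;
esac
```

Because /run is a tmpfs the file does not survive a reboot; an ExecStopPost that removes it keeps the credentials from outliving the connection.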