On Sunday 04 July 2004 04:37, Jan Kiszka wrote:
> >>Thinking ahead, the challenge/response sequence for passing
> >> authentication info should be open-ended to provide for future
> >> implementation of alternative authentication methods such as Radius,
> >> LDAP, NT Auth, etc.
> >
> > Please don't do too much of that. I've seen this auth featuritis creeping
> > in ntp and ups tools(!). Results ain't pretty...
> >
> > Reconfiguration of openvpn can always be done by editing config file
> > and restarting openvpn daemon. Simple. Elegant. No additional coding
> > - no risk of introducing bugs.
> >
> > This can be done via systray app, too.
>
> I can understand your concerns, and mostly you are right. However, there
> is one quite important scenario - at least as I see it - where you need
> the core daemon and the GUI running in different accounts: whenever the
> key or secret has to be looked away from the user while it shall still
> be possible for her/him to start/stop VPN connections. One reason for

Easy. openvpn shall start in admin account, then read the key,
and *then* change its uid to the uid killable by user.
--
vda
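
The start-privileged, read-the-key, then-change-uid sequence from the reply above, as an added example in C (not part of the thread and not OpenVPN's own code). The names read_secret and drop_privileges and the KEYFILE UID GID arguments are hypothetical.

```c
#define _DEFAULT_SOURCE
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Step 1: read the secret while still privileged. Returns bytes read, -1 on error. */
ssize_t read_secret(const char *path, char *buf, size_t len)
{
    if (len == 0) return -1;
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    ssize_t n = read(fd, buf, len - 1);
    close(fd);                 /* no privileged descriptor survives the drop */
    if (n < 0) return -1;
    buf[n] = '\0';
    return n;
}

/* Step 2: permanently switch to uid/gid. Order matters: groups, gid, then uid. */
int drop_privileges(uid_t uid, gid_t gid)
{
    /* Only root may call setgroups(); this clears root's supplementary groups. */
    if (geteuid() == 0 && setgroups(1, &gid) != 0) return -1;
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;
    /* Verify the result instead of trusting return codes alone. */
    if (getuid() != uid || geteuid() != uid) return -1;
    if (getgid() != gid || getegid() != gid) return -1;
    /* The drop must be irreversible: regaining root has to fail. */
    if (uid != 0 && setuid(0) == 0) return -1;
    return 0;
}

/* Hypothetical command line: KEYFILE UID GID, started from the admin account. */
int main(int argc, char **argv)
{
    char key[256];
    if (argc != 4) return 2;
    if (read_secret(argv[1], key, sizeof key) < 0) return 1;
    if (drop_privileges((uid_t)atoi(argv[2]), (gid_t)atoi(argv[3])) != 0) return 1;
    printf("key loaded (%zu bytes), now running as uid %d\n", strlen(key), (int)getuid());
    return 0;
}
```

The key stays in the process's memory after the drop, so keeping it from the user then depends on the operating system restricting debugger and memory access to that process.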