Hi

I sat in on the meeting today 2016-02-01 as manhaton

Watching the discussion about elevated privileges regarding a non-admin user interacting with the iservice, a subject of which I am ignorant with regard to programming ..

Anyway, an idea struck me ...

It is a *little* off-piste so .. new thread.

Why not .. (please shoot me down if this is stupid)

OpenVPN could HASH the *current* config file on the fly:

As the Client:
--verify-config-file ALG
ALG = algorithm
The result of which is stored within openvpn variable(s)
IV_CONF_ALG = algorithm
IV_CONF_HASH = result
and pushed to the server with other IV_* variables.

As the Server this is down to the admin to configure:
--verify-config-file ALG FILE ([0/1])
ALG = algorithm
FILE = a file containing expected HASH value(s)
(Could be a third option [0/1] to include server HASH)

if the value is matched the config passes etc.
All connecting clients which do not provide suitable HASH
are disconnected .. probably with SIGTERM->client.
+ If --verify-config-file is used in the server config
+ Could also verify IV_CONF_ALG with server env

*Maybe* hand-off the file searching to a script on the server.
Not sure how effectively that could be done on windows ..
perhaps a plugin ?

Anyway, It looks ok to me but what do I know ?

Just a thought .. something for the wishlist ?
Thanks
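
A sketch of the check proposed in the message above, added here as an example and not part of the original post or of OpenVPN: `--verify-config-file`, `IV_CONF_ALG` and `IV_CONF_HASH` are the post's proposed names, while the file format (one hex digest per line), the function names and the sample config are assumptions. The hash is reported by the client itself, so this catches an unmodified client running an unapproved config, not a client that reports a false value.

```python
import hashlib
import hmac

# Assumption: digests the server admin accepts; the post leaves ALG open.
ALLOWED_ALGS = {"sha256", "sha512"}


def hash_config(config_bytes, alg):
    """Client side: hex digest of the config file bytes exactly as stored."""
    if alg not in ALLOWED_ALGS:
        raise ValueError("unsupported algorithm: " + alg)
    return hashlib.new(alg, config_bytes).hexdigest()


def parse_expected(text):
    """Server side: read FILE, one hex digest per line; '#' starts a comment."""
    digests = set()
    for line in text.splitlines():
        value = line.split("#", 1)[0].strip().lower()
        if value:
            digests.add(value)
    return digests


def verify_client(peer_info, server_alg, expected):
    """True only if the client reported the server's ALG and a listed hash."""
    alg = peer_info.get("IV_CONF_ALG", "").lower()
    reported = peer_info.get("IV_CONF_HASH", "").lower().encode()
    if alg != server_alg or not reported:
        return False
    matched = False
    for digest in expected:  # constant-time comparison of each candidate
        matched |= hmac.compare_digest(digest.encode(), reported)
    return matched


# Constructed sample data: a client config and the admin's expected-hash file.
SAMPLE_CONFIG = b"client\ndev tun\nremote vpn.example.net 1194\n"
EXPECTED_FILE = ("# approved client configs\n"
                 + hash_config(SAMPLE_CONFIG, "sha256") + "  # site A\n")

if __name__ == "__main__":
    expected = parse_expected(EXPECTED_FILE)
    # Second case: same config saved with CRLF line endings.
    for cfg in (SAMPLE_CONFIG, SAMPLE_CONFIG.replace(b"\n", b"\r\n")):
        info = {"IV_CONF_ALG": "sha256",
                "IV_CONF_HASH": hash_config(cfg, "sha256")}
        print(verify_client(info, "sha256", expected))
```

The second case is rejected even though the directives are identical, because hashing raw bytes is sensitive to line-ending conversion between platforms.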

