On Wed, Feb 08, 2017 at 11:58:32PM -0500, Selva Nair wrote:
> Hi,
>
> On Wed, Feb 8, 2017 at 10:01 PM, Antonio Quartulli <a...@unstable.cc> wrote:
>
> > On Wed, Feb 08, 2017 at 02:25:44PM -0500, selva.n...@gmail.com wrote:
> > > From: Selva Nair <selva.n...@gmail.com>
> > >
> > > - Keep the username even if auth-nocache is specified so that
> > >   any auth_token pushed by the server could be utilized
> >
> > This means that even when using no auth-token the username will be cached.
> > Can this be a security concern?
> >
>
> I would consider username as not sensitive material although not sure
> everyone would agree. Unfortunately there is no way to know in advance that
> auth-token may get pushed so I can't think of a good way of avoiding this.
> A not so secure approach (I considered this first) would be to delay
> clearing the username/password to post pushed-options processing, but then
> one has to handle cases like what if the push reply never arrives and so
> on.. In general it's always better to clear sensitive data at the earliest.
>
> The way out would be to do one more purge_user_pass(.., false) after push
> processing.. sigh.. will go there only if absolutely necessary.

Yesterday, while discussing the same issue on IRC, I came up with this patch:

http://bpaste.net/show/153e8d51c02d

It does indeed wait for the push-reply to come back before making a decision
about wiping the user_pass object or not. This way also the user is wiped when
nocache remains true.

Not sure which approach is better though.

Cheers,

-- 
Antonio Quartulli
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
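
The two purge timings discussed in this thread, as an added example that is not taken from either patch or from OpenVPN's source: a simplified C model of when the username and password leave memory under auth-nocache. `struct creds`, `early_after_auth` and `after_push_or_timeout` are hypothetical names, and the model assumes a pushed token takes the password's place.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define CRED_LEN 64

/* Hypothetical model of a client credential object (not OpenVPN's struct). */
struct creds {
    bool nocache;                 /* auth-nocache was requested */
    char username[CRED_LEN];
    char password[CRED_LEN];      /* password, later replaced by a pushed token */
};

/* Zero through a volatile pointer so the compiler cannot drop the stores. */
static void wipe(char *p, size_t n)
{
    volatile char *v = p;
    while (n--) *v++ = 0;
}

/* True when the buffer holds no residual bytes at all. */
bool is_wiped(const char *p, size_t n)
{
    while (n--) if (*p++) return false;
    return true;
}

/* Early approach: drop the password as soon as it has been sent and keep
 * the username, because a token may still be pushed later. */
void early_after_auth(struct creds *c)
{
    if (c->nocache) wipe(c->password, CRED_LEN);
}

/* Called with the pushed token, or NULL when the reply carried no token or
 * never arrived (timeout). After early_after_auth() this is the extra purge
 * that removes the kept username; in the deferred approach it is the only
 * purge, so the password stays resident until this call. */
void after_push_or_timeout(struct creds *c, const char *token)
{
    if (token) {
        wipe(c->password, CRED_LEN);
        snprintf(c->password, CRED_LEN, "%s", token);
    } else if (c->nocache) {
        wipe(c->username, CRED_LEN);
        wipe(c->password, CRED_LEN);
    }
}
```

In the deferred variant the timeout path has to call `after_push_or_timeout(c, NULL)` itself, which is the "push reply never arrives" case raised above.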