Hi,

On Mon, Nov 20, 2017 at 7:37 PM, Jonathan K. Bullard <jkbull...@gmail.com>
wrote:

> HI, Selva, and thanks for your input.
>
> On Mon, Nov 20, 2017 at 7:17 PM, Selva <selva.n...@gmail.com> wrote:
> > Hi Jon,
> >
> >>
> >> Does the Windows GUI do anything with these "echo" parameters?
> >
> >
> > Very recently we added support for two echo "directives":
> > 'echo forget-passwords' and 'echo save-passwords': we use these as cue
> > to erase (or enable saving of) any saved passwords.
>
> Does "echo save-passwords" **force** the saving (without letting the
> user not save them?) Or does the Windows GUI give the user a choice?
> (Or does it always only give the users a choice if "echo
> save-passwords" was received?.) Does it save usernames, passwords, and
> passphrases (for keys), or just passwords?
>

We always save the username (there have been some complaints about it
but as of now that 'feature' remains).

As for passwords, the Windows GUI allows the user to optionally save
passwords encrypted using Windows Data Protect API. This
is done by presenting a check box in each password dialog that the user can
select or unselect. So each kind of password could be independently saved.

For the rest, see the commit message copied below:

Parse ECHO directives from openvpn

    Support the following echo commands

    - "echo forget-passwords": delete passwords internally saved by the GUI
      but do not disable the password save feature. Useful when pushed
      from the server so that it gets processed after authentication. Also
      see management-notes.txt in openvpn docs.

    - "echo save-passwords": enables private-key and auth-user-pass passwords
      to be saved. Will be effective at startup only if present in the config
      file. If pushed from the server, will get used for subsequent
      password prompts. Essentially this has the effect of presenting the
      password dialogs to the user with save-password checkbox selected. The
      user may still uncheck it during the dialog.

    Note: echo commands are processed as and when they are received and in
    the order received.

    TODO: support for "echo setenv name var", "echo disable-save-passwords"
    etc..


>
>
> > Echo "commands"
> > are meant to be directives from openvpn (pushed from server or as present
> > in client config) to the GUI so no need to send it back to openvpn.
>
> OK, but It isn't clear to me what the OpenVPN client software does
> when it gets "forget-password": does it erase the password(s) **it**
> has saved in memory and then pass "forget-passwords" through the
> management interface? Or just pass it on without doing anything?
>

Yes, just act on it (or ignore it) -- nothing has to be passed back to the
management interface.


>
>
> > I plan to support "echo setenv .." as a way of asking the GUI to set
> > some vars in the env exported to scripts and may be directives like
> > 'echo disable-save passwords'.
>
> Thanks. I will probably do the same for Tunnelblick. (Sometime : )
>
> Would "echo disable-save-passwords" (two hyphens, right?) make it so
>

Yes, two hyphens: my bad..


> the user **can't** save passwords through the Windows GUI, and
> otherwise they would be able to? (I am not familiar enough with the
> Windows GUI to know if it usually offers that to the user; Tunnelblick
> offers separate checkboxes to save the username and password unless
> they are explicitly disabled via the configuration's Tunnelblick
> options.)


Windows GUI offers a way for administrators to switch off the password save
feature through a global setting. My proposal is to have an
'echo disable-save-passwords' directive that has the same effect but could
be enforced from the server. Once disabled, the "save password" check
box is not shown in any password dialogs.

When pushed, this will cause any saved passwords (both Private Key
password and Auth password) to be purged. And, subsequent password
prompts will not show the checkbox for saving passwords.

> > Interpreting something like 'echo msg "blah blah"' as a message to the user
> > could be a useful way of passing messages. Before we do that it would
> > be nice to have some standardization of echo directives.
>


Absolutely! +1


So we need an RFC -- or implement support for some directives and have
others follow :)

Selva
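The echo handling described in the commit message and in the proposal above, as an added example written for this page (it is not OpenVPN GUI or Tunnelblick code): a small Python model of a GUI that reads management-interface output, picks out `>ECHO:<timestamp>,<text>` lines (that line format is taken from management-notes.txt and is assumed here), and applies `forget-passwords`, `save-passwords`, the proposed `disable-save-passwords` and the proposed `setenv` in the order received. The state names, the constructed sample lines, and the rule that a disable directive blocks a later `save-passwords` are this example's own assumptions, not behaviour the thread confirms.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Management-interface echo notification, per management-notes.txt (assumed
# here):  >ECHO:<unix-timestamp>,<text of the echo option>
ECHO_LINE = re.compile(r"^>ECHO:(\d+),(.*)$")


@dataclass
class GuiPasswordState:
    """Simulated GUI state. The real Windows GUI keeps saved secrets
    DPAPI-encrypted; a plain dict stands in for that store in this example."""
    saved: Dict[str, str] = field(default_factory=dict)  # kind -> secret
    save_enabled: bool = False  # checkbox pre-selected ("echo save-passwords")
    save_allowed: bool = True   # checkbox shown at all (admin setting / disable)
    env: Dict[str, str] = field(default_factory=dict)    # proposed "echo setenv"


def parse_echo_line(line: str) -> Optional[str]:
    """Return the echo text from a '>ECHO:' line, or None for any other line."""
    m = ECHO_LINE.match(line.rstrip("\r\n"))
    return m.group(2) if m else None


def apply_echo_directive(state: GuiPasswordState, text: str) -> str:
    """Act on one echo directive; returns a short action tag for logging.
    Nothing is sent back to the management interface."""
    parts = text.split()
    if not parts:
        return "ignored"
    cmd, args = parts[0], parts[1:]
    if cmd == "forget-passwords":
        # purge saved secrets only; the save feature itself stays as it was
        state.saved.clear()
        return "forget-passwords"
    if cmd == "save-passwords":
        # later dialogs show the checkbox pre-selected, unless the feature has
        # been switched off (assumption: a disable directive wins)
        if state.save_allowed:
            state.save_enabled = True
            return "save-passwords"
        return "save-passwords:blocked"
    if cmd == "disable-save-passwords":
        # proposed in the thread: purge saved secrets and hide the checkbox
        state.saved.clear()
        state.save_enabled = False
        state.save_allowed = False
        return "disable-save-passwords"
    if cmd == "setenv" and len(args) == 2:
        # proposed in the thread; exported to scripts by the real GUI
        state.env[args[0]] = args[1]
        return f"setenv:{args[0]}"
    return "ignored"  # unknown echo text is not an error, just not for us


def process_management_output(lines: List[str], state: GuiPasswordState) -> List[str]:
    """Feed management-interface lines through in the order received; lines
    that are not echo notifications are left to other handlers."""
    actions = []
    for line in lines:
        text = parse_echo_line(line)
        if text is not None:
            actions.append(apply_echo_directive(state, text))
    return actions


def password_dialog_options(state: GuiPasswordState) -> Tuple[bool, bool]:
    """What a password prompt would offer: (checkbox shown, checkbox pre-selected)."""
    return (state.save_allowed, state.save_allowed and state.save_enabled)


# Constructed sample of management-interface output (timestamps are made up).
SAMPLE_OUTPUT = [
    ">ECHO:1511222222,save-passwords",
    ">PASSWORD:Need 'Auth' username/password",  # not an echo line
    ">ECHO:1511222223,setenv FOO bar",
    ">ECHO:1511222224,forget-passwords",
    ">ECHO:1511222225,disable-save-passwords",
]

if __name__ == "__main__":
    st = GuiPasswordState(saved={"auth": "hunter2", "private-key": "pk-pass"})
    print(process_management_output(SAMPLE_OUTPUT, st))
    print(st, password_dialog_options(st))
```

Run as-is, the sample ends with every saved secret purged and the checkbox hidden, while a `save-passwords` followed by `forget-passwords` leaves the save feature enabled with nothing stored, which is the distinction the commit message draws between the two directives.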
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users