Re: [Openvpn-devel] On saving passwords

2016-12-12 Thread Selva Nair
On Mon, Dec 12, 2016 at 3:09 AM, Samuli Seppänen  wrote:

> Il 11/12/2016 19:52, Selva Nair ha scritto:
>
>>
>> On Sun, Dec 11, 2016 at 12:00 PM, debbie10t > > wrote:
>>
>> What happens if a remote user, who has admin access to their own
>> computer, connects to a work VPN but they decide to change said
>> config ?
>>
>>
>> A user who has admin access to their own computer can do anything to it:
>> including saving VPN passwords. Why would openvpn stop them doing that?
>> The question was about a sysadmin of an office not allowing their users
>> to save their openvpn passwords in an automated way. There is no way of
>> ensuring that if the user has admin access on their devices. Note that
>> password is saved on the client, not the server.
>>
>
> There are many ways to circumvent password saving restrictions if the
> enforcement is supposed to happen on the client side.

The server cannot enforce what a user does with his password, can it?
Unless one uses some kind of OTP so that there is no savable password, so
to speak.

> Some years back I used xdotool[1] to manage keyboard input and mouse
> movements to automate otherwise unautomateable things. While it's a
> crude approach, it could be easily used to automate password typing and
> mouse clicks. I'm sure similar tools are available for Windows.


Yeah, policies like no saving of passwords can be enforced only with user
co-operation.

But our prerogative here is to just provide a way for an admin to reliably
disable the password-save feature in the GUI. The question is how strong is
the case for something like that. I can see that if an establishment has a
policy that asks users not to save passwords, it won't be appropriate to
have UIs with enticing check-boxes to save passwords. Users installing a
hacked GUI or using automated key-strokes would be beyond us.

Selva
--
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel


Re: [Openvpn-devel] On saving passwords

2016-12-12 Thread Илья Шипицин
2016-12-12 13:09 GMT+05:00 Samuli Seppänen :

> Il 11/12/2016 19:52, Selva Nair ha scritto:
> >
> > On Sun, Dec 11, 2016 at 12:00 PM, debbie10t  > > wrote:
> >
> > What happens if a remote user, who has admin access to their own
> > computer, connects to a work VPN but they decide to change said
> > config ?
> >
> >
> > A user who has admin access to their own computer can do anything to it:
> > including saving VPN passwords. Why would openvpn stop them doing that?
> > The question was about a sysadmin of an office not allowing their users
> > to save their openvpn passwords in an automated way. There is no way of
> > ensuring that if the user has admin access on their devices. Note that
> > password is saved on the client, not the server.
>
> There are many ways to circumvent password saving restrictions if the
> enforcement is supposed to happen on the client side.
>
> Some years back I used xdotool[1] to manage keyboard input and mouse
> movements to automate otherwise unautomateable things. While it's a
> crude approach, it could be easily used to automate password typing and
> mouse clicks. I'm sure similar tools are available for Windows.
>

https://www.autoitscript.com/site/autoit/


>
> --
> Samuli Seppänen
> Community Manager
> OpenVPN Technologies, Inc
>
> irc freenode net: mattock
>
> [1] 
>
>


Re: [Openvpn-devel] On saving passwords

2016-12-12 Thread Samuli Seppänen
Il 11/12/2016 19:52, Selva Nair ha scritto:
>
> On Sun, Dec 11, 2016 at 12:00 PM, debbie10t  > wrote:
>
> What happens if a remote user, who has admin access to their own
> computer, connects to a work VPN but they decide to change said config ?
>
>
> A user who has admin access to their own computer can do anything to it:
> including saving VPN passwords. Why would openvpn stop them doing that?
> The question was about a sysadmin of an office not allowing their users
> to save their openvpn passwords in an automated way. There is no way of
> ensuring that if the user has admin access on their devices. Note that
> password is saved on the client, not the server.

There are many ways to circumvent password saving restrictions if the 
enforcement is supposed to happen on the client side.

Some years back I used xdotool[1] to manage keyboard input and mouse 
movements to automate otherwise unautomateable things. While it's a 
crude approach, it could be easily used to automate password typing and 
mouse clicks. I'm sure similar tools are available for Windows.

-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock

[1] 




Re: [Openvpn-devel] On saving passwords

2016-12-11 Thread Selva Nair
On Sun, Dec 11, 2016 at 9:50 PM, Jonathan K. Bullard 
wrote:

> But seeing this thread, I am considering having Tunnelblick block
> saving/retrieving of the username or password if --auth-nocache is
> specified in the configuration file. That should make it easier for
> admins because they wouldn't have to set the Tunnelblick preferences.
> I would probably keep the existing mechanism so an admin could allow
> __OpenVPN__ to cache the username/password but not allow the __user__
> to store them.
>

What I've in mind for Windows GUI is to just interpret --auth-nocache to
mean do not save passwords. But if you already have an option to disable it
independently, makes sense to keep it and add this in addition to it.

> Question: Can --auth-nocache be pushed by the server?
> If so, is there some way that the management interface specifies that
> --auth-nocache is active when asking for a username/password?


No it cannot be pushed.

If it ever becomes pushable, we should add a don't-cache (and/or
don't-save) hint to the password prompt, similar to how a challenge-response
echo directive could be embedded in the prompt. The alternative of parsing
the log for pushed options would be a major pain. Such a hint or directive
in the prompt is something I would like to have even otherwise.

Selva


Re: [Openvpn-devel] On saving passwords

2016-12-11 Thread Selva Nair
Hi,

On Sun, Dec 11, 2016 at 9:06 AM, debbie10t  wrote:

> I think it is down to individual server admins to make this call ..
> If they have a policy which demands that passwords not be saved and
> openvpn does not have a robust method to do so, what will they do ?
>

Agreed, GUI should somehow allow an admin to disable the save password
feature.


> Is it possible to have --push "auth-nocache-override" which enables
> client --auth-nocache and cannot be filtered out ?
>

This is not required: the code already has restrictions in place so that a
limited user running an arbitrary config through interactive service is not
possible unless the admin permits them to do so. So keeping the config file
readonly for users is enough to protect --auth-nocache.

If we also make the GUI not save passwords when --auth-nocache is
present in the config, that should be robust enough.

Selva
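As an added illustration (not code from this thread, nor from openvpn-gui), here is how a GUI-side check of the kind discussed above could decide whether to offer the "save password" box: it reads the admin-controlled config the way OpenVPN's own parser does, ignoring comments and the bodies of inline `<tag>` file blocks, and looks for `auth-nocache`. The sample config, including the hostname, is constructed for the example.

```python
import re

# Constructed sample client config (not from the thread). The directive
# appears once as a real option, once inside a comment and once inside an
# inline <ca> block, so a naive substring search would get it wrong.
SAMPLE_CONFIG = """\
client
dev tun
remote vpn.example.com 1194   # assumed hostname, comment after the option
# auth-nocache            <- commented out, must not count
auth-user-pass
<ca>
-----BEGIN CERTIFICATE-----
auth-nocache-looking-text-inside-a-blob
-----END CERTIFICATE-----
</ca>
--auth-nocache
"""

def config_options(text):
    """Yield (option, args) for each real directive in an OpenVPN config,
    skipping blank lines, '#' / ';' comment lines, comment tokens after an
    option, and everything inside inline <tag>...</tag> file blocks."""
    in_block = None
    for raw in text.splitlines():
        line = raw.strip()
        if in_block:
            if line == f"</{in_block}>":
                in_block = None
            continue
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"<([a-z0-9-]+)>", line)
        if m:
            in_block = m.group(1)
            continue
        # A comment token may follow the option on the same line.
        line = re.split(r"\s[#;]", line)[0].strip()
        parts = line.split()
        # Config files may carry the optional "--" prefix; normalise it away.
        yield parts[0].lstrip("-"), parts[1:]

def save_password_allowed(text):
    """Policy decision the GUI could make: offer 'save password' only when
    the (admin-maintained, read-only) config does not carry auth-nocache."""
    return not any(opt == "auth-nocache" for opt, _ in config_options(text))
```

With `SAMPLE_CONFIG` the check returns `False` (the real `--auth-nocache` at the end counts; the commented and certificate-embedded copies do not).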


Re: [Openvpn-devel] On saving passwords

2016-12-11 Thread debbie10t


On 09/12/16 17:38, Selva Nair wrote:
> Hi,
>
> A comment on the GUI github page said:
>
> "For ISO27001 certification, we are not allowed to let users save their VPN
> passwords locally. Is there a way to remove or disable the 'save password'
> box upon authentication ?"
>
> Although I suggested to use an up script to delete the saved password, the
> GUI displaying a checkbox to save password may not be acceptable to some
> setups. Any idea how widespread a concern is this? Note that the GUI saves
> it encrypted. Personally I believe not saving passwords encourages users to
> choose weak passwords, but we could make the GUI respect any --auth-nocache
> in the config.
>
> More info here (https://github.com/OpenVPN/openvpn-gui/issues/105)
>
> Thanks,
>
> Selva
>

my2c

I think it is down to individual server admins to make this call ..
If they have a policy which demands that passwords not be saved and
openvpn does not have a robust method to do so, what will they do ?

Is it possible to have --push "auth-nocache-override" which enables
client --auth-nocache and cannot be filtered out ?

Regards



Re: [Openvpn-devel] On saving passwords

2016-12-09 Thread Илья Шипицин
On 9 Dec 2016 at 22:40, "Selva Nair" wrote:

> Hi,
>
> A comment on the GUI github page said:
>
> "For ISO27001 certification, we are not allowed to let users save their VPN
> passwords locally. Is there a way to remove or disable the 'save password'
> box upon authentication ?"
>
> Although I suggested to use an up script to delete the saved password, the
> GUI displaying a checkbox to save password may not be acceptable to some
> setups. Any idea how widespread a concern is this? Note that the GUI saves
> it encrypted. Personally I believe not saving passwords encourages users to
> choose weak passwords, but we could make the GUI respect any --auth-nocache
> in the config.

There might be some interest in FIPS or ISO27001 variants; we may run a
questionnaire to investigate that.

It also makes sense to make the default openvpn software satisfy those
standards. I have no idea whether it is possible or not.

> More info here (https://github.com/OpenVPN/openvpn-gui/issues/105)
>
> Thanks,
>
> Selva




[Openvpn-devel] On saving passwords

2016-12-09 Thread Selva Nair
Hi,

A comment on the GUI github page said:

"For ISO27001 certification, we are not allowed to let users save their VPN
passwords locally. Is there a way to remove or disable the 'save password'
box upon authentication ?"

Although I suggested to use an up script to delete the saved password, the
GUI displaying a checkbox to save password may not be acceptable to some
setups. Any idea how widespread a concern is this? Note that the GUI saves
it encrypted. Personally I believe not saving passwords encourages users to
choose weak passwords, but we could make the GUI respect any --auth-nocache
in the config.

More info here (https://github.com/OpenVPN/openvpn-gui/issues/105)

Thanks,

Selva