Re: [Openvpn-users] Displaying messages to users by means of the GUI?

2017-11-21 Thread fragmentux



On 21/11/17 18:16, Selva wrote:
> On Tue, Nov 21, 2017 at 12:17 PM, fragmentux  wrote:
>
>> Hi Selva,
>>
>> On 21/11/17 16:32, Selva wrote:
>>
>>> Hi,
>>>
>>>> Presume that the user does not have admin rights :
>>>>
>>>> A non-admin user could copy the admin protected config file from \program
>>>> files\openvpn\config -to- \users\$user\openvpn\config and modify it to
>>>> include the --pull-filter.
>>>>
>>> Will not work in 2.4 unless the user is in OpenVPN Administrators
>>> group which requires admin's blessings
>>>
>> The user *must* be a member of said group to successfully use the GUI
>> anyway .. Thus, presuming the admin has made the user a member in order
>> to use the VPN at all, the user *can* (I just have on w10) modify the
>> config and run it.
>
> Not really.
>
> The GUI does not need the user to be a member of that group to
> successfully use the interactive service and run as limited user.
>
> You can install configs in the global location where user only has read
> access, and no membership in the said group is needed to use the interactive
> service. Everything should work with GUI and openvpn running as limited user
> and the interactive service handling privileged tasks.
>
> This is useful even if the user knows the admin password: many users I help
> are rather clueless and need and appreciate some protection from themselves.

Ah .. yes indeed. A nuance I was not aware of till now.

Thanks


--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
___
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users


Re: [Openvpn-users] Displaying messages to users by means of the GUI?

2017-11-21 Thread Selva
On Tue, Nov 21, 2017 at 12:17 PM, fragmentux  wrote:

> Hi Selva,
>
> On 21/11/17 16:32, Selva wrote:
>
>> Hi,
>>
>>> Presume that the user does not have admin rights :
>>>
>>> A non-admin user could copy the admin protected config file from \program
>>> files\openvpn\config -to- \users\$user\openvpn\config and modify it to
>>> include the --pull-filter.
>>>
>> Will not work in 2.4 unless the user is in OpenVPN Administrators
>> group which requires admin's blessings
>>
> The user *must* be a member of said group to successfully use the GUI
> anyway .. Thus, presuming the admin has made the user a member in order
> to use the VPN at all, the user *can* (I just have on w10) modify the
> config and run it.


Not really.

The GUI does not need the user to be a member of that group to
successfully use the interactive service and run as limited user.

You can install configs in the global location where user only has read
access, and no membership in the said group is needed to use the interactive
service. Everything should work with GUI and openvpn running as limited user
and the interactive service handling privileged tasks.

This is useful even if the user knows the admin password: many users I help
are rather clueless and need and appreciate some protection from themselves.

Selva


Re: [Openvpn-users] Displaying messages to users by means of the GUI?

2017-11-21 Thread Илья Шипицин
2017-11-21 21:32 GMT+05:00 Selva :

> Hi,
>
> On Tue, Nov 21, 2017 at 10:32 AM, fragmentux  wrote:
>
>>
>>
>> On 21/11/17 13:20, Gert Doering wrote:
>>
>>> Hi,
>>>
>>> On Tue, Nov 21, 2017 at 12:10:05PM +, fragmentux wrote:
>>>
>>>> Could this happen: --pull-filter ignore "echo disable-password-save" ..
>>>>
>>>> Or is the string processed prior to the --pull-filter ?
>>>>
>>>
>>> A user who is able to modify his local config can do anything he
>>> wants, including reading username+password from a clear text file.
>>>
>>> So, while pull-filter will make openvpn ignore incoming "echo"
>>> statements,
>>> it has no relevance to the password saving and "who decides?" discussion.
>>>
>>> (A user who has *admin* rights could even install his own openvpn binary
>>> which does whatever he wants)
>>>
>>>
>> Presume that the user does not have admin rights :
>>
>> A non-admin user could copy the admin protected config file from \program
>> files\openvpn\config -to- \users\$user\openvpn\config and modify it to
>> include the --pull-filter.
>>
>
> Will not work in 2.4 unless the user is in OpenVPN Administrators
> group which requires admin's blessings OR runs openvpn without using
> the interactive service which will fail to add routes unless the user has
> admin rights. (Some installations that need no extra routes may work
> without needing the service or admin rights, though.)
>
> That said, a limited user can install "his" own custom GUI in a private
> folder and bypass global settings and any echo directives. Custom GUI will
> not bypass the above mentioned validation as that is imposed by the service.
> Anyway, the purpose of these options is to help the user and admin to
> establish and convey some policies, not to enforce them.
>
> I generally encourage users to save passwords, lest they paste a
> password stickie on the monitor. But sometimes it's prudent not to
> save passwords (laptops in the wild, for example) and instead of
> burdening the user to remember this, I prefer not to show
> the password save checkbox. Pushing echo disable-save-passwords
> from ccd (or even echo forget-passwords) comes in handy in such cases.
> By the way the former is still a proposed feature not present in any
> released version.
>

The security approach has changed recently:

https://www.theverge.com/2017/8/7/16107966/password-tips-bill-burr-regrets-advice-nits-cybersecurity

It is no longer good to require periodic password changes;
it is good to use a password manager.



>
>> The commit message states:
>>>   Note: echo commands are processed as and when they are received and in
>>>   the order received.
>>
>> With --pull-filter in place should that read *if* and when they are
>> received ?
>
> "If" is implied by "as and when" -- if not received there is nothing to
> process. Here "received" refers to "received by the GUI" as this is a patch
> for the GUI. That requires the pulled echo to pass through pull-filter and
> option parsing. Only after that it gets sent to the management interface by
> openvpn and received by the GUI.
>
> Selva
>
>


Re: [Openvpn-users] Displaying messages to users by means of the GUI?

2017-11-21 Thread Gert Doering
Hi,

On Tue, Nov 21, 2017 at 03:32:51PM +, fragmentux wrote:
> Presume that the user does not have admin rights :
> 
> A non-admin user could copy the admin protected config file from 
> \program files\openvpn\config -to- \users\$user\openvpn\config and 
> modify it to include the --pull-filter.
> 
> Would running openvpn-GUI on the modified config negate the pushed echo?

Of course it would.  If you filter push messages, they do not arrive.

As for any other pushed option.

gert

-- 
now what should I write here...

Gert Doering - Munich, Germany g...@greenie.muc.de




Re: [Openvpn-users] Displaying messages to users by means of the GUI?

2017-11-21 Thread Selva
Hi,

On Tue, Nov 21, 2017 at 10:32 AM, fragmentux  wrote:

>
>
> On 21/11/17 13:20, Gert Doering wrote:
>
>> Hi,
>>
>> On Tue, Nov 21, 2017 at 12:10:05PM +, fragmentux wrote:
>>
>>> Could this happen: --pull-filter ignore "echo disable-password-save" ..
>>>
>>> Or is the string processed prior to the --pull-filter ?
>>>
>>
>> A user who is able to modify his local config can do anything he
>> wants, including reading username+password from a clear text file.
>>
>> So, while pull-filter will make openvpn ignore incoming "echo" statements,
>> it has no relevance to the password saving and "who decides?" discussion.
>>
>> (A user who has *admin* rights could even install his own openvpn binary
>> which does whatever he wants)
>>
>>
> Presume that the user does not have admin rights :
>
> A non-admin user could copy the admin protected config file from \program
> files\openvpn\config -to- \users\$user\openvpn\config and modify it to
> include the --pull-filter.
>

Will not work in 2.4 unless the user is in OpenVPN Administrators
group which requires admin's blessings OR runs openvpn without using
the interactive service which will fail to add routes unless the user has
admin rights. (Some installations that need no extra routes may work
without needing the service or admin rights, though.)

That said, a limited user can install "his" own custom GUI in a private
folder and bypass global settings and any echo directives. Custom GUI will not
bypass the above mentioned validation as that is imposed by the service.
Anyway, the purpose of these options is to help the user and admin to
establish and convey some policies, not to enforce them.

I generally encourage users to save passwords, lest they paste a
password stickie on the monitor. But sometimes it's prudent not to
save passwords (laptops in the wild, for example) and instead of
burdening the user to remember this, I prefer not to show
the password save checkbox. Pushing echo disable-save-passwords
from ccd (or even echo forget-passwords) comes in handy in such cases.
By the way the former is still a proposed feature not present in any
released version.

> The commit message states:
>>   Note: echo commands are processed as and when they are received and in
>>   the order received.
>
> With --pull-filter in place should that read *if* and when they are
> received ?

"If" is implied by "as and when" -- if not received there is nothing to
process. Here "received" refers to "received by the GUI" as this is a patch
for the GUI. That requires the pulled echo to pass through pull-filter and
option parsing. Only after that it gets sent to the management interface by
openvpn and received by the GUI.

Selva
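To make the order of processing Selva describes concrete, here is an added Python model (not code from OpenVPN, OpenVPN-GUI or anyone in this thread) of the path a pushed echo takes on the client: the PUSH_REPLY arrives, the client's --pull-filter rules run, the surviving options are parsed, and only then does openvpn write an >ECHO: line to the management interface for the GUI to process. It assumes the pull-filter semantics documented for OpenVPN 2.4 (each rule is a prefix match against a pushed option, the first matching rule wins, unmatched options are accepted, and a reject rule aborts the connection) and uses a constructed PUSH_REPLY rather than a captured one; PullFilter, gui_receives and would_disconnect are names chosen for this example.

```python
# Added example, not code from the OpenVPN project or this thread: a model of
# PUSH_REPLY -> --pull-filter -> option parsing -> ">ECHO:" management line.
# Assumption: pull-filter semantics as documented for OpenVPN 2.4 (prefix
# match, first matching rule wins, default accept, reject aborts the session).
import time
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class PullFilter:
    """One --pull-filter line: action is 'accept', 'ignore' or 'reject'."""
    action: str
    text: str


class ConnectionRejected(Exception):
    """A pushed option matched a 'reject' rule, so openvpn drops the session."""


def parse_push_reply(line: str) -> List[str]:
    """Split a PUSH_REPLY control message into its individual pushed options."""
    prefix = "PUSH_REPLY,"
    if not line.startswith(prefix):
        raise ValueError("not a PUSH_REPLY message")
    return [opt for opt in line[len(prefix):].split(",") if opt]


def apply_pull_filters(options: List[str], filters: List[PullFilter]) -> List[str]:
    """Return the pushed options that survive the client's --pull-filter rules."""
    kept = []
    for opt in options:
        action = "accept"                 # no rule matched: option is accepted
        for rule in filters:
            if opt.startswith(rule.text): # prefix match; first matching rule wins
                action = rule.action
                break
        if action == "reject":
            raise ConnectionRejected(opt)
        if action == "accept":
            kept.append(opt)
        # 'ignore': dropped here, never reaches option parsing or the GUI
    return kept


def echo_to_management(options: List[str], timestamp: int) -> List[str]:
    """Emit the '>ECHO:<unix-time>,<text>' line openvpn sends to the management
    client for each surviving 'echo' option, in the order received."""
    lines = []
    for opt in options:
        parts = opt.split(None, 1)
        if len(parts) == 2 and parts[0] == "echo":
            lines.append(f">ECHO:{timestamp},{parts[1]}")
    return lines


def gui_receives(push_reply: str, filters: List[PullFilter],
                 timestamp: Optional[int] = None) -> List[str]:
    """Whole pipeline: the management-interface lines the GUI actually gets."""
    ts = int(time.time()) if timestamp is None else timestamp
    surviving = apply_pull_filters(parse_push_reply(push_reply), filters)
    return echo_to_management(surviving, ts)


def would_disconnect(push_reply: str, filters: List[PullFilter]) -> bool:
    """True if a 'reject' rule would end the session before any echo is seen."""
    try:
        apply_pull_filters(parse_push_reply(push_reply), filters)
        return False
    except ConnectionRejected:
        return True


# Constructed sample (not a capture): a ccd entry pushing the two directives
# named in the thread next to ordinary addressing and routing options.
SAMPLE_PUSH_REPLY = ("PUSH_REPLY,route 10.8.0.0 255.255.255.0,"
                     "echo disable-save-passwords,echo forget-passwords,"
                     "ifconfig 10.8.0.6 10.8.0.5")

if __name__ == "__main__":
    ts = 1511286541  # fixed timestamp so the output is reproducible
    # Unmodified client config: both echo lines reach the GUI, in push order.
    print(gui_receives(SAMPLE_PUSH_REPLY, [], ts))
    # Client config with: pull-filter ignore "echo disable-save-passwords"
    print(gui_receives(SAMPLE_PUSH_REPLY,
                       [PullFilter("ignore", "echo disable-save-passwords")], ts))
    # Client config with: pull-filter reject "route"  -> session ends instead
    print(would_disconnect(SAMPLE_PUSH_REPLY, [PullFilter("reject", "route")]))
```

Running it shows the point made above: an echo that is ignored by the client config never produces a management-interface line, so the GUI has nothing to process, which is why a pushed directive conveys a policy rather than enforcing one. The `would_disconnect` case shows the one filter action that does change the outcome, by ending the session rather than the option.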


Re: [Openvpn-users] Displaying messages to users by means of the GUI?

2017-11-21 Thread Selva
Hi,

On Tue, Nov 21, 2017 at 6:52 AM, Jan Just Keijser  wrote:

> Hi,
>
> On 21/11/17 11:02, Ralf Hildebrandt wrote:
>
>> * Jonathan K. Bullard :
>>
>>> Hi,
>>>
>>> On Mon, Nov 20, 2017 at 10:16 AM, Ralf Hildebrandt
>>>  wrote:
>>>
>>>> My users primarily use Windows (OpenVPN-GUI), Tunnelblick. We do have
>>>> some Linux users (mainly using NetworkManager) and even 4 ChromeOS
>>>> users.
>>>>
>>>> Is there any way for me to display informational messages on the
>>>> users' computer when they're logging in via VPN?
>>>>
>>> Depending on what you mean by "logging in via VPN". Do you mean
>>> "connecting to the VPN server",
>>>
>> Exactly that.
>>
>>> Documentation [1] for the management interface's "echo" command says
>>> "Essentially the echo command allowed us to pass parameters from the
>>> OpenVPN server to the OpenVPN client, and then to the management
>>> client (such as a GUI)."
>>>
>>> Of course it requires the GUI (such as Tunnelblick) to do something
>>> with the "parameters". As far as I know, Tunnelblick doesn't currently
>>> do anything with these "parameters", but I'm open to extending
>>> Tunnelblick to do "something" with them.
>>>
>> ...
>>
>>> Does the Windows GUI do anything with these "echo" parameters?
>>>
>> I'll have to test this.
>>
> 'Core' OpenVPN certainly is not GUI-aware, and the current Windows
> OpenVPN GUI does not do anything with "echo" parameters -


FYI, this is not correct. See my response earlier in the thread.
Though nothing yet that would permit sending custom messages from
the server.

> It would be useful to add something like this to the Windows GUI (and also
> NetworkManager, perhaps), as in some companies you need a legal
> disclaimer before you start to use a network/application/VPN etc.


Something like a static legal disclaimer is easy -- just display it from
a "pre" script. No further co-operation from the GUI is needed.

For more dynamic stuff, echo could be used to pass short messages
(e.g., a 140 char tweet, not 280 -- something like 240 bytes may be the
max without jumping through some hoops), but currently the Windows GUI
does not pass any such info to scripts. There is a patch in the works to add
echo setenv which could be used to export some variables (after name
mangling) to the up-script run by the GUI.

Selva


Re: [Openvpn-users] Displaying messages to users by means of the GUI?

2017-11-21 Thread fragmentux



On 21/11/17 13:20, Gert Doering wrote:
> Hi,
>
> On Tue, Nov 21, 2017 at 12:10:05PM +, fragmentux wrote:
>> Could this happen: --pull-filter ignore "echo disable-password-save" ..
>>
>> Or is the string processed prior to the --pull-filter ?
>
> A user who is able to modify his local config can do anything he
> wants, including reading username+password from a clear text file.
>
> So, while pull-filter will make openvpn ignore incoming "echo" statements,
> it has no relevance to the password saving and "who decides?" discussion.
>
> (A user who has *admin* rights could even install his own openvpn binary
> which does whatever he wants)

Presume that the user does not have admin rights :

A non-admin user could copy the admin protected config file from
\program files\openvpn\config -to- \users\$user\openvpn\config and
modify it to include the --pull-filter.

Would running openvpn-GUI on the modified config negate the pushed echo?

(Note: this discussion is about the GUI and how it behaves, so there is
no service in use to block the secondary use of the GUI on the same config)

The commit message states:
>   Note: echo commands are processed as and when they are received and in
>   the order received.

With --pull-filter in place should that read *if* and when they are
received ?


Regards



Re: [Openvpn-users] Displaying messages to users by means of the GUI?

2017-11-21 Thread Gert Doering
Hi,

On Tue, Nov 21, 2017 at 12:10:05PM +, fragmentux wrote:
> Could this happen: --pull-filter ignore "echo disable-password-save" ..
> 
> Or is the string processed prior to the --pull-filter ?

A user who is able to modify his local config can do anything he
wants, including reading username+password from a clear text file.

So, while pull-filter will make openvpn ignore incoming "echo" statements,
it has no relevance to the password saving and "who decides?" discussion.

(A user who has *admin* rights could even install his own openvpn binary
which does whatever he wants)

gert
-- 
now what should I write here...

Gert Doering - Munich, Germany g...@greenie.muc.de




Re: [Openvpn-users] Displaying messages to users by means of the GUI?

2017-11-21 Thread fragmentux



On 21/11/17 01:16, Selva wrote:
> We always save the username (there has been some complaints about it
> but as of now that 'feature' remains).

I believe this should be removed. (my2c)

I know there is a work-around but generally work-arounds are "sticky
tape n string" solutions to known bugs ..

> Windows GUI offers a way for administrators to switch-off the password save
> feature through a global setting. My proposal is to have an
> 'echo disable-save-passwords' directive that has the same effect but could
> be enforced from the server.

Could this happen: --pull-filter ignore "echo disable-password-save" ..

Or is the string processed prior to the --pull-filter ?

Regards



Re: [Openvpn-users] Displaying messages to users by means of the GUI?

2017-11-21 Thread Jan Just Keijser

Hi,

On 21/11/17 11:02, Ralf Hildebrandt wrote:
> * Jonathan K. Bullard :
>> Hi,
>>
>> On Mon, Nov 20, 2017 at 10:16 AM, Ralf Hildebrandt
>>  wrote:
>>> My users primarily use Windows (OpenVPN-GUI), Tunnelblick. We do have
>>> some Linux users (mainly using NetworkManager) and even 4 ChromeOS
>>> users.
>>>
>>> Is there any way for me to display informational messages on the
>>> users' computer when they're logging in via VPN?
>>
>> Depending on what you mean by "logging in via VPN". Do you mean
>> "connecting to the VPN server",
>
> Exactly that.
>
>> Documentation [1] for the management interface's "echo" command says
>> "Essentially the echo command allowed us to pass parameters from the
>> OpenVPN server to the OpenVPN client, and then to the management
>> client (such as a GUI)."
>>
>> Of course it requires the GUI (such as Tunnelblick) to do something
>> with the "parameters". As far as I know, Tunnelblick doesn't currently
>> do anything with these "parameters", but I'm open to extending
>> Tunnelblick to do "something" with them.
>
> ...
>
>> Does the Windows GUI do anything with these "echo" parameters?
>
> I'll have to test this.

'Core' OpenVPN certainly is not GUI-aware, and the current Windows OpenVPN
GUI does not do anything with "echo" parameters - they can/might be
displayed in the status/log window, but this is usually not visible to the
user. Of course, it is possible to add a GUI-specific "up.bat" file to do
something with parameters that get pushed from the server, but you'd have
to add this to all clients.

It would be useful to add something like this to the Windows GUI (and also
NetworkManager, perhaps), as in some companies you need a legal disclaimer
before you start to use a network/application/VPN etc.

JJK




Re: [Openvpn-users] Displaying messages to users by means of the GUI?

2017-11-21 Thread Ralf Hildebrandt
* Jonathan K. Bullard :
> Hi,
> 
> On Mon, Nov 20, 2017 at 10:16 AM, Ralf Hildebrandt
>  wrote:
> > My users primarily use Windows (OpenVPN-GUI), Tunnelblick. We do have
> > some Linux users (mainly using NetworkManager) and even 4 ChromeOS
> > users.
> >
> > Is there any way for me to display informational messages on the
> > users' computer when they're logging in via VPN?
> 
> Depending on what you mean by "logging in via VPN". Do you mean
> "connecting to the VPN server",

Exactly that.

> Documentation [1] for the management interface's "echo" command says
> "Essentially the echo command allowed us to pass parameters from the
> OpenVPN server to the OpenVPN client, and then to the management
> client (such as a GUI)."
> 
> Of course it requires the GUI (such as Tunnelblick) to do something
> with the "parameters". As far as I know, Tunnelblick doesn't currently
> do anything with these "parameters", but I'm open to extending
> Tunnelblick to do "something" with them.

...

> Does the Windows GUI do anything with these "echo" parameters?

I'll have to test this.

-- 
Ralf Hildebrandt   Charite Universitätsmedizin Berlin
ralf.hildebra...@charite.deCampus Benjamin Franklin
https://www.charite.de Hindenburgdamm 30, 12203 Berlin
Geschäftsbereich IT, Abt. Netzwerk fon: +49-30-450.570.155
