On 2015-10-23, Giancarlo Razzolini <grazzol...@gmail.com> wrote:
> On 23-10-2015 12:14, Tamas TEVESZ wrote:
>> case in point: openvpn passing username/password in the environment to
>> openvpn_bsdauth.
>>
>> so there's actually a bit of sensitive data in env that current
>> wisdom rightly tends to want to junk as soon as possible.

I don't understand why openvpn doesn't just allow passing the username/password on a file descriptor to the authentication command. That would avoid the permission problems with via-file and the unsafe nature of via-env. I don't think there's anything you can do inside openvpn_bsdauth to prevent it from being seen with ps -e (but you do need root for that).

> I wrote many years ago an openvpn plugin that would use getpwnam instead
> of that PAM crap. I believe it's still around on sourceforge.

so did Tamas, it's in ports.
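The file-descriptor hand-off proposed in the message above, as an added illustration that is not OpenVPN's or openvpn_bsdauth's code: a parent passes a constructed sample credential to a helper child over an inherited pipe with a scrubbed environment, and the same helper run in via-env style shows the secret sitting in its environment where process-listing tools can read it.

```python
import os
import subprocess
import sys

# The child stands in for the auth helper: it reads "user\npassword\n" from
# the fd named in argv[1] and reports whether that password also appears in
# its own environment. Sample values ("alice"/"hunter2") are constructed.
CHILD = r'''
import os, sys
with os.fdopen(int(sys.argv[1]), "rb") as f:
    user, _, password = f.read().rstrip(b"\n").partition(b"\n")
leaked = any(password.decode() in v for v in os.environ.values())
print("ok" if (user, password) == (b"alice", b"hunter2") else "bad")
print("leaked" if leaked else "clean")
'''


def run_auth_helper(username, password, via_env=False):
    """Spawn the helper; the credential always travels on the pipe, and
    with via_env=True it is additionally placed in the environment."""
    env = {"PATH": os.environ.get("PATH", "")}        # scrubbed environment
    if via_env:
        env.update(username=username, password=password)
    r, w = os.pipe()                                  # w stays non-inheritable
    proc = subprocess.Popen([sys.executable, "-c", CHILD, str(r)],
                            pass_fds=(r,),            # child gets only the read end
                            env=env, stdout=subprocess.PIPE)
    os.close(r)                                       # parent drops its copy
    with os.fdopen(w, "wb") as pipe:                  # close -> child sees EOF
        pipe.write(f"{username}\n{password}\n".encode())
    out, _ = proc.communicate()
    status, leak = out.decode().split()
    return {"rc": proc.returncode, "auth": status, "leaked": leak == "leaked"}


if __name__ == "__main__":
    print("via fd :", run_auth_helper("alice", "hunter2"))
    print("via env:", run_auth_helper("alice", "hunter2", via_env=True))
```

The pipe contents are never visible in the child's argv or environment, so the only remaining exposure is the one the message notes for the process image itself.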