On Tuesday 28 February 2012 722:09:13 Carsten Krüger wrote:
> DS> Heiko can probably give a much better answer, but if I remember right,
> DS> the argument was this:  Think of a multi-user setup (like a Terminal
> DS> Server), the management interface will be accessible for all users on
> DS> that server.
> 
> a) Who an earth allows users on a terminal server to create VPN-sessions?
> What happens if one of the sessions use redirect gateway?
> All users are redirected?

That was actually an open question. I don't know if TS manages per session 
routing tables and haven't tried. However it was only an example and thus 
didn't have to make any practical sense. =)
 
> I don't think that this is a valid point.

The thing is that you need a second communication channel for requesting 
privileged operations. The management interface won't do, because the GUI 
(hopefully) runs with an unprivileged token. So the distinction between both 
is:

  * mgmt itf for interactive communication with the user 
  * privilege channel for requesting operations that require elevation
 
> Privilege seperation in openvnp deamon is nice, but is a complete
> different thing than management interface access.

It is, you got it right.

> In openvpn case it should be something like this:
> openvpnserv.exe running as a service, has no privileges and opens
> management interface
> openvpnhelpserv.exe running as a service has network operator rights
> (no need for local system ...)
> 
> openvpnserv and openvpnhelpserv could communicate via pipe.
> 
> openvpn-management client (could be a perl script) connects to
> management interface of openvpnserv.exe to start/stop a tunnel and
> supply secrets.

You forgot the GUI in this picture. If the service is connected to the 
management interface the GUI can't connect anymore. It need to to get things 
done, though.
 
> DS> And how this is implemented, the OpenVPN Service will be started
> DS> automatically.  The GUI contacts the Service and the service starts the
> DS> OpenVPN process with the privileges of the GUI user (IIRC, it was some
> DS> neat Windows functions which allows to create processes with privileges
> DS> based upon the user credentials of the other side of the named pipe).
> 
> The sounds very bad.
> The service shouldn't create processes in the name of the user.

Interesting, could you elaborate?

> DS> This service should be able to (for now only in theory; it has not been
> DS> tested yet) handle more users simultaneously.
> 
> Pretty useless, see above

Not users, really. More like session. So you can connect to different server 
simultaneously. Of course this could be used by two different users at the 
same time or different impersonations in the same session, while still running 
ovpn with the credentials of the entity who started openvpn. So the point 
isn't really that many user can connect, but that the running sessions will be 
isolated from each other by the service.

Regards
Heiko
-- 
Heiko Hund | Software Engineer | Phone +49-721-25516-237 | Fax -200
Astaro a Sophos Company | Amalienbadstr. 41 Bau 52 | 76227 Karlsruhe | Germany
Commercial Register: Mannheim HRA 702710 | Headquarter Location: Karlsruhe
 
Represented by the General Partner Astaro Verwaltungs GmbH
Amalienbadstraße 41 Bau 52 | 76227 Karlsruhe | Germany 
Commercial Register: Mannheim HRB 708248 | Executive Board: Gert Hansen,
Markus Hennig, Jan Hichert, Günter Junk, Dr. Frank Nellissen


Reply via email to