On Mon, Dec 12, 2016 at 3:09 AM, Samuli Seppänen <sam...@openvpn.net> wrote:
> On 11/12/2016 19:52, Selva Nair wrote:
>
>>
>> On Sun, Dec 11, 2016 at 12:00 PM, debbie10t <debbie...@gmail.com
>> <mailto:debbie...@gmail.com>> wrote:
>>
>> What happens if a remote user, who has admin access to their own
>> computer, connects to a work VPN but they decide to change said
>> config ?
>>
>>
>> A user who has admin access to their own computer can do anything to it:
>> including saving VPN passwords. Why would openvpn stop them doing that?
>> The question was about a sysadmin of an office not allowing their users
>> to save their openvpn passwords in an automated way. There is no way of
>> ensuring that if the user has admin access on their devices. Note that
>> password is saved on the client, not the server.
>>
>
> There are many ways to circumvent password saving restrictions
> if the enforcement is supposed to happen on the client side.
>
The server cannot enforce what a user does with his password, can it?
Unless one uses some kind of OTP so that there is no savable password
so to speak.
>
> Some years back I used xdotool[1] to manage keyboard input and mouse
> movements to automate otherwise unautomateable things. While it's a
> crude approach, it could be easily used to automate password typing and
> mouse clicks. I'm sure similar tools are available for Windows.
>
Yeah, policies like no saving of passwords can be enforced only with user
co-operation.

But our prerogative here is to just provide a way for an admin to reliably
disable the password-save feature in the GUI. The question is how strong is
the case for something like that. I can see that if an establishment has a
policy that asks users not to save passwords, it won't be appropriate to
have UIs with enticing check-boxes to save passwords. Users installing a
hacked GUI or using automated key-strokes would be beyond us.

Selva
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel