Am 28.02.18 um 14:19 schrieb David Sommerseth:
> It is not recommended to use --management on a TCP port without also
> adding a password authentication, as this can easily be abused by other
> users or processes being able to connect to the managmement interface.
>
> Thus issue a warning that this configuration is strongly discouraged.
>
> Signed-off-by: David Sommerseth <dav...@openvpn.net>
> ---
> src/openvpn/options.c | 8 ++++++++
> 1 file changed, 8 insertions(+)
>
> diff --git a/src/openvpn/options.c b/src/openvpn/options.c
> index 41a42cf2..e0c0894b 100644
> --- a/src/openvpn/options.c
> +++ b/src/openvpn/options.c
> @@ -2170,6 +2170,14 @@ options_postprocess_verify_ce(const struct options
> *options, const struct connec
> {
> msg(M_USAGE, "--management-client-(user|group) can only be used on
> unix domain sockets");
> }
> +
> + if (!(options->management_flags & MF_UNIX_SOCK)
> + && (!options->management_user_pass))
> + {
> + msg(M_WARN, "WARNING: Using --management on a TCP port WITHOUT "
> + "passwords is STRONGLY discouraged and considered insecure");
> + }
> +
> #endif
>
> /*
>
Does not break existing configs and warns about a real problem. Some
users of management might scream that, users now get a warning none was
before but honestely I don't care.
@All does our own Windows UI use management and if yes does it set a
random user/pw to connect to it?
Acked-By: Arne Schwabe <a...@rfc2549.org>
Arne
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
