On Sun, 6 Dec 2020 16:06:19 +0100, Arne Schwabe <a...@rfc2549.org> wrote:

> On 06.12.2020 at 14:51, Michael Kress wrote:
[..]
> > Looking at check_incoming_control_channel_dowork() makes me think,
> > if there could exist another PUSH_command that could be very
> > generic and address code in a loaded plugin? Such a plugin could
> > rewrite the local configuration file of the client.
>
> For limited communication we already have --echo and push-peer-info
> with UV_* variables.

Hm, eventually this could be used.

[..]
> > This could help admins that have to maintain a bigger VPN
> > installation.
>
> To be honest I don't see the target audience like you do. Big centrally
> administrated setups will use their existing management software for
> managing client configuration and small admins will want to avoid
> setting up a mechanism like this. Also you are assuming a trust model
> ("client has unlimited trust of server") that is generally not there.
>
> Also since we have script setup etc. and OpenVPN is often run with
> elevated privileges, a config file can be used to gain these elevated
> privileges. So this mechanism will be a potential security problem.
>
> And finally adding file management/config management feels like
> adding functionality to OpenVPN that is really outside its scope. I am
> also not aware of any other TLS or certificate based protocol that
> offers anything like this.

Yes, the Unix philosophy "one tool, one task" is a good one that this
idea would compromise.

Thanks for your honesty and time! I won't follow that idea any longer.
Eventually my view was a tad too narrow.

--
Cheers,
Michael

_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel