2017-11-21 21:32 GMT+05:00 Selva <selva.n...@gmail.com>:
> Hi,
>
> On Tue, Nov 21, 2017 at 10:32 AM, fragmentux <fragmen...@gmail.com> wrote:
>
>>
>>
>> On 21/11/17 13:20, Gert Doering wrote:
>>
>>> Hi,
>>>
>>> On Tue, Nov 21, 2017 at 12:10:05PM +0000, fragmentux wrote:
>>>
>>>> Could this happen: --pull-filter ignore "echo disable-password-save" ..
>>>>
>>>> Or is the string processed prior to the --pull-filter ?
>>>>
>>>
>>> A user who is able to modify his local config can do anything he
>>> wants, including reading username+password from a clear text file.
>>>
>>> So, while pull-filter will make openvpn ignore incoming "echo" statements,
>>> it has no relevance to the password saving and "who decides?" discussion.
>>>
>>> (A user who has *admin* rights could even install his own openvpn binary
>>> which does whatever he wants)
>>>
>>>
>> Presume that the user does not have admin rights :
>>
>> A non-admin user could copy the admin protected config file from \program
>> files\openvpn\config -to- \users\$user\openvpn\config and modify it to
>> include the --pull-filter.
>>
>
> Will not work in 2.4 unless the user is in OpenVPN Administrators
> group which requires admin's blessings OR runs openvpn without using
> the interactive service which will fail to add routes unless the user has
> admin rights. (Some installations that need no extra routes may work
> without needing the service or admin rights, though.)
>
> That said, a limited user can install "his" own custom GUI in a private
> folder and bypass global settings and any echo directives. Custom GUI will not
> bypass the above mentioned validation as that is imposed by the service.
> Anyway, the purpose of these options is to help the user and admin to
> establish and convey some policies, not to enforce them.
>
> I generally encourage users to save passwords, lest they paste a
> password stickie on the monitor. But sometimes it's prudent not to
> save passwords (laptops in the wild, for example) and instead of
> burdening the user to remember this, I prefer not to show
> the password save checkbox. Pushing echo disable-save-passwords
> from ccd (or even echo forget-passwords) comes in handy in such cases.
> By the way the former is still a proposed feature not present in any
> released version.
>
Security approach has changed recently:
https://www.theverge.com/2017/8/7/16107966/password-tips-bill-burr-regrets-advice-nits-cybersecurity
It is no good to require periodic password change anymore.
It is good to use a password manager.
>
>> The commit message states:
>>> Note: echo commands are processed as and when they are received and in
>>> the order received.
>>
>> With --pull-filter in place should that read *if* and when they are
>> received ?
>
>
> "If" is implied by "as and when" -- if not received there is nothing to
> process.
> Here "received" refers to "received by the GUI" as this is a patch for the
> GUI. That requires the pulled echo to pass through pull-filter and option
> parsing. Only after that it gets sent to the management interface by
> openvpn and is received by the GUI.
>
> Selva
>
> ------------------------------------------------------------
> ------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> _______________________________________________
> Openvpn-users mailing list
> Openvpn-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/openvpn-users
>
>
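An added example, not part of the thread and not OpenVPN or GUI code: a small audit that reports which pushed echo directives a client config's pull-filter lines would drop before they reach option parsing and the GUI. It assumes the documented --pull-filter behaviour (prefix match, filters applied in config order, first match wins, unmatched options accepted); the function names and the sample config are constructed for illustration.

```python
import shlex

# Constructed sample: a user-editable client config carrying a filter like the
# one asked about in the thread, plus an earlier, more specific accept rule.
SAMPLE_CONFIG = '''\
client
remote vpn.example.com 1194
pull-filter accept "echo forget"
pull-filter ignore "echo"
# pull-filter ignore "route"
'''

def parse_pull_filters(config_text):
    """Return [(action, text)] for each pull-filter line, in config order."""
    filters = []
    for line in config_text.splitlines():
        try:
            tokens = shlex.split(line, comments=True)  # drops '#' comments
        except ValueError:
            continue  # unbalanced quotes: not a usable directive
        if len(tokens) == 3 and tokens[0].lstrip("-") == "pull-filter":
            # Collapse runs of whitespace so the prefix comparison is stable.
            filters.append((tokens[1], " ".join(tokens[2].split())))
    return filters

def verdict(option, filters):
    """First filter whose text is a prefix of the option decides its fate."""
    option = " ".join(option.split())
    for action, text in filters:
        if option.startswith(text):
            return action
    return "accept"  # unmatched options are accepted by default

def suppressed_directives(config_text, expected):
    """Pushed directives that are filtered out and so never reach the GUI."""
    filters = parse_pull_filters(config_text)
    return [opt for opt in expected if verdict(opt, filters) != "accept"]

if __name__ == "__main__":
    # Directive names as written in the thread.
    expected = ["echo disable-save-passwords", "echo forget-passwords"]
    for opt in suppressed_directives(SAMPLE_CONFIG, expected):
        print("filtered before reaching the GUI:", opt)
```
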