Hi,
Thanks for summarising the status and proposals for echo commands.
Comments below are based on what I have implemented in the
OpenVPN Windows GUI (Windows GUI in the following) and some
changes I've been working on. I refer to the client openvpn process
as the daemon or client daemon and the UI as Windows GUI or GUI.
On Sat, Nov 25, 2017 at 10:24 AM, Jonathan K. Bullard <jkbull...@gmail.com>
wrote:
> Inspired by a thread [1] about sending a message from the server to
> the client's GUI (and then displaying it to the user), I would like to
> discuss standardizing the management interface's "echo" commands. It
> would be nice if the OpenVPN Windows GUI, Tunnelblick, and other GUIs
> implemented the commands in a compatible way.
>
> Although this may be of interest to the OpenVPN developers, I think it
> is mostly of interest to OpenVPN users. (There isn't a list for
> "OpenVPN administrators", which would be the best target.)
>
>
> CURRENT STATUS OF THE ECHO COMMANDS
>
> Tunnelblick (I'm the developer) does not do anything with "echo"
> commands; it doesn't ask the management interface for them.
>
> According to an email in the above-referenced thread from Selva Nair,
> the OpenVPN Windows GUI currently implements the following:
>
> - "echo forget-passwords": delete passwords internally saved by the GUI
> but do not disable the password save feature. Useful when pushed
> from the server so that it gets processed after authentication. Also
> see management-notes.txt in openvpn docs.
>
> - "echo save-passwords": enables private-key and auth-user-pass
> passwords to be saved. Will be effective at startup only if present in
> the config file. If pushed from the server, will get used for subsequent
> password prompts. Essentially this has the effect of presenting the
> password dialogs to the user with save-password checkbox selected. The
> user may still uncheck it during the dialog.
>
> And the following are being considered:
>
> - "echo disable-save-passwords": stops the user from being able to
> save passwords.
>
> - "echo setenv": sets an environment variable for use by scripts.
>
>
> QUESTIONS ABOUT THE OPENVPN WINDOWS GUI:
>
> 1. In the OpenVPN Windows GUI, do "forget-passwords",
> "save-passwords", and "disable-save-passwords" only affect
> auth-user-pass passwords, or do they also affect auth-user-pass
> usernames and private-key passwords?
>
Both auth-user-pass and private key passwords are affected by each
of those commands. Currently the Windows GUI unconditionally saves
the username but that can and may change. So let's say those commands
affect all passwords and possibly username.
Should we support a more fine-grained set of commands as well? Say:
echo save-auth-username
echo save-auth-password
echo save-private-key-password
etc., in addition to the blanket 'echo save-passwords' ? I do not think so.
>
> 2. Does OpenVPN Windows GUI send OpenVPN a "forget-passwords"
> command via the management interface when it receives an "echo
> forget-passwords" command? (Note: there are two different
>
No, it does not.
> "forget-passwords" commands, each in a different direction: a
> "forget-passwords" command from the GUI to the OpenVPN client, and an
> "echo forget-passwords" command from the OpenVPN client to the GUI.)
>
The Windows GUI considers the password saving in openvpn client daemon
to be completely decoupled from that in the GUI itself. Just as
auth-nocache in the config has no effect on the password saving feature
of the GUI, 'echo forget-passwords' does not trigger a 'forget-passwords'
directive from the GUI to the client daemon.
The 'forget-passwords' command can still be sent from the GUI to the
client daemon based on some preferences setting of the GUI or explicit
user action. AFAIK, the Windows GUI does not have an option to do that.
> 3. How would the "setenv" command work? Would it be done by
> modifying OpenVPN itself to add a management interface command for the
> GUI to tell OpenVPN to set an environment variable for scripts,
> similar to the way the OpenVPN --setenv option works? OpenVPN itself
> seems to be designed to protect the client computer from the server as
> well as the other way around. (For example,"--pull-filter ignore".) An
> "echo setenv" command would break that protection if it modifies
> variables which have been set by "setenv" in the configuration file or
> --setenv in the command line.
>
What is proposed is 'echo "setenv x y"' to set env variables in the GUI
(actually in the scripts run by the GUI -- see below).
I view all echo directives as aimed at the GUI and thus do not require any
support from the daemon. I suppose you have a different usage in mind.
Note that it is already possible for the server to set env variables in the
client daemon by pushing 'setenv-opt'.
In other words, no change in openvpn daemon is needed as the effect is to
have env variables set in script processes directly run by the GUI, not
those run by openvpn daemon. Thus, these variables are totally independent
of those set in the daemon itself by 'setenv' and 'setenv-opt' directives,
but some of the safety features used there could be borrowed (see below):
The GUI will receive the echo command as
ECHO,1101519562,setenv name value
which the GUI will use to define an env variable "mangled(x) = y" in a
connection specific env-set. I propose to mangle the name as OPENVPN_x
as done for setenv-opt in the daemon. In that sense, an admin could think
of 'echo setenv ...' as the same as 'setenv-opt ...' but the former being
directed to the GUI, the latter to the client daemon.
Here is the commit message for this in my working branch for Windows GUI
(not yet in the official repo). Note that here 'process' means the GUI
process, 'script' means a script run by the GUI etc.
Support for 'setenv name var' using echo
- Support connection specific env variables. These are merged
with the process environment strings and passed to scripts.
- To set an env variable, use 'echo "setenv name var"' in the config
or push from the server. This will set "OPENVPN_name=var" in
the connection's env set. Note that "name" is mangled as
"OPENVPN_name" to avoid servers overwriting sensitive variables
such as PATH. Variables are set in the order received and duplicates
removed.
- Environment variable names are allowed to contain only alphanumeric
characters and underscore as in openvpn.exe. But, unlike openvpn.exe,
invalid names are ignored, not sanitized.
Note: when the env set is merged with process environment, the
connections env set is listed first, but any duplicates in the
process environment are not removed.
My current implementation for Windows is here:
https://github.com/selvanair/openvpn-gui/commit/ea9dc3d515537553443826f97ec21427f7f9a8e5
Use case: in a local setup I use this to pass the name of a file-server to
the "up-script" run by the GUI so that some drives could be mapped as
the user.
eg., server pushes:
echo "setenv smb_server acme-fs1.acme.local"
echo "setenv shares common projects docs"
and the up-script interprets them.
>
> 4. Does "echo save-passwords" override a (presumed) global setting
> that disables it?
>
Good question. I think the current implementation on Windows does
allow this directive to override the global setting, though this was not by
explicit intent. I have to double-check this.
I would think that any global setting (if supported by the GUI)
should not be overridden by directives pushed from the server. But
considering that this echo command could also be in the config and
its intent may be to enable save-passwords on a per config basis, some
may want to allow it.
That said, this is an implementation detail: on the Windows GUI, the
global setting to disable-save-passwords is a single registry value and
applies to all configs.
>
> 5. Will "echo disable-save-passwords" override a (presumed) global
> setting that enables it?
>
Windows GUI has no global setting to explicitly enable save-passwords --
i.e., it is enabled by default. The echo directive 'disable-save-passwords'
would disable it for the particular config independent of any global
settings.
> COMMENTS ABOUT TUNNELBLICK:
>
> A. Tunnelblick can/will implement "echo disable-save-passwords"
> (in addition to Tunnelblick's existing mechanism for doing so). The
> user will not have a way to override this (even a user who is a
> computer administrator, but I want to think more about that and may
> change my mind). It would also forget saved passwords as if the "echo
> forget-passwords" had been received, because that is what the OpenVPN
> Windows GUI will do (according to Selva).
>
Yes, in my implementation, when disable-save-passwords is received, the
Windows GUI will forget any saved passwords and then disable the
feature. Looks like the sensible thing to do.
>
> B. Tunnelblick can/will implement "echo forget passwords" but I
> need clarification of exactly which "passwords" it affects (see
> question 1, above) and whether Tunnelblick should instruct OpenVPN to
> forget passwords, too. I'm leaning toward doing that because I don't
> think there is any other way for the server to tell the OpenVPN client
> to forget its passwords, so it could be useful.
>
Currently openvpn daemon will forget all passwords on receiving that
command from the GUI. This could affect correct operation of auth-token,
so be careful with this unless Tunnelblick handles auth-token by itself.
The Windows GUI does not save auth-token (not yet).
In other words, if you do this, a server that uses auth-token will have
difficulty in asking the GUI to forget passwords but not to erase
saved auth-token in the client daemon.
>
> C. Tunnelblick can/will implement "echo save-passwords" only for
> configurations that are not set up to *disallow* it.
>
This makes sense. I would like to ensure the same in Windows
GUI too.
>
> D. Tunnelblick can/will implement "echo setenv" assuming the
> management interface is modified to implement a command to do it or
> there is some other acceptable way to do it securely.
>
See comments above.
>
> E. Tunnelblick's settings can affect all configurations or
> individual configurations, and each setting can be "protected" so that
> only a computer administrator can change it. That protection is set up
> when Tunnelblick or the configuration is installed.
>
Sounds good.
>
> [1] https://sourceforge.net/p/openvpn/mailman/openvpn-users/thread/20171120151612.nbipfbmui74pdadn%40charite.de/#msg36130244
Thanks,
Selva
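The 'echo setenv' handling discussed above (ECHO line parsing, name validation, OPENVPN_ mangling, ordered duplicate removal, and merging with the process environment), as an added example that is not part of the email or of the openvpn-gui code; the sample ECHO lines are constructed, and the choice that a later duplicate replaces the earlier value is an assumption, not something the thread states.

```python
import re

# Only alphanumerics and underscore are allowed in a name (as the commit
# message states); an invalid name is ignored, not sanitized.
_VALID_NAME = re.compile(r"^[A-Za-z0-9_]+$")

def parse_echo_line(line):
    """Split 'ECHO,<timestamp>,<text>' into (timestamp, text); None if malformed."""
    parts = line.strip().split(",", 2)
    if len(parts) != 3 or parts[0] != "ECHO" or not parts[1].isdigit():
        return None
    return int(parts[1]), parts[2]

def apply_setenv(env_set, text):
    """Handle the 'setenv name value' echo text for one connection.

    env_set is an insertion-ordered dict. The name is mangled to
    OPENVPN_<name> so a pushed value can never replace PATH and the like.
    Assumption (not on the page): a later duplicate overwrites the earlier
    value in place. Returns True if set, False if the text was ignored.
    """
    fields = text.split(None, 2)
    if len(fields) < 2 or fields[0] != "setenv":
        return False
    name = fields[1]
    value = fields[2] if len(fields) == 3 else ""
    if not _VALID_NAME.match(name):
        return False                      # invalid name: ignored
    env_set["OPENVPN_" + name] = value
    return True

def build_env_set(echo_lines):
    """Apply every well-formed setenv echo in the order received."""
    env_set = {}
    for line in echo_lines:
        parsed = parse_echo_line(line)
        if parsed is not None:
            apply_setenv(env_set, parsed[1])
    return env_set

def merged_environment(env_set, process_env):
    """Connection env set first, then the process environment; a process
    entry that collides with a mangled name is kept, as the page says."""
    return list(env_set.items()) + list(process_env.items())

# Constructed sample: the two pushes from the use case, a name with a dot
# (rejected), a duplicate of smb_server, and a non-setenv echo (skipped).
SAMPLE_ECHO_LINES = [
    "ECHO,1101519562,setenv smb_server acme-fs1.acme.local",
    "ECHO,1101519563,setenv shares common projects docs",
    "ECHO,1101519564,setenv bad.name x",
    "ECHO,1101519565,setenv smb_server acme-fs2.acme.local",
    "ECHO,1101519566,forget-passwords",
]
```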