[Openvpn-devel,3/3] management: Warn if TCP port is used without password

Message ID 20180228131918.12954-3-davids@openvpn.net
State Accepted
Headers show
Series
  • [Openvpn-devel,1/3] man: Add .TQ groff support macro
Related show

Commit Message

David Sommerseth Feb. 28, 2018, 1:19 p.m.
It is not recommended to use --management on a TCP port without also
adding a password authentication, as this can easily be abused by other
users or processes being able to connect to the managmement interface.

Thus issue a warning that this configuration is strongly discouraged.

Signed-off-by: David Sommerseth <davids@openvpn.net>
---
 src/openvpn/options.c | 8 ++++++++
 1 file changed, 8 insertions(+)

Comments

Arne Schwabe Feb. 28, 2018, 1:34 p.m. | #1
Am 28.02.18 um 14:19 schrieb David Sommerseth:
> It is not recommended to use --management on a TCP port without also
> adding a password authentication, as this can easily be abused by other
> users or processes being able to connect to the managmement interface.
> 
> Thus issue a warning that this configuration is strongly discouraged.
> 
> Signed-off-by: David Sommerseth <davids@openvpn.net>
> ---
>  src/openvpn/options.c | 8 ++++++++
>  1 file changed, 8 insertions(+)
> 
> diff --git a/src/openvpn/options.c b/src/openvpn/options.c
> index 41a42cf2..e0c0894b 100644
> --- a/src/openvpn/options.c
> +++ b/src/openvpn/options.c
> @@ -2170,6 +2170,14 @@ options_postprocess_verify_ce(const struct options *options, const struct connec
>      {
>          msg(M_USAGE, "--management-client-(user|group) can only be used on unix domain sockets");
>      }
> +
> +    if (!(options->management_flags & MF_UNIX_SOCK)
> +        && (!options->management_user_pass))
> +    {
> +        msg(M_WARN, "WARNING: Using --management on a TCP port WITHOUT "
> +            "passwords is STRONGLY discouraged and considered insecure");
> +    }
> +
>  #endif
>  
>      /*
> 

Does not break existing configs and warns about a real problem. Some
users of management might scream that, users now get a warning none was
before but honestely I don't care.

@All does our own Windows UI use management and if yes does it set a
random user/pw to connect to it?


Acked-By: Arne Schwabe <arne@rfc2549.org>

Arne

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
Selva Nair Feb. 28, 2018, 3:35 p.m. | #2
Hi,

On Wed, Feb 28, 2018 at 8:34 AM, Arne Schwabe <arne@rfc2549.org> wrote:
> Am 28.02.18 um 14:19 schrieb David Sommerseth:
>> It is not recommended to use --management on a TCP port without also
>> adding a password authentication, as this can easily be abused by other
>> users or processes being able to connect to the managmement interface.
>>
>> Thus issue a warning that this configuration is strongly discouraged.
>>
>> Signed-off-by: David Sommerseth <davids@openvpn.net>
>> ---
>>  src/openvpn/options.c | 8 ++++++++
>>  1 file changed, 8 insertions(+)
>>
>> diff --git a/src/openvpn/options.c b/src/openvpn/options.c
>> index 41a42cf2..e0c0894b 100644
>> --- a/src/openvpn/options.c
>> +++ b/src/openvpn/options.c
>> @@ -2170,6 +2170,14 @@ options_postprocess_verify_ce(const struct options *options, const struct connec
>>      {
>>          msg(M_USAGE, "--management-client-(user|group) can only be used on unix domain sockets");
>>      }
>> +
>> +    if (!(options->management_flags & MF_UNIX_SOCK)
>> +        && (!options->management_user_pass))
>> +    {
>> +        msg(M_WARN, "WARNING: Using --management on a TCP port WITHOUT "
>> +            "passwords is STRONGLY discouraged and considered insecure");
>> +    }
>> +
>>  #endif
>>
>>      /*
>>
>
> Does not break existing configs and warns about a real problem. Some
> users of management might scream that, users now get a warning none was
> before but honestely I don't care.
>
> @All does our own Windows UI use management and if yes does it set a
> random user/pw to connect to it?

Yes and yes.

Selva

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
Gert Doering March 1, 2018, 8:31 a.m. | #3
Your patch has been applied to the master and release/2.4 branch.

commit 4db7715a3aa62f2e8d8234c1852fb141f62318e2 (master)
commit ab218befec67dc0f5bb08973d2ec3476350f9ab3 (release/2.4)
Author: David Sommerseth
Date:   Wed Feb 28 14:19:18 2018 +0100

     management: Warn if TCP port is used without password

     Signed-off-by: David Sommerseth <davids@openvpn.net>
     Acked-by: Gert Doering <gert@greenie.muc.de>
     Message-Id: <20180228131918.12954-3-davids@openvpn.net>
     URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg16574.html
     Signed-off-by: Gert Doering <gert@greenie.muc.de>


--
kind regards,

Gert Doering


------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot

Patch

diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index 41a42cf2..e0c0894b 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -2170,6 +2170,14 @@  options_postprocess_verify_ce(const struct options *options, const struct connec
     {
         msg(M_USAGE, "--management-client-(user|group) can only be used on unix domain sockets");
     }
+
+    if (!(options->management_flags & MF_UNIX_SOCK)
+        && (!options->management_user_pass))
+    {
+        msg(M_WARN, "WARNING: Using --management on a TCP port WITHOUT "
+            "passwords is STRONGLY discouraged and considered insecure");
+    }
+
 #endif
 
     /*