Message ID | 20180228131918.12954-3-davids@openvpn.net |
---|---|
State | Accepted |
Series | [Openvpn-devel,1/3] man: Add .TQ groff support macro |
On 28.02.18 at 14:19, David Sommerseth wrote:
> It is not recommended to use --management on a TCP port without also
> adding a password authentication, as this can easily be abused by other
> users or processes being able to connect to the management interface.
>
> Thus issue a warning that this configuration is strongly discouraged.
>
> Signed-off-by: David Sommerseth <davids@openvpn.net>
> ---
> src/openvpn/options.c | 8 ++++++++
> 1 file changed, 8 insertions(+)
>
> diff --git a/src/openvpn/options.c b/src/openvpn/options.c > index 41a42cf2..e0c0894b 100644 > --- a/src/openvpn/options.c > +++ b/src/openvpn/options.c > @@ -2170,6 +2170,14 @@ options_postprocess_verify_ce(const struct options *options, const struct connec > { > msg(M_USAGE, "--management-client-(user|group) can only be used on unix domain sockets"); > } > + > + if (!(options->management_flags & MF_UNIX_SOCK) > + && (!options->management_user_pass)) > + { > + msg(M_WARN, "WARNING: Using --management on a TCP port WITHOUT " > + "passwords is STRONGLY discouraged and considered insecure"); > + } > + > #endif > > /* >

Does not break existing configs and warns about a real problem. Some users of management might scream that users now get a warning where none was before, but honestly I don't care.

@All does our own Windows UI use management and if yes does it set a random user/pw to connect to it?

Acked-By: Arne Schwabe <arne@rfc2549.org>

Arne
Hi,

On Wed, Feb 28, 2018 at 8:34 AM, Arne Schwabe <arne@rfc2549.org> wrote:
> On 28.02.18 at 14:19, David Sommerseth wrote:
>> It is not recommended to use --management on a TCP port without also
>> adding a password authentication, as this can easily be abused by other
>> users or processes being able to connect to the management interface.
>>
>> Thus issue a warning that this configuration is strongly discouraged.
>>
>> Signed-off-by: David Sommerseth <davids@openvpn.net>
>> ---
>> src/openvpn/options.c | 8 ++++++++
>> 1 file changed, 8 insertions(+)
>>
>> diff --git a/src/openvpn/options.c b/src/openvpn/options.c >> index 41a42cf2..e0c0894b 100644 >> --- a/src/openvpn/options.c >> +++ b/src/openvpn/options.c >> @@ -2170,6 +2170,14 @@ options_postprocess_verify_ce(const struct options *options, const struct connec >> { >> msg(M_USAGE, "--management-client-(user|group) can only be used on unix domain sockets"); >> } >> + >> + if (!(options->management_flags & MF_UNIX_SOCK) >> + && (!options->management_user_pass)) >> + { >> + msg(M_WARN, "WARNING: Using --management on a TCP port WITHOUT " >> + "passwords is STRONGLY discouraged and considered insecure"); >> + } >> + >> #endif >> >> /* >>
>
> Does not break existing configs and warns about a real problem. Some
> users of management might scream that users now get a warning where none was
> before, but honestly I don't care.
>
> @All does our own Windows UI use management and if yes does it set a
> random user/pw to connect to it?

Yes and yes.

Selva
Your patch has been applied to the master and release/2.4 branch.

commit 4db7715a3aa62f2e8d8234c1852fb141f62318e2 (master)
commit ab218befec67dc0f5bb08973d2ec3476350f9ab3 (release/2.4)
Author: David Sommerseth
Date: Wed Feb 28 14:19:18 2018 +0100

    management: Warn if TCP port is used without password

    Signed-off-by: David Sommerseth <davids@openvpn.net>
    Acked-by: Gert Doering <gert@greenie.muc.de>
    Message-Id: <20180228131918.12954-3-davids@openvpn.net>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg16574.html
    Signed-off-by: Gert Doering <gert@greenie.muc.de>

--
kind regards,

Gert Doering
diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 41a42cf2..e0c0894b 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -2170,6 +2170,14 @@ options_postprocess_verify_ce(const struct options *options, const struct connec { msg(M_USAGE, "--management-client-(user|group) can only be used on unix domain sockets"); } + + if (!(options->management_flags & MF_UNIX_SOCK) + && (!options->management_user_pass)) + { + msg(M_WARN, "WARNING: Using --management on a TCP port WITHOUT " + "passwords is STRONGLY discouraged and considered insecure"); + } + #endif /*
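Review bot: The condition in the added if tests only that MF_UNIX_SOCK is clear and that management_user_pass is unset, and nothing in the visible lines requires that --management was given at all; both sub-conditions also hold for a configuration that has no management interface. Unless an enclosing check outside this hunk guarantees it, guard the warning on the management address being configured, so it is printed only for setups that actually open a TCP management port. A one-line comment above the block saying why this is M_WARN rather than M_USAGE like the check just before it (existing configs keep working) would also help the next reader.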
It is not recommended to use --management on a TCP port without also adding a password authentication, as this can easily be abused by other users or processes being able to connect to the management interface.

Thus issue a warning that this configuration is strongly discouraged.

Signed-off-by: David Sommerseth <davids@openvpn.net>

---
 src/openvpn/options.c | 8 ++++++++
 1 file changed, 8 insertions(+)
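The same condition can be checked offline against configuration files before they are deployed. The following is an added example, not code from OpenVPN or from this thread: it assumes the documented directive forms `management IP port [pw-file]` and `management socket-name unix [pw-file]`, and the function name, status strings and sample config are constructed for illustration.

```python
import shlex

# Constructed sample: several management lines stacked as test cases.
SAMPLE_CONFIG = """\
# constructed sample, not from the thread
dev tun
management 127.0.0.1 7505
management 127.0.0.1 7506 /etc/openvpn/mgmt.pw
management /run/openvpn/mgmt.sock unix
;management 10.0.0.1 7507
management-client-user root
"""


def audit_management(config_text):
    """Classify every 'management' directive in an OpenVPN config.

    Returns a list of (line_number, status). 'tcp-no-password' is the
    case the patch warns about: a TCP management port with no pw-file.
    """
    findings = []
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line[0] in "#;":        # blank or commented out
            continue
        try:
            tokens = shlex.split(line, comments=True)
        except ValueError:                      # unbalanced quotes
            continue
        # Accept the config form and the --management command-line form,
        # but not look-alikes such as management-client-user.
        if not tokens or tokens[0].lstrip("-") != "management":
            continue
        args = tokens[1:]
        if len(args) < 2:
            findings.append((line_no, "malformed"))
        elif args[1] == "unix":
            findings.append((line_no, "unix-socket"))
        elif len(args) >= 3:
            findings.append((line_no, "tcp-with-password"))
        else:
            findings.append((line_no, "tcp-no-password"))
    return findings


if __name__ == "__main__":
    for line_no, status in audit_management(SAMPLE_CONFIG):
        print(f"line {line_no}: {status}")
```

Because the audit starts from the presence of a `management` directive, a configuration without one produces no finding.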