From: Selva N. <sel...@gm...> - 2018-02-28 15:36:03
Hi,
On Wed, Feb 28, 2018 at 8:34 AM, Arne Schwabe <ar...@rf...> wrote:
> On 28.02.18 at 14:19, David Sommerseth wrote:
>> It is not recommended to use --management on a TCP port without also
>> adding a password authentication, as this can easily be abused by other
>> users or processes being able to connect to the management interface.
>>
>> Thus issue a warning that this configuration is strongly discouraged.
>>
>> Signed-off-by: David Sommerseth <da...@op...>
>> ---
>> src/openvpn/options.c | 8 ++++++++
>> 1 file changed, 8 insertions(+)
>>
>> diff --git a/src/openvpn/options.c b/src/openvpn/options.c
>> index 41a42cf2..e0c0894b 100644
>> --- a/src/openvpn/options.c
>> +++ b/src/openvpn/options.c
>> @@ -2170,6 +2170,14 @@ options_postprocess_verify_ce(const struct options *options, const struct connec
>> {
>> msg(M_USAGE, "--management-client-(user|group) can only be used on unix domain sockets");
>> }
>> +
>> + if (!(options->management_flags & MF_UNIX_SOCK)
>> + && (!options->management_user_pass))
>> + {
>> + msg(M_WARN, "WARNING: Using --management on a TCP port WITHOUT "
>> + "passwords is STRONGLY discouraged and considered insecure");
>> + }
>> +
>> #endif
>>
>> /*
>>
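Review bot: The added condition `!(options->management_flags & MF_UNIX_SOCK) && (!options->management_user_pass)` does not test that --management is in use at all. Unless an enclosing block outside the visible context already guarantees it, a configuration without --management (flag clear, no password set) would also trigger the warning. Suggest leading the condition with a check that the management interface is configured, for example `options->management_addr &&`, and dropping the redundant parentheses around `!options->management_user_pass`. The message text could also tell the user how to resolve it, namely by supplying a password file to --management.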
>
> Does not break existing configs and warns about a real problem. Some
> users of management might scream that users now get a warning where none was
> before, but honestly I don't care.
>
> @All does our own Windows UI use management and if yes does it set a
> random user/pw to connect to it?
Yes and yes.
Selva