From: Alon Bar-L. <alo...@gm...> - 2007-06-08 13:54:08

As you figured it out... This is not wise in terms of security.
So I am sorry, but I don't think this should be supported.
Especially when you can achieve the same via the management interface.

Best Regards,
Alon Bar-Lev.

On 6/8/07, Richard Hartmann <ric...@go...> wrote:
> Hi all,
>
> I am setting up a test case where the user is supposed to plug in his
> USB token before booting. Once he boots up and prior to him logging in
> to Windows, I need to establish an OpenVPN connection to our
> aggregator.
>
> To do this, I am using a 'solution' where I abuse a netcat connection
> to cat the PIN to the token into OpenVPN. My request would be to do
> one or more of the following:
>
> 1) Make OpenVPN aware that it could use the passphrase received via
> --askpass not only as private key _passphrase_, but as private key
> _PIN_. (One could argue that this is a bug)
>
> 2) Offer --askpin [file], same as --askpass
>
> 3) Offer not only pkcs11-pin-cache, but also pkcs11-pin-value or similar
>
> I am fully aware that this is a potential security risk and thus I
> would suggest using the same approach as with using --askpass via
> file: Make it a compile time option. In 99% of the cases, you do _not_
> want the user to be able to do it this way. But when someone really
> knows what he does, why he does and is aware of the implications,
> there should be a way to make this work without pain.
>
> FYI, I am using 2.1 RC 4. If this issue has been addressed in head,
> please let me know. Also, if this is the wrong place for this, please
> tell me where to direct feature requests, I could not find any other
> place.
>
> Best regards,
> Richard