Feature #797
Build OpenVPN package with "--enable-password-save" configure option
| Status: | New | Start date: | 11/03/2011 |
|---|---|---|---|
| Priority: | Normal | Due date: | |
| Assignee: | - | % Done: | 0% |
| Category: | Aports | Target version: | - |
Description
OpenVPN supports reading a user/pass from a file (via auth-user-pass) if it is built with the --enable-password-save configure option. Currently it is not.
History
Updated by Natanael Copa 7 months ago
- Category set to Aports
Some bells are ringing. I wonder if this is one of the options that is normally disabled for a good reason.
What are the drawbacks of enabling this?
Updated by Joe Sixpack 7 months ago
Natanael Copa wrote:
> Some bells are ringing. I wonder if this is one of the options that is normally disabled for a good reason.
> What are the drawbacks of enabling this?
To my knowledge, the only reason this is off by default is that it gives you the option to save the username and password in a textfile in cleartext.
Updated by Joe Sixpack 7 months ago
Joe Sixpack wrote:
> Natanael Copa wrote:
> > Some bells are ringing. I wonder if this is one of the options that is normally disabled for a good reason.
> > What are the drawbacks of enabling this?
>
> To my knowledge, the only reason this is off by default is that it gives you the option to save the username and password in a textfile in cleartext.
Just found this thread which pretty much says the same thing. The OpenVPN developers think that users should not do this, so they disable it.
Updated by Nathan Angelacos 7 months ago
(Disclaimer: I personally agree with the analogy in the openvpn.net thread above)
Alpine Linux has always been more "security-by-default" than "easy-to-use" by nature.
Would be interesting to know if there's any other major distro that /does/ enable --enable-password-save.
1 vote for making the acf-openssl CA easier to use. People should be using certificates with VPNs, not passwords. I think our time would be better spent making it easier for people to "do the right thing."
Updated by Joe Sixpack 7 months ago
Nathan Angelacos wrote:
> (Disclaimer: I personally agree with the analogy in the openvpn.net thread above)
> Alpine Linux has always been more "security-by-default" than "easy-to-use" by nature.
> Would be interesting to know if there's any other major distro that /does/ enable --enable-password-save.
> 1 vote for making the acf-openssl CA easier to use. People should be using certificates with VPNs, not passwords. I think our time would be better spent making it easier for people to "do the right thing."
I totally agree that user/pass authentication stinks, unfortunately I have to connect to a VPN that uses it. :/ I'm trying to keep the VPN up 24/7, which I can't do if the box reboots etc. It works now, but if something happens I have to SSH in and start the VPN manually. That's how the whole thing came about.
Updated by Joe Sixpack 7 months ago
Nathan Angelacos wrote:
> (Disclaimer: I personally agree with the analogy in the openvpn.net thread above)
> Alpine Linux has always been more "security-by-default" than "easy-to-use" by nature.
> Would be interesting to know if there's any other major distro that /does/ enable --enable-password-save.
> 1 vote for making the acf-openssl CA easier to use. People should be using certificates with VPNs, not passwords. I think our time would be better spent making it easier for people to "do the right thing."
Also, fwiw the VPN I have to connect to uses a client certificate as well as requiring username/password :-/
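
Added example, not part of the original thread and not code from OpenVPN or Alpine: the drawback named above is a cleartext username/password file, so where a build does accept `auth-user-pass <file>`, this Python check finds each such file referenced by a config and flags any that is readable by anyone other than its owner. The function names, the sample file names `client.ovpn` and `login.conf`, the sample credentials, and the choice to resolve relative paths against the config's directory are assumptions made for the example.

```python
import os
import shlex
import stat
import tempfile

def credential_files(config_path):
    """Yield the file argument of each auth-user-pass directive in an OpenVPN config."""
    base = os.path.dirname(os.path.abspath(config_path))
    with open(config_path, encoding="utf-8") as fh:
        for line in fh:
            line = line.strip()
            if not line or line[0] in "#;":        # blank line or comment
                continue
            words = shlex.split(line, comments=True)
            # Without a file argument OpenVPN prompts, so nothing is stored on disk.
            if len(words) >= 2 and words[0] == "auth-user-pass":
                # Assumption: relative paths resolve against the config's directory.
                yield os.path.join(base, words[1])

def audit(config_path):
    """Return (path, problem) pairs for credential files exposed beyond their owner."""
    findings = []
    for path in credential_files(config_path):
        try:
            st = os.lstat(path)                     # lstat: do not follow symlinks
        except FileNotFoundError:
            findings.append((path, "missing"))
            continue
        if not stat.S_ISREG(st.st_mode):
            findings.append((path, "not a regular file"))
        elif st.st_mode & 0o077:
            findings.append((path, "group/other access, mode %04o" % stat.S_IMODE(st.st_mode)))
    return findings

def demo():
    """Audit a constructed config before and after tightening the file to 0600."""
    with tempfile.TemporaryDirectory() as d:
        cred, conf = os.path.join(d, "login.conf"), os.path.join(d, "client.ovpn")
        with open(cred, "w") as fh:
            fh.write("example-user\nexample-password\n")   # constructed sample values
        os.chmod(cred, 0o644)
        with open(conf, "w") as fh:
            fh.write("; constructed sample config\nclient\nauth-user-pass login.conf\n")
        before = audit(conf)
        os.chmod(cred, 0o600)
        return before, audit(conf)

if __name__ == "__main__":
    print(demo())
```

A mode of 0600 only limits who can read the file on a running system; the password is still stored in cleartext, which is the concern raised in the thread.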