Feature #797
Build OpenVPN package with "--enable-password-save" configure option
| Status: | Closed | Start date: | 11/03/2011 |
|---|---|---|---|
| Priority: | Normal | Due date: | |
| Assignee: | - | % Done: | 100% |
| Category: | Aports | | |
| Target version: | Alpine 2.6.1 | | |
Description
OpenVPN supports reading a user/pass from a file (via auth-user-pass) if it is built with the --enable-password-save configure option. Currently it is not.
Associated revisions
main/openvpn: upgrade to 2.3.0
fixes #797
History
#1
Updated by Natanael Copa over 1 year ago
- Category set to Aports
Some bells are ringing. I wonder if this is one of the options that is normally disabled for a good reason.
What are the drawbacks of enabling this?
#2
Updated by Joe Sixpack over 1 year ago
Natanael Copa wrote:
> Some bells are ringing. I wonder if this is one of the options that is normally disabled for a good reason.
> What are the drawbacks of enabling this?

To my knowledge, the only reason this is off by default is that it gives you the option to save the username and password in a text file in cleartext.
#3
Updated by Joe Sixpack over 1 year ago
Joe Sixpack wrote:
> Natanael Copa wrote:
> > Some bells are ringing. I wonder if this is one of the options that is normally disabled for a good reason.
> > What are the drawbacks of enabling this?
>
> To my knowledge, the only reason this is off by default is that it gives you the option to save the username and password in a text file in cleartext.

Just found this thread which pretty much says the same thing. The OpenVPN developers think that users should not do this, so they disable it.
#4
Updated by Nathan Angelacos over 1 year ago
(Disclaimer: I personally agree with the analogy in the openvpn.net thread above)
Alpine Linux has always been more "security-by-default" than "easy-to-use" by nature.
Would be interesting to know if there's any other major distro that /does/ enable --enable-password-save.
1 vote for making the acf-openssl CA easier to use. People should be using certificates with VPNs, not passwords. I think our time would be better spent making it easier for people to "do the right thing."
#5
Updated by Joe Sixpack over 1 year ago
Nathan Angelacos wrote:
> (Disclaimer: I personally agree with the analogy in the openvpn.net thread above)
> Alpine Linux has always been more "security-by-default" than "easy-to-use" by nature.
> Would be interesting to know if there's any other major distro that /does/ enable --enable-password-save.
> 1 vote for making the acf-openssl CA easier to use. People should be using certificates with VPNs, not passwords. I think our time would be better spent making it easier for people to "do the right thing."

I totally agree that user/pass authentication stinks, unfortunately I have to connect to a VPN that uses it. :/ I'm trying to keep the VPN up 24/7, which I can't do if the box reboots etc. It works now, but if something happens I have to SSH in and start the VPN manually. That's how the whole thing came about.
#6
Updated by Joe Sixpack over 1 year ago
Nathan Angelacos wrote:
> (Disclaimer: I personally agree with the analogy in the openvpn.net thread above)
> Alpine Linux has always been more "security-by-default" than "easy-to-use" by nature.
> Would be interesting to know if there's any other major distro that /does/ enable --enable-password-save.
> 1 vote for making the acf-openssl CA easier to use. People should be using certificates with VPNs, not passwords. I think our time would be better spent making it easier for people to "do the right thing."

Also, fwiw the VPN I have to connect to uses a client certificate as well as requiring username/password :-/
#7
Updated by Natanael Copa 3 months ago
Nathan Angelacos wrote:
> Would be interesting to know if there's any other major distro that /does/ enable --enable-password-save.

Fedora does.
Joe Sixpack wrote:
> Also, fwiw the VPN I have to connect to uses a client certificate as well as requiring username/password :-/

I think it's good enough reason to enable it.
#8
Updated by Natanael Copa 3 months ago
- Status changed from New to Resolved
- % Done changed from 0 to 100
Applied in changeset 960ed25687f9c850403dd5450c82c0759a891778.
#9
Updated by Natanael Copa about 8 hours ago
- Status changed from Resolved to Closed
- Target version set to Alpine 2.6.1
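
The drawback discussed in this issue is that auth-user-pass with a file keeps the username and password in cleartext on disk. The shell script below is an added example, not part of the original issue or of Alpine's or OpenVPN's code; it flags credential files that grant any access beyond their owner. The function names, and resolving relative paths against the config file's directory, are assumptions.

```shell
#!/bin/sh
# Added example: flag auth-user-pass credential files that grant any
# access to group or other. Function names are hypothetical.

# check_cred_file FILE: 0 = owner-only, 1 = too permissive, 2 = missing.
check_cred_file() {
    [ -f "$1" ] || { echo "MISSING $1"; return 2; }
    # Characters 5-10 of the ls mode string are the group and other bits.
    perms=$(ls -ld -- "$1" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "WEAK    $1 (group/other bits: $perms)"
        return 1
    fi
    echo "OK      $1"
}

# audit_config CONF: 0 only if every file named by an
# "auth-user-pass FILE" line in CONF passes check_cred_file.
audit_config() {
    [ -r "$1" ] || { echo "UNREADABLE $1"; return 2; }
    dir=$(dirname -- "$1")
    # Comment lines start with '#' or ';' so their first field never matches.
    # A bare "auth-user-pass" (interactive prompt) names no file and is skipped.
    # Handles unquoted paths without whitespace only.
    awk '$1 == "auth-user-pass" && NF >= 2 { print $2 }' "$1" | (
        rc=0
        while IFS= read -r f; do
            case $f in
                /*) path=$f ;;
                *)  path=$dir/$f ;;  # assumption: relative to the config's directory
            esac
            check_cred_file "$path" || rc=1
        done
        exit "$rc"
    )
}

# Audit every config given on the command line, e.g. /etc/openvpn/*.conf
for conf in "$@"; do
    audit_config "$conf"
done
```

A file reported as WEAK can be tightened with `chmod 600` so that only the account running OpenVPN can read it.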