List:       openvpn-devel
Subject:    Re: [Openvpn-devel] [PATCH] Document some limitations of --auth-user-pass
From:       Selva Nair <selva.nair () gmail ! com>
Date:       2020-03-29 20:43:58
Message-ID: CAKuzo_gLrEhfiA_cETadphR3Geg+8YZtPTkw_Op6AL3OWbOrzA () mail ! gmail ! com

Hi,

On Tue, Mar 17, 2020 at 6:25 AM Gert Doering <gert@greenie.muc.de> wrote:
>
> Hi,
>
> On Tue, Mar 17, 2020 at 11:06:53AM +0100, David Sommerseth wrote:
> > On 16/03/2020 14:48, Selva Nair wrote:
> > [...snip...]
> > >> I would just rephrase it to say:
> > >>
> > >>   OpenVPN GUI v11 and newer uses its own internal username/password storage
> > >>   independent of the --auth-user-pass file provided.  The file argument is
> > >>   ignored on such installations.
> > >
> > > I wish it behaved like that. Unfortunately the file argument is not
> > > ignored in such cases. If the file has only username, openvpn.exe
> > > reads it from the file and then fails to prompt for password as there
> > > is no console available.
> >
> > Ouch ... that is a pointless misbehavior.  Let's try to fix that.
>
> Have you recovered from your latest adventures in "password query code
> in OpenVPN" already? :-)
>
> Not sure if the management commands permit the "we have a username but
> no password" flow today... Arne, Selva?
>
> But yes, this needs to be either a clear error, or "work correctly"
>
> > > I propose to change this behaviour to: if --management-query-passwords
> > > is set (which the GUI does), ignore the file given in auth-user-pass
> > > and prompt both username and password from management. I think it's
> > > only logical for a later option (in this case the one set by the GUI)
> > > to override a previous one. Anyway we do already ignore it if the file
> > > is "stdin".
> >
> > Agreed!
>
> No, as this will break working configs *if* both username + password
> are in the file (did we ever merge the "inline auth-user-pass" patch?).

See the patch in mail for what looks like an acceptable solution to me.


Selva

