-
Notifications
You must be signed in to change notification settings - Fork 3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add --askpin option #130
base: master
Are you sure you want to change the base?
Add --askpin option #130
Conversation
Adding --askpin option modeled after --askpass, letting people enter pin early int he startup or more importantly allow them to keep a password in separate file to simplify unattended setup. Signed-off-by: Michal Hrusecky <Michal@Hrusecky.net>
token_pass.nocache = true; | ||
|
||
if (!strlen(token_pass.password)) | ||
{ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Pass
It wasn't clear that this was about PKCS#11. How about renaming the option to --pkcs11-askpin ? I think it'll be much more self explanatory. At the same time I'd extend the doc a little bit to mention what the pin is for. May be obvious for you or me looking at the code, but not for the casual reader. @miska if still interested, how about addressing these changes and sending the patch to the mailing list, please? |
Since it's a violation of security (to a varying degree, the file/config may be on an encrypted file system), it may be nice to go the full way of
and
A process who can read the PIN file must have access to the config (and vice versa) anyway. And it's still (kind of) more secure than |
Would really love to see this feature and I would volunteer to bring the development forward. @ordex @becm could you please summarize your preferred way of implementing this? For me a new option |
Maybe @dsommers could be more helpful here |
For me, it just felt like this should behave more like a config option that supports inline PIN data. Required presence of the token should still make this more secure than traditional The behavioral difference would also enhance the use of a new option ( I'm not in any position to advise on or green-light implementation though. 😉 |
Adding --askpin option modeled after --askpass, letting people enter pin early
int he startup or more importantly allow them to keep a password in separate
file to simplify unattended setup.
Signed-off-by: Michal Hrusecky Michal@Hrusecky.net
Thank you for your contribution
You are welcome to open PR, but they are used for discussion only. All
patches must eventually go to the openvpn-devel mailing list for review:
Please send your patch using git-send-email. For example to send your latest commit to the list:
For details, see these Wiki articles: