
Add --askpin option

Open miska opened this issue 5 years ago • 6 comments

Adding --askpin option modeled after --askpass, letting people enter pin early in the startup or more importantly allow them to keep a password in a separate file to simplify unattended setup.

Signed-off-by: Michal Hrusecky [email protected]

Thank you for your contribution

You are welcome to open PRs, but they are used for discussion only. All patches must eventually go to the openvpn-devel mailing list for review:

  • https://lists.sourceforge.net/lists/listinfo/openvpn-devel

Please send your patch using git-send-email. For example to send your latest commit to the list:

$ git send-email [email protected] HEAD~1

For details, see these Wiki articles:

  • https://community.openvpn.net/openvpn/wiki/DeveloperDocumentation
  • https://community.openvpn.net/openvpn/wiki/Contributing

Sep 18 '19 06:09 miska

It wasn't clear that this was about PKCS#11. How about renaming the option to --pkcs11-askpin? I think it'll be much more self-explanatory. At the same time I'd extend the doc a little bit to mention what the pin is for. May be obvious for you or me looking at the code, but not for the casual reader.

@miska if still interested, how about addressing these changes and sending the patch to the mailing list, please?

Sep 17 '22 19:09 ordex

@miska @finda841 any motivation in bringing this forward? Thanks!

Oct 04 '22 08:10 ordex

Since it's a violation of security (to a varying degree, the file/config may be on an encrypted file system), it may be nice to go the full way of

pkcs11-pin mypin.txt

and

<pkcs11-pin>
123456
</pkcs11-pin>

A process that can read the PIN file must have access to the config (and vice versa) anyway.

And it's still (kind of) more secure than askpass. ☺

Dec 12 '22 21:12 becm

Would really love to see this feature and I would volunteer to bring the development forward. @ordex @becm could you please summarize your preferred way of implementing this? For me a new option --pkcs11-askpin would totally make sense, since there is already a --askpass option which does more or less the same to handle certificate passwords (instead of PKCS11 pins). Looking forward to your feedback!

Jul 31 '23 09:07 R0Wi

Maybe @dsommers could be more helpful here

Jul 31 '23 09:07 ordex

For me, it just felt like this should behave more like a config option that supports inline PIN data. The triplet (pkcs11-provider, pkcs11-id, pkcs11-pin) is then contained without external dependencies.

Required presence of the token should still make this more secure than traditional askpass use.

The behavioral difference would also enhance the use of a new option (pkcs11-pin) instead of just re-purposing the askpass content as PIN in PKCS11 mode.

I'm not in any position to advise on or green-light implementation though. :wink:

Aug 06 '23 15:08 becm
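
The two storage variants discussed in this thread (a PIN file referenced from the config, and an inline PIN block), checked for file permissions from the defender's side. This is an added example, not code from the thread or from OpenVPN: `pkcs11-pin` is only the option proposed above, and the policy (no group/other permission bits), the resolution of relative paths next to the config, and the sample files are assumptions constructed for illustration.

```python
import os
import tempfile

# "askpass" is a real OpenVPN option; "pkcs11-pin" is only the option
# proposed in this thread and is treated here as hypothetical.
SECRET_OPTIONS = {"askpass", "pkcs11-pin"}

def too_open(path):
    """True if group or others have any permission bit set on the file."""
    return bool(os.stat(path).st_mode & 0o077)

def audit_config(config_path):
    """Return sorted (file name, problem) pairs for secrets tied to a config."""
    findings, secret_files, inline = [], [], False
    base = os.path.dirname(os.path.abspath(config_path))
    with open(config_path, encoding="utf-8") as fh:
        for raw in fh:
            parts = raw.split()
            if not parts or parts[0][0] in "#;":
                continue
            if parts[0].strip("<>") in SECRET_OPTIONS:
                if parts[0].startswith("<"):
                    inline = True  # the PIN lives in the config itself
                elif len(parts) > 1:
                    # Assumption: relative paths resolve next to the config.
                    secret_files.append(os.path.join(base, parts[1]))
    if inline and too_open(config_path):
        findings.append((os.path.basename(config_path), "inline secret, config too open"))
    for path in secret_files:
        if not os.path.exists(path):
            findings.append((os.path.basename(path), "secret file missing"))
        elif too_open(path):
            findings.append((os.path.basename(path), "secret file too open"))
    return sorted(findings)

def demo():
    """Audit both constructed variants at mode 0644, then again at 0600."""
    files = {"mypin.txt": "123456\n", "ext.conf": "pkcs11-pin mypin.txt\n",
             "inline.conf": "<pkcs11-pin>\n123456\n</pkcs11-pin>\n"}
    with tempfile.TemporaryDirectory() as d:
        for name, text in files.items():
            with open(os.path.join(d, name), "w", encoding="utf-8") as fh:
                fh.write(text)
            os.chmod(os.path.join(d, name), 0o644)
        configs = [os.path.join(d, c) for c in ("ext.conf", "inline.conf")]
        before = [audit_config(c) for c in configs]
        for name in ("mypin.txt", "inline.conf"):
            os.chmod(os.path.join(d, name), 0o600)
        return before, [audit_config(c) for c in configs]
```

With an inline block the config file itself becomes the secret and needs the tight mode; with a referenced file only the PIN file does.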