[MacPorts] #51528: openvpn2: passwordsave variant

MacPorts noreply at macports.org
Mon May 30 20:54:09 PDT 2016 

#51528: openvpn2: passwordsave variant
-------------------------+--------------------------------
 Reporter:  macports@…   |      Owner:  macports-tickets@…
     Type:  enhancement  |     Status:  new
 Priority:  Normal       |  Milestone:
Component:  ports        |    Version:  2.3.4
 Keywords:               |       Port:  openvpn2
-------------------------+--------------------------------
 Some OpenVPN servers (particular Sophos UTM and Mikrotik) are configured
 to authenticate with a user/password combination either in addition to or
 instead of the TLS certificate.  By default openvpn2 requires the user to
 enter this username/password on the console ''every time the VPN starts''.

 For [https://openvpn.net/archive/openvpn-users/2004-10/msg00418.html about
 10 years] openvpn2 has had an option to load these details from a file
 instead of entering them on the console on each run ("auth-user-pass
 FILENAME").  However [https://openvpn.net/index.php/open-
 source/documentation/install.html?start=1 to use this feature openvpn2
 must be built with "--enable-password-save"].  Without that configure time
 option (eg, default MacPorts), trying to use this feature results in:
 {{{
 Tue May 31 15:41:05 2016 Sorry, 'Auth' password cannot be read from a file
 }}}

 The attached trivial patch adds a variant "+passwordsave" which enables
 compiling with "--enable-password-save":

 {{{
 ewen at ashram:/usr/local/ports$ port variants openvpn2
 openvpn2 has the variants:
    passwordsave: Build with --enable-password-save
    universal: Build for multiple architectures
 ewen at ashram:/usr/local/ports$
 }}}

 After [https://guide.macports.org/chunked/development.local-
 repositories.html configuring for local ports], the patched version of the
 Portfile was tested with:

 {{{
 portindex -f
 sudo port install -k openvpn2 +passwordsave
 }}}

 and then "auth-user-pass FILENAME" works.  (To reduce the security risk
 the referenced file with the username/password should be "chmod +400" or
 similar, and ideally the password should ''only'' be used for the VPN
 credentials (as it is stored in plain text); I'm not sure how strictly
 OpenVPN checks the file permissions.)

 Obviously this is not ideal for a shared system, and so it should not be
 the default.  But on a single-user workstation, interacting frequently
 with VPN servers that rely on the client storing the VPN credentials, it
 might be an acceptable tradeoff.

 Please consider merging this patch to add the optional variant, so MacPort
 users have the option of enabling this feature if it is appropriate for
 their environment.

 Ewen

-- 
Ticket URL: <https://trac.macports.org/ticket/51528>
MacPorts <https://www.macports.org/>
Ports system for OS X

More information about the macports-tickets mailing list