[MacPorts] #51528: openvpn2: passwordsave variant
MacPorts
noreply at macports.org
Mon May 30 20:54:09 PDT 2016
#51528: openvpn2: passwordsave variant
-------------------------+--------------------------------
Reporter: macports@… | Owner: macports-tickets@…
Type: enhancement | Status: new
Priority: Normal | Milestone:
Component: ports | Version: 2.3.4
Keywords: | Port: openvpn2
-------------------------+--------------------------------
Some OpenVPN servers (particularly Sophos UTM and Mikrotik) are configured
to authenticate with a user/password combination either in addition to or
instead of the TLS certificate. By default openvpn2 requires the user to
enter this username/password on the console ''every time the VPN starts''.
For [https://openvpn.net/archive/openvpn-users/2004-10/msg00418.html about 10 years]
openvpn2 has had an option to load these details from a file instead of
entering them on the console on each run ("auth-user-pass FILENAME").
However, [https://openvpn.net/index.php/open-source/documentation/install.html?start=1 to use this feature openvpn2 must be built with "--enable-password-save"].
Without that configure-time option (e.g., default MacPorts), trying to use
this feature results in:
{{{
Tue May 31 15:41:05 2016 Sorry, 'Auth' password cannot be read from a file
}}}
The attached trivial patch adds a variant "+passwordsave" which enables
compiling with "--enable-password-save":
{{{
ewen at ashram:/usr/local/ports$ port variants openvpn2
openvpn2 has the variants:
passwordsave: Build with --enable-password-save
universal: Build for multiple architectures
ewen at ashram:/usr/local/ports$
}}}
After [https://guide.macports.org/chunked/development.local-repositories.html configuring for local ports],
the patched version of the Portfile was tested with:
{{{
portindex -f
sudo port install -k openvpn2 +passwordsave
}}}
and then "auth-user-pass FILENAME" works. (To reduce the security risk
the referenced file with the username/password should be "chmod +400" or
similar, and ideally the password should ''only'' be used for the VPN
credentials (as it is stored in plain text); I'm not sure how strictly
OpenVPN checks the file permissions.)
Obviously this is not ideal for a shared system, and so it should not be
the default. But on a single-user workstation, interacting frequently
with VPN servers that rely on the client storing the VPN credentials, it
might be an acceptable tradeoff.
Please consider merging this patch to add the optional variant, so MacPorts
users have the option of enabling this feature if it is appropriate for
their environment.
Ewen
--
Ticket URL: <https://trac.macports.org/ticket/51528>
MacPorts <https://www.macports.org/>
Ports system for OS X
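The ticket leaves open how strictly OpenVPN checks the permissions on the "auth-user-pass FILENAME" credentials file. The following is an added example, not code from the ticket, the attached patch, MacPorts or OpenVPN: a POSIX shell script that creates the two-line credentials file with a private mode and refuses to launch openvpn unless the file is a regular file, owned by the caller, with no group or other permission bits. The function names, the credential file path and the sample user/password are assumptions for illustration; `auth-user-pass` and `--config` are real OpenVPN options, the wrapper policy around them is this example's own.

```shell
#!/bin/sh
# Added example (not part of the MacPorts ticket, its patch, or OpenVPN):
# create the file read by "auth-user-pass FILENAME" with a private mode
# and check it before starting the VPN. Names/paths are assumptions.

set -eu

# Write "username" and "password" as the two lines auth-user-pass expects.
# umask 077 in a subshell means the file is born 0600 (never 0644 for an
# instant); it is then tightened to 0400 as the ticket recommends.
write_vpn_creds() {
    user=$1; pass=$2; file=$3
    ( umask 077
      printf '%s\n%s\n' "$user" "$pass" > "$file" )
    chmod 400 "$file"
}

# Succeed only if the file is a regular file, owned by the caller, and has
# no group/other bits. ls -l columns 5-10 are the group and other triplets,
# which avoids the BSD (macOS) vs GNU (Linux) stat flag differences.
creds_file_is_private() {
    f=$1
    [ -f "$f" ] || return 1
    [ -O "$f" ] || return 1
    perms=$(ls -ld "$f" | cut -c5-10)
    [ "$perms" = "------" ]
}

# The client config line that references the credentials file.
vpn_config_fragment() {
    printf 'auth-user-pass %s\n' "$1"
}

# Launch openvpn only when the credentials file passes the check above,
# so a world-readable file is caught here regardless of whether the
# openvpn build enforces anything itself.
start_vpn() {
    conf=$1; creds=$2
    if ! creds_file_is_private "$creds"; then
        echo "refusing to start: $creds must be a private regular file (mode 0400/0600)" >&2
        return 1
    fi
    openvpn --config "$conf" --auth-user-pass "$creds"
}
```

Usage on the workstation the ticket describes: `write_vpn_creds alice 'secret' "$HOME/.vpn/creds"` once, then `start_vpn "$HOME/.vpn/client.ovpn" "$HOME/.vpn/creds"` instead of calling openvpn directly. The password is still stored in plain text, so it should be a VPN-only credential as the ticket notes; the wrapper only guards against the file being readable by other local users.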