Browse code
management: Warn if TCP port is used without password
It is not recommended to use --management on a TCP port without also
adding a password authentication, as this can easily be abused by other
users or processes being able to connect to the managmement interface.
Thus issue a warning that this configuration is strongly discouraged.
Signed-off-by: David Sommerseth <davids@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20180228131918.12954-3-davids@openvpn.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg16574.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
David Sommerseth authored on 2018/02/28 22:19:18Showing 1 changed files
| ... | ... |
@@ -2170,6 +2170,14 @@ options_postprocess_verify_ce(const struct options *options, const struct connec |
| 2170 | 2170 |
{
|
| 2171 | 2171 |
msg(M_USAGE, "--management-client-(user|group) can only be used on unix domain sockets"); |
| 2172 | 2172 |
} |
| 2173 |
+ |
|
| 2174 |
+ if (!(options->management_flags & MF_UNIX_SOCK) |
|
| 2175 |
+ && (!options->management_user_pass)) |
|
| 2176 |
+ {
|
|
| 2177 |
+ msg(M_WARN, "WARNING: Using --management on a TCP port WITHOUT " |
|
| 2178 |
+ "passwords is STRONGLY discouraged and considered insecure"); |
|
| 2179 |
+ } |
|
| 2180 |
+ |
|
| 2173 | 2181 |
#endif |
| 2174 | 2182 |
|
| 2175 | 2183 |
/* |