It is not recommended to use --management on a TCP port without also
adding password authentication, as this can easily be abused by other
users or processes being able to connect to the management interface.
Thus issue a warning that this configuration is strongly discouraged.
Signed-off-by: David Sommerseth <davids@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20180228131918.12954-3-davids@openvpn.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg16574.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
... | ... |
@@ -2170,6 +2170,14 @@ options_postprocess_verify_ce(const struct options *options, const struct connec |
2170 | 2170 |
{ |
2171 | 2171 |
msg(M_USAGE, "--management-client-(user|group) can only be used on unix domain sockets"); |
2172 | 2172 |
} |
2173 |
+ |
|
2174 |
+ if (!(options->management_flags & MF_UNIX_SOCK) |
|
2175 |
+ && (!options->management_user_pass)) |
|
2176 |
+ { |
|
2177 |
+ msg(M_WARN, "WARNING: Using --management on a TCP port WITHOUT " |
|
2178 |
+ "passwords is STRONGLY discouraged and considered insecure"); |
|
2179 |
+ } |
|
2180 |
+ |
|
2173 | 2181 |
#endif |
2174 | 2182 |
|
2175 | 2183 |
/* |
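Review bot: The new condition tests only that MF_UNIX_SOCK is clear and that options->management_user_pass is unset; nothing in the added lines checks that --management was given at all. Unless an enclosing check outside the visible context already covers this, a configuration with no management interface has both values unset and would also get the "Using --management on a TCP port WITHOUT passwords" warning. Consider adding a test that the management address is configured (for example options->management_addr) as the first term of the condition, so the warning only appears when a TCP management socket is actually requested. The inner parentheses around !options->management_user_pass are also redundant.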