Expose EASYRSA_PASSIN and EASYRSA_PASSOUT env variables #368
Conversation
|
cc @luizluca |
|
The CI check failed with error |
|
Looks like Travis might be having a problem with their Mac build boxes. |
Until PR OpenVPN/easy-rsa#368 is merged.
|
The patch has many unrelated whitespace changes |
|
Dropped the whitespace changes from the patch. |
|
A malicious agent could set EASYRSA_PASSOUT and skip asking the admin for a password. If the admin inattentive does not notice that, a private key might be saved using the password defined by the malicious agent. Another attack would be to use EASYRSA_PASSOUT to destroy data overwriting a target file writable by easyrsa caller. Although, setting arbitrary env vars would be enough to potentially do much more harm than this case. Another non-intentional problem would be someone leaving EASYRSA_PASSIN/OUT defined by mistake (used in a previous easyrsa call). It could make the command fail without a clear warning or save a private key with a previously used password. Maybe we should add a warning if data came from an env var. Setting any random data to EASYRSA_PASSIN/OUT will only make command fail as its content is protected by double quotes and it always prefix it with '--passin/out' option. I don't think that this patch will make too much harm and it does add an alternative way to pass arguments. Besides the vars.example change I suggested, it should be accepted. |
|
That information is better documented in the EasyRSA-Advanced.md file. I do think a mention in the config file specifying it is NOT recommended to be set there would be best. Maybe even a check in easyrsa itself to refuse to use a config file that contains EASYRSA_PASSIN/OUT value? |
|
@ecrist up to you - let me know what would you like to see here and I can try to do it. I didn't find any examples in the script how to warn that variable is set in the config file and I'm not sure if it's worth the effort and complexity, but if you think it's important.. |
|
@pschiffe there's nothing in there now - a simple grep test for the config file would suffice. I can help if needed. |
and refuse to continue if they are present there, as they might containg passwords.
|
I've included a commit with grep check for the env vars in the config file. |
|
I'll merge this, looks good on the surface. Could use an update to unit tests in OpenVPN/easyrsa-unit-tests#26 |
|
I cannot find any usage examples or documentation on how to use this at all. |
|
You mean --passin/--passout arg? It is a standard openssl argument https://www.openssl.org/docs/manmaster/man1/openssl-passphrase-options.html |
By exposing these variables it's possible to configure the password from
various sources by specifing env vars. This is a followup to PR #242
Fixes #365