From: David Sommerseth
Date: Wed, 28 Feb 2018 13:19:18 +0000 (+0100)
Subject: management: Warn if TCP port is used without password
X-Git-Tag: v2.4.6~10
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=ab218befec67dc0f5bb08973d2ec3476350f9ab3;p=thirdparty%2Fopenvpn.git

management: Warn if TCP port is used without password

It is not recommended to use --management on a TCP port without also adding a password authentication, as this can easily be abused by other users or processes being able to connect to the management interface. Thus issue a warning that this configuration is strongly discouraged.

Signed-off-by: David Sommerseth
Acked-by: Gert Doering
Message-Id: <20180228131918.12954-3-davids@openvpn.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg16574.html
Signed-off-by: Gert Doering
(cherry picked from commit 4db7715a3aa62f2e8d8234c1852fb141f62318e2)
---
diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 3f9164c78..a0076309c 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -2189,6 +2189,14 @@ options_postprocess_verify_ce(const struct options *options, const struct connec { msg(M_USAGE, "--management-client-(user|group) can only be used on unix domain sockets"); } + + if (!(options->management_flags & MF_UNIX_SOCK) + && (!options->management_user_pass)) + { + msg(M_WARN, "WARNING: Using --management on a TCP port WITHOUT " + "passwords is STRONGLY discouraged and considered insecure"); + } + #endif /*
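
Review bot: the new condition in options_postprocess_verify_ce() tests only `!(options->management_flags & MF_UNIX_SOCK)` and `!options->management_user_pass`, and nothing in the visible hunk checks that --management was given at all. Both terms are also true for a configuration with no management interface, so unless an enclosing check outside the shown context gates this block, the warning would be logged for every such config and would stop being a useful signal. Suggest adding, as the first term, a test that a management address is configured (for example `options->management_addr`, assuming that is where the option's address is stored). Secondary point on the message text: it could name the remedy, a password file on --management or a unix domain socket, so an operator reading the log knows what to change.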