Out of curiosity I had a brief look at the openssl-vulnkey script and
found the following:
The openssl-vulnkey is implemented as a wrapper around the openssl binary in
order to check for weak keys.
One of the problems that occur when wrapping the openssl binary instead of
making use of the openssl libraries is passing the password to it in a secure
manner.
man openssl
"
Several commands accept password arguments, typically using -passin and
-passout for input and output passwords respectively. These allow the
password to be obtained from a variety of sources. Both of these
options take a single argument whose format is described below. If no
password argument is given and a password is required then the user is
prompted to enter one: this will typically be read from the current
terminal with echoing turned off.
pass:password
the actual password is password. Since the password is visi‐
ble to utilities (like ’ps’ under Unix) this form should only
be used where security is not important.
"
The openssl-vulnkey calls three functions (get_type, get_bits and get_modulus)
in order to get the information it needs in order to check for weak keys.
Each function needs to decrypt the key to get it's information. Hence the three
pass phrase questions.
Renaming the openvpn-vulnkey to openssl-vulnkey is just as bad as
replacing the openssl-vulnkey with /bin/true and should be avoided if
you have not checked your keys manually and made sure their all OK.
So until the script is modified/fixed we're stuck with either
- typing the password three times
- replacing the openssl-vulnkey binary
/Patrik
--
network-manager-openvpn is incapable of supplying openssl-vulnkey with the
X.509 key passphrase it requests
https://bugs.launchpad.net/bugs/230197
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
