How to prevent warnings --script-security and cache password

libove
OpenVPN User
Posts: 24
Joined: Tue Oct 12, 2010 3:48 am

How to prevent warnings --script-security and cache password

Post by libove » Mon Jul 25, 2011 11:42 am

Hello,
I'm running openvpn 2.2.0 as a client on a CentOS 5.6 x86_64 Linux host, and every time it connects to its server, the client system's local log file gets these three warnings:
NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
WARNING: Make sure you understand the semantics of --tls-remote before using it (see the man page)
WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
I understand and accept the risks of both the --script-security setting and the caching of passwords in memory, and I understand and am successfully using and benefitting from --tls-remote, and require this configuration to be as it is.

How can I tell openvpn to not issue these warnings, as they just clutter up the nightly logwatch output?

Thanks,
Jay

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: How to prevent warnings --script-security and cache pass

Post by maikcat » Mon Jul 25, 2011 12:24 pm

hi there,

you can also disable logging completely using verb 0 ....

also you can make openvpn log info to a separate file...

Michael.
Amiga 500 , Zx +2 owner
Long live Dino Dini (Kick off 2 Creator)

Inflammable means flammable? (Dr Nick Riviera, Simpsons Season 13)

"objects in mirror are losing"

libove
OpenVPN User
Posts: 24
Joined: Tue Oct 12, 2010 3:48 am

Re: How to prevent warnings --script-security and cache pass

Post by libove » Mon Jul 25, 2011 1:39 pm

Hi Michael,
Thanks for the suggestions.
I prefer to not turn off all logging, as there may be other really non-routine things which we do need to see when they happen (as compared to the rather routine "you're using a potentially insecure solution" which we should be able to acknowledge once and not see again).
Similarly, if we redirect all openvpn logs elsewhere, then we won't see the really non-routine things which we should.

So, is there no way to tell openvpn that:
a. we know about the remote-tls option, don't scold us;
b. we know about password caching in memory, don't remind us; and
c. we chose that script security model, so don't bother us

.. while leaving all else as-is?

Cheers,
-Jay


maikcat wrote:hi there,
you can also disable logging completely using verb 0 ....
also you can make openvpn log info to a separate file...
Michael.

Mimiko
Forum Team
Posts: 1564
Joined: Wed Sep 22, 2010 3:18 am

Re: How to prevent warnings --script-security and cache pass

Post by Mimiko » Mon Jul 25, 2011 2:02 pm

I'm having the same problem with the warning about --script-security 2. I think of using in the config the directive
mute n
where n is the maximum number of consecutive identical messages to be logged. And set it to 1 or 2. Also, it'll be better to log to a file:

Code:

verb 2
log-append  openvpn.log
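As an added example (not code from the thread or from the OpenVPN project): a small filter that drops exactly the three warnings Jay quoted and passes every other line through, so a nightly logwatch run still surfaces anything unexpected. It assumes the client logs with log-append openvpn.log as above; the sample log lines are constructed, not taken from a real host.

```python
"""Drop only the acknowledged OpenVPN warnings; keep everything else."""
import re
import sys
from typing import Iterable, List

# Exact message bodies from the original post. Matching the whole text rather
# than a keyword such as "WARNING" is deliberate: a new, unknown warning must
# still reach the log reader.
ACKNOWLEDGED = (
    "NOTE: the current --script-security setting may allow this configuration "
    "to call user-defined scripts",
    "WARNING: Make sure you understand the semantics of --tls-remote before "
    "using it (see the man page)",
    "WARNING: this configuration may cache passwords in memory -- use the "
    "auth-nocache option to prevent this",
)

# OpenVPN prefixes each line with a ctime-style stamp, e.g. "Mon Jul 25 11:42:00 2011 ".
_TIMESTAMP = re.compile(r"^\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4} ")


def is_acknowledged(line: str) -> bool:
    """True only if the line, minus its timestamp, is one of the known warnings."""
    body = _TIMESTAMP.sub("", line.rstrip("\n"))
    return body in ACKNOWLEDGED


def filter_log(lines: Iterable[str]) -> List[str]:
    """Return every line that is not an acknowledged warning, in order."""
    return [ln.rstrip("\n") for ln in lines if not is_acknowledged(ln)]


# Constructed sample log (hypothetical content, not output from the poster's host).
SAMPLE_LOG = [
    "Mon Jul 25 11:42:00 2011 OpenVPN 2.2.0 x86_64-redhat-linux-gnu",
    "Mon Jul 25 11:42:00 2011 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts",
    "Mon Jul 25 11:42:00 2011 WARNING: Make sure you understand the semantics of --tls-remote before using it (see the man page)",
    "Mon Jul 25 11:42:00 2011 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this",
    "Mon Jul 25 11:42:01 2011 VERIFY ERROR: depth=0, error=certificate has expired",
    "Mon Jul 25 11:42:05 2011 Initialization Sequence Completed",
]

if __name__ == "__main__":
    # Usage: python filter_openvpn_log.py openvpn.log   (no argument: sample data)
    source = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG
    for kept in filter_log(source):
        print(kept)
```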

libove
OpenVPN User
Posts: 24
Joined: Tue Oct 12, 2010 3:48 am

Re: How to prevent warnings --script-security and cache pass

Post by libove » Mon Jul 25, 2011 2:27 pm

(Can I turn this in to a poll question?)

Okay, so, who thinks this should become a feature request, to give us additional configuration options as follows:

--remote-tls-yes-I-know-how-to-use-it

--script-security level [thank-you-I-choose-to-take-the-risk]

--auth-users-pass [I-need-to-memory-cache-the-credentials]

(of course, the exact option names could be changed, but I hope the idea is clear enough!)

Thanks,
Jay

Mimiko
Forum Team
Posts: 1564
Joined: Wed Sep 22, 2010 3:18 am

Re: How to prevent warnings --script-security and cache pass

Post by Mimiko » Mon Jul 25, 2011 2:43 pm

How about new users that do not know about the risks?

In a production you can change

Code:

verb n
and use n=0-2. When everything is working fine, just set it to 0. But, ouch. With verb 0 I still get
NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables

libove
OpenVPN User
Posts: 24
Joined: Tue Oct 12, 2010 3:48 am

Re: How to prevent warnings --script-security and cache pass

Post by libove » Mon Jul 25, 2011 7:29 pm

Mimiko wrote:How about new users that do not know about the risks?
That is why I propose to make these *options* which knowledgeable users can set once they're satisfied that they need the configuration in a particular way.
-Jay
