No cache option?


colleen harrington

Apr 29, 2010, 7:19:52 PM
to tunnelbli...@googlegroups.com
My log shows warning 'This configuration may cache password in memory'.

I have the shadow config. option checked

openvpn was removed from library and tunnelblick was dropped onto hard drive on desktop

TB icon sits near spotlight. There are two of them there now. I shut down computer last night.

Please advise as able.

Thanks!

--
You received this message because you are subscribed to the Google Groups "tunnelblick-discuss" group.
To post to this group, send email to tunnelbli...@googlegroups.com.
To unsubscribe from this group, send email to tunnelblick-dis...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/tunnelblick-discuss?hl=en.

jkbull...gmail.com

Apr 29, 2010, 8:47:07 PM
to tunnelblick-discuss
For most people it isn't a problem they care about. OpenVPN keeps a
copy of your username/password or private key in memory so it can use
them if it needs to reconnect (because of a bad connection or other
reason); that is what this is talking about.

You can get rid of it by putting the following line anywhere in your
configuration file (click the Tunnelblick icon, then click "Details",
then click the "Edit configuration" button and follow the directions).

auth-nocache

If you do that and the connection is lost for any reason, OpenVPN/
Tunnelblick will ask you for your username/password when it tries to
reconnect.

Of course, you can save them in your Keychain (there's a checkbox for
that in the window that asks for your username/password or private
key). Then you won't be asked, but they are "cached" in the keychain.

colleen harrington

Apr 30, 2010, 12:06:34 AM
to tunnelbli...@googlegroups.com
###
## AlwaysVPN Mac TCP client configuration version 2.0
####
client
dev tap
proto tcp-client
remote vpngrp1.alwaysvpn.net 443
remote vpngrp1.alwaysvpn.net 80
remote vpngrp2.alwaysvpn.net 443
remote vpngrp2.alwaysvpn.net 80
redirect-gateway def1
resolv-retry infinite
nobind
persist-key
persist-tun
ca alwaysvpn2_ca.crt
tls-auth alwaysvpn-ta.key 1
auth-user-pass
ns-cert-type server
tls-remote alwaysvpn_s
tls-cipher DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA
cipher BF-CBC
comp-lzo
verb 3
# shaper 50000

you can see here it says auth-user-pass....

same follow-up?

C.

jkbull...gmail.com

Apr 30, 2010, 4:26:32 AM
to tunnelblick-discuss
I don't understand your question.

"auth-user-pass" is not the same as "auth-nocache".

"auth-user-pass" says that you will be asked for a username/password.

"auth-nocache" tells OpenVPN not to save (cache) the username/password
in memory. Currently (since you _don't_ have "auth-nocache"), OpenVPN
saves the username/password in memory (thus the warning message you
wrote about originally). That means that, if the connection is lost
and OpenVPN needs to reconnect (which it usually does automatically),
OpenVPN won't have to ask you -- it will retrieve them from memory and
send them to the server automatically, without bothering you.

If you add "auth-nocache" to the configuration file, OpenVPN will
_not_ save the username/password in memory. So if the connection is
lost and OpenVPN needs to reconnect (which it usually does
automatically), OpenVPN will not have the username/password, so it
will ask Tunnelblick. If you have saved the username/password in your
Keychain then Tunnelblick will automatically send the username/
password to OpenVPN, which will send them to the server, all without
asking you. If you didn't save the username/password in your Keychain,
Tunnelblick will ask you for them.

wcoolnet

Apr 30, 2010, 9:38:04 AM
to tunnelblick-discuss
Keep in mind that you usually do not want to enable the auth-nocache
option with username / password authentication methods as you will
need to re-enter your credentials every time your DH key is
renegotiated. Which might mean every hour.
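The two posts above describe the trade-off behind the warning: with `auth-user-pass` and no `auth-nocache`, OpenVPN keeps the credentials in process memory so that reconnects and periodic TLS renegotiations (`reneg-sec`, which OpenVPN defaults to 3600 seconds) do not re-prompt; with `auth-nocache`, the client has to supply them again at each of those points. The following added example (not Tunnelblick or OpenVPN code) is a small config audit that parses an OpenVPN client configuration, reports which of the two situations it is in, and shows the one-line change. The sample configuration is a constructed copy of the one posted in this thread; the `reneg-sec` default and the re-prompt behaviour are taken as stated by the posts above.

```python
"""Audit an OpenVPN client config for the credential-caching warning.

Added illustration, not project code. Reports whether `auth-user-pass`
is used without `auth-nocache` (credentials held in process memory) or
with it (re-prompt on every reconnect / renegotiation, per the thread).
"""
from __future__ import annotations

DEFAULT_RENEG_SEC = 3600  # OpenVPN's documented default for reneg-sec

# Constructed sample: a copy of the client config posted in this thread.
SAMPLE_CONFIG = """\
###
## AlwaysVPN Mac TCP client configuration version 2.0
####
client
dev tap
proto tcp-client
remote vpngrp1.alwaysvpn.net 443
remote vpngrp1.alwaysvpn.net 80
remote vpngrp2.alwaysvpn.net 443
remote vpngrp2.alwaysvpn.net 80
redirect-gateway def1
resolv-retry infinite
nobind
persist-key
persist-tun
ca alwaysvpn2_ca.crt
tls-auth alwaysvpn-ta.key 1
auth-user-pass
ns-cert-type server
tls-remote alwaysvpn_s
tls-cipher DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA
cipher BF-CBC
comp-lzo
verb 3
# shaper 50000
"""


def parse_directives(config_text: str) -> dict[str, list[list[str]]]:
    """Map each directive to the list of argument lists it appears with.

    Skips blank lines, '#'/';' comment lines, trailing unquoted comments
    and inline <tag>...</tag> blocks (their contents are not directives).
    Repeated directives such as `remote` are kept in order.
    """
    directives: dict[str, list[list[str]]] = {}
    in_block: str | None = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if in_block is not None:
            if line == f"</{in_block}>":
                in_block = None
            continue
        if not line or line[0] in "#;":
            continue
        if line.startswith("<") and line.endswith(">") and not line.startswith("</"):
            in_block = line[1:-1]
            continue
        for marker in ("#", ";"):  # drop a trailing comment
            idx = line.find(marker)
            if idx > 0:
                line = line[:idx].rstrip()
        parts = line.split()
        directives.setdefault(parts[0], []).append(parts[1:])
    return directives


def audit_credential_caching(config_text: str) -> dict[str, object]:
    """Classify the config with respect to OpenVPN's password-caching warning."""
    d = parse_directives(config_text)
    uses_user_pass = "auth-user-pass" in d
    nocache = "auth-nocache" in d
    reneg = DEFAULT_RENEG_SEC
    if d.get("reneg-sec") and d["reneg-sec"][0]:
        reneg = int(d["reneg-sec"][0][0])
    findings: list[str] = []
    if uses_user_pass and not nocache:
        findings.append(
            "credentials are cached in OpenVPN's process memory for reconnects "
            "(this is the 'may cache passwords in memory' warning)"
        )
    elif uses_user_pass:
        when = "every reconnect" if reneg == 0 else f"every reconnect and every {reneg}s renegotiation"
        findings.append(
            f"auth-nocache is set: expect a credential prompt on {when} "
            "unless the client (e.g. Tunnelblick via the Keychain) supplies them"
        )
    return {"auth_user_pass": uses_user_pass, "auth_nocache": nocache,
            "reneg_sec": reneg, "findings": findings}


def add_auth_nocache(config_text: str) -> str:
    """Return the config with `auth-nocache` appended (idempotent)."""
    if "auth-nocache" in parse_directives(config_text):
        return config_text
    return config_text.rstrip("\n") + "\nauth-nocache\n"


if __name__ == "__main__":
    for label, cfg in (("as posted", SAMPLE_CONFIG), ("with auth-nocache", add_auth_nocache(SAMPLE_CONFIG))):
        print(label, "->", audit_credential_caching(cfg)["findings"])
```

Running the block prints one finding for the posted config (cached in memory) and a different one after `add_auth_nocache`, which is the same edit the thread recommends; the parser also handles inline certificate blocks and comment lines, so it can be pointed at a real client config to see which side of the trade-off it is on.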

matthe...@gmail.com

Oct 17, 2013, 8:39:44 PM
to tunnelbli...@googlegroups.com
I hate to dredge up an old thread, but since this is at the top of the Google search results, I wanted to make sure it was visible. Keep in mind that since many (most?) VPN users are on mobile devices, if you're using a laptop that hibernates then your memory-cached passwords are then being written to disk. This is significantly more of a concern than just having them cached in memory, though for the average user, they may not care about the inconvenience of the reauthentication vs. the likelihood someone will comb their memory dump for passwords. However, I do have a couple of questions:

Is it the full password cached or just a hash? Could malicious/buggy software access this while still in memory?
Is it immediately cleared from memory by being explicitly overwritten as soon as the connection is disconnected? If not, is it when the client application is closed? If so, a valid compromise for my hibernation concern could be as simple as making sure you disconnect from the VPN before allowing hibernation. If not, that should probably be a development request.

Thanks for the additional info,

Matt


On Friday, April 30, 2010 9:38:04 AM UTC-4, wcoolnet wrote:
> Keep in mind that you usually do not want to enable the auth-nocache
> option with username / password authentication methods as you will
> need to re-enter your credentials every time your DH key is
> renegotiated. Which might mean every hour.


jkbull...gmail.com

Oct 17, 2013, 9:10:09 PM
to tunnelbli...@googlegroups.com, matthe...@gmail.com
Tunnelblick does not cache passwords. You can tell Tunnelblick to save usernames/passwords in the OS X Keychain and automatically retrieve them from the Keychain, but that is not the same as caching them.

Caching is done by OpenVPN when the OpenVPN "auth-nocache" option is not specified. You need to ask an OpenVPN expert. Try

andr...@gmail.com

Feb 20, 2017, 6:36:13 AM
to tunnelblick-discuss
There is no "edit configuration" option in Tunnelblick 3.7.0


On Thursday, April 29, 2010 at 8:47:07 PM UTC-4, Tunnelblick developer wrote:
> For most people it isn't a problem they care about. OpenVPN keeps a
> copy of your username/password or private key in memory so it can use
> them if it needs to reconnect (because of a bad connection or other
> reason); that is what this is talking about.
>
> You can get rid of it by putting the following line anywhere in your
> configuration file (click the Tunnelblick icon, then click "Details",
> then click the "Edit configuration" button and follow the directions).
>
> auth-nocache
>
> If you do that and the connection is lost for any reason, OpenVPN/
> Tunnelblick will ask you for your username/password when it tries to
> reconnect.
>
> Of course, you can save them in your Keychain (there's a checkbox for
> that in the window that asks for your username/password or private
> key). Then you won't be asked, but they are "cached" in the keychain.


Tunnelblick developer

Feb 20, 2017, 6:52:55 AM
to tunnelblick-discuss, andr...@gmail.com
Things have changed in the seven years since I wrote the post you are replying to!

You can edit a "private" configuration, and you can examine (without making changes) a "shared" configuration. You can also switch a configuration from one to the other.

Select the configuration in the list on the left side of the "Configurations" panel of Tunnelblick's "VPN Details" window. Then click on the little "gear" icon below the list, and click
  • "Edit OpenVPN Configuration File…",
  • "Examine OpenVPN Configuration File…",
  • "Make Configuration Private…", or
  • "Make Configuration Shared…".
(There are a few other options, too.)

The little "gear" icon is the standard macOS way of doing such things. For examples, see the "Network" and "Users & Groups" System Preferences.