Comments (2)
kyl191
commented on May 27, 2024
Problem is statefulness - I left the keys on disk so they don't get continually generated on every run, and updating the config file wouldn't force a full key regeneration cycle.
If you're running in a "one shot", adding and removing the client from the run list, yeah, this makes sense.
Gate this behind something that acknowledges the one shot of config generation, and this is fine, but for the general Ansible use of "enforce state", this kind of breaks the assumptions.
from ansible-role-openvpn.
kyl191
commented on May 27, 2024
Closing this as stale.
I don't understand the exact use case that clearing keys would solve. I see the concern - unencrypted keys left on disk when the server process doesn't need them isn't good security.
As I understand it, the primary case clearing the tokens protects against is a malicious sysadmin who could plausibly grab a copy of the client config and connect with those tokens.
But said malicious sysadmin would have access at generation time anyway.
In the event of a server compromise, the server certs would have to be regenerated and the config redistributed to clients anyway - and this role allows for the simultaneous recreation of server and client certs, so there's negligible additional overhead from regenerating client certs.
Deleting the keys after generation breaks the role's expectations of idempotent config regeneration, and I don't see why that needs to change.
You could use a post_tasks stanza in your playbook to clean up the files that you don't want if you don't want to maintain a fork.
from ansible-role-openvpn.
Related Issues (20)
- can you update README ? HOT 1
- Client private keys are logged to stdout on the step "generate client config"
- Allow apt version pinning on the installed packages
- Example Playbook do not works out of the box HOT 1
- Add version tags HOT 6
- CRL not working as intended. HOT 1
- sync_certs fails HOT 3
- Enable ansible-lint and yamllint
- Add a greeter & stale issue/pr closer
- Move compilation steps to copr/epel HOT 1
- Add option to push DOMAIN HOT 1
- openvpn_custom_dns option does not work
- LDAP compile - commands not found HOT 2
- Checkpolicy missing for the hooks
- Allow TCP management interface
- Client CSR is not deleted CentOS 7 HOT 1
- Rocky 8: openvpn-auth-ldap.so No such file or directory
- Deprecated cypher options used
- Error on default openvpn_client_config_dir
- How to add new server in the openvpn realm, how to make tunnel
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from ansible-role-openvpn.