<div dir="ltr"><div>Hi Kevin</div><div> </div><div>OK, I understand. Maybe the only solution would be a special version of the VPN Client but thats a overkill. </div><div> </div><div>thanks for your work!!!</div><div>martin<br>
<br></div><div class="gmail_quote">---------- Forwarded message ----------<br>From: <b class="gmail_sendername">Kevin VPN</b> <span dir="ltr"><<a href="mailto:kvpn@live.com">kvpn@live.com</a>></span><br>Date: 2013/3/25<br>
Subject: Re: [vpn-help] How can I save password for Shrew Soft VPN Access Manager?<br>To: <a href="mailto:vpn-help@lists.shrew.net">vpn-help@lists.shrew.net</a><br><br><br>On 03/21/2013 02:42 AM, Martin Hess wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;padding-left:1ex;border-left-color:rgb(204,204,204);border-left-width:1px;border-left-style:solid">
Hi Kevin<br>
<br>
The Point of using XAuth-PWD's could be that with XAuth a FW Admin<br>
can selectively disable users. So Xauth is not an added security<br>
layer but more an management layer. And in that way it would be nice<br>
to save these passwords.<br>
<br>
martin<br>
<br>
<br>
2013/3/21 Kevin VPN <<a href="mailto:kvpn@live.com" target="_blank">kvpn@live.com</a>><br>
<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;padding-left:1ex;border-left-color:rgb(204,204,204);border-left-width:1px;border-left-style:solid">
On 02/18/2013 12:25 AM, Steve Yakovenko wrote:<br>
<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;padding-left:1ex;border-left-color:rgb(204,204,204);border-left-width:1px;border-left-style:solid">
subj<br>
<br>
<br>
</blockquote>
Hi Steve, this has been asked before on the list. You cannot save<br>
the password in the Access Manager. Think about it. If you're<br>
just going save the password so that anyone who uses the machine<br>
can just connect to the VPN, what's the point of the password<br>
then?<br>
<br>
However, if you have a need, as some users have, to automate<br>
connecting the VPN, there is a command line program you can use to<br>
connect. If you're comfortable with embedding the password in a<br>
script file, you could do that. See this post:<br>
<br>
<a href="https://lists.shrew.net/**pipermail/vpn-help/2010-**August/002920.html" target="_blank">https://lists.shrew.net/**<u></u>pipermail/vpn-help/2010-**<u></u>August/002920.html</a><br>
</blockquote></blockquote>
<br>
Hi Martin,<br>
<br>
I hadn't thought of it that way, but that's a valid way to use XAuth.<br>
Thanks for pointing it out.<br>
<br>
On the other hand, I suspect that >90% of users would choose to save their passwords if given the option, defeating the purpose for the standard use case of security/authentication.<br>
<br>
If save passwords were enabled in Shrew, I think it would ideally be a hidden/protected setting that could be set in the VPN configuration file (only) by an administrator. In other words, the end user could only save if the VPN administrator permitted it by providing a config file with that setting enabled.<br>
<br>
Yes, I'm aware that the Internet would allow a user to quickly find out what that setting is and manipulate their configuration file to enable the setting, but it would still be a deterrent. It would also work in policy compliance/forensics settings - if the configuration file was provided to the user with the save password option disabled, but the user enabled it, then responsibility for the policy violation and/or resulting security breach rests with the user.<br>
<br>
I still think I would come down on the side of not allowing to save passwords though.<br>
______________________________<u></u>_________________<br>
vpn-help mailing list<br>
<a href="mailto:vpn-help@lists.shrew.net" target="_blank">vpn-help@lists.shrew.net</a><br>
<a href="https://lists.shrew.net/mailman/listinfo/vpn-help" target="_blank">https://lists.shrew.net/<u></u>mailman/listinfo/vpn-help</a><br>
</div><br></div>