Out of curiosity I had a brief look at the openssl-vulnkey script and found the following:
The openssl-vulnkey is implemented as a wrapper around the openssl binary in order to check for weak keys.
One of the problems that occur when wrapping the openssl binary instead of making use of the openssl libraries is passing the password to it in a secure manner.
man openssl
"
Several commands accept password arguments, typically using -passin and
-passout for input and output passwords respectively. These allow the
password to be obtained from a variety of sources. Both of these
options take a single argument whose format is described below. If no
password argument is given and a password is required then the user is
prompted to enter one: this will typically be read from the current
terminal with echoing turned off.
pass:password  the actual password is password. Since the password is visible
to utilities (like 'ps' under Unix) this form should only
be used where security is not important.
"
The openssl-vulnkey calls three functions (get_type, get_bits and get_modulus) in order to get the information it needs in order to check for weak keys.
Each function needs to decrypt the key to get its information. Hence the three pass phrase questions.
Renaming the openvpn-vulnkey to openssl-vulnkey is just as bad as replacing the openssl-vulnkey with /bin/true and should be avoided if you have not checked your keys manually and made sure they're all OK.
So until the script is modified/fixed we're stuck with either
- typing the password three times
- replacing the openssl-vulnkey binary
/Patrik
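The single-decryption approach the post argues for, as an added example that is not the Debian openssl-vulnkey script: decrypt the RSA key once, with the passphrase handed to openssl(1) over stdin instead of as a `pass:` argument, then derive type, bit length and modulus from that one plaintext copy. The function names (decrypt_key, modulus_of, bits_of, key_info) are chosen here; it assumes the openssl binary is on PATH and covers RSA keys only.

```shell
#!/bin/sh
# Added example, not the Debian openssl-vulnkey script.
# The passphrase is passed with "-passin stdin", so it never shows up in
# the process list the way "-passin pass:..." does, and the key is
# decrypted exactly once instead of once per value we need from it.

# decrypt_key FILE PASSPHRASE -> prints the unencrypted PEM on stdout.
decrypt_key() {
    if grep -q 'ENCRYPTED' "$1"; then
        printf '%s\n' "$2" | openssl rsa -in "$1" -passin stdin 2>/dev/null
    else
        openssl rsa -in "$1" 2>/dev/null
    fi
}

# modulus_of PEM -> prints the modulus as hex (the "Modulus=" prefix stripped).
modulus_of() {
    printf '%s\n' "$1" | openssl rsa -noout -modulus 2>/dev/null | sed 's/^Modulus=//'
}

# bits_of HEXMODULUS -> key size in bits; the leading hex digit may not use
# all four bits, so it is counted separately.
bits_of() {
    hex="$1"
    rest="${hex#?}"                 # everything after the first hex digit
    first=$(printf '%.1s' "$hex")   # the first hex digit
    case "$first" in
        [89a-fA-F]) lead=4 ;; [4-7]) lead=3 ;; [23]) lead=2 ;; 1) lead=1 ;; *) lead=0 ;;
    esac
    echo $(( ${#rest} * 4 + lead ))
}

# key_info FILE PASSPHRASE -> prints "rsa BITS MODULUS" after one decryption,
# or returns 1 when the key cannot be decrypted (wrong passphrase, not RSA).
key_info() {
    plain=$(decrypt_key "$1" "$2") || return 1
    [ -n "$plain" ] || return 1
    mod=$(modulus_of "$plain")
    [ -n "$mod" ] || return 1
    echo "rsa $(bits_of "$mod") $mod"
}

# Interactive use: ask for the pass phrase exactly once, with echo turned off.
if [ -n "$1" ]; then
    printf 'Enter pass phrase for %s: ' "$1" >&2
    stty -echo; read -r pass; stty echo; printf '\n' >&2
    key_info "$1" "$pass"
fi
```

The blacklist lookup that openssl-vulnkey performs on the modulus is not reproduced here; the point is that all three values come out of one decryption and one prompt.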