exact insecurity of --bypass-security ?

Guus Sliepen guus at sliepen.eu.org
Wed Sep 3 08:25:04 CEST 2003


On Tue, Sep 02, 2003 at 09:47:47PM +0200, Dipl.-Ing. C. Lechleitner wrote:

> Unfortunately, I could only get the tinc VPN working using the --bypass-security
> parameter, without this switch I got "Bogus data from ... " messages in syslog.
> I have tried the statical linked 1.0.1 binary as well as a self compiled
> binary, both under SuSE 8.2.
> 
> The problem might be that tinc 1.0.1 relies on OpenSSL 0.9.7, while our SuSE
> systems use a SuSE patched 0.9.6i release (there are no OpenSSL 0.9.7 packages
> available for most Linux distributions).
> Of course I upgraded to 0.9.7 temporarily, just to be able to compile tinc
> myself, but I am not entirely sure if I had 0.9.7 (and only 0.9.7) active, and,
> it did not help.

It could be a problem caused by differing OpenSSL versions. But it could
also caused by putting a public or private key in the wrong place. Try
removing all the public/private keys and generate them again.

>   What _exactly_ are the consequences and risks of using --bypass-security ?

As Brian said, it disables authentication and encryption of the TCP
connections, and allows you to telnet to a tinc daemon and type
commands. It will still encrypt UDP packets, but since the key used to
encrypt those is sent via the unencrypted TCP connections, it's not
safe at all. There are other attacks possible as well. In short, never
use --bypass-security :)

-- 
Met vriendelijke groet / with kind regards,
    Guus Sliepen <guus at sliepen.eu.org>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : http://brouwer.uvt.nl/pipermail/tinc/attachments/20030903/bb47cb1e/attachment.pgp


More information about the Tinc mailing list