| Message ID | 20200313130133.19045-1-samuli@openvpn.net |
|---|---|
| State | Changes Requested |
| Series | [Openvpn-devel] Document some limitations of --auth-user-pass |
On 13/03/2020 14:01, samuli@openvpn.net wrote:
> From: Samuli Seppänen <samuli@openvpn.net>
>
> URL: https://community.openvpn.net/openvpn/ticket/757
> Signed-off-by: Samuli Seppänen <samuli@openvpn.net>
> ---
> doc/openvpn.8 | 6 ++++++
> 1 file changed, 6 insertions(+)
>
> diff --git a/doc/openvpn.8 b/doc/openvpn.8
> index 864f94e8..9e54890e 100644
> --- a/doc/openvpn.8
> +++ b/doc/openvpn.8
> @@ -4127,6 +4127,12 @@ The server configuration must specify an
> .B \-\-auth\-user\-pass\-verify
> script to verify the username/password provided by
> the client.
> +
> +Note that OpenVPN GUI on Windows does not prompt for the
> +password if the file contains only the username. However,
> +OpenVPN versions from 2.4 up bundle OpenVPN GUI version 11
> +which is able to cache usernames and passwords internally.
> +

Could we rephrase this, to not live in the past. This will go into master and
probably also release/2.4. I also doubt anyone using man pages on 2.3 would
even read this. If there are Windows users on 2.3, there is no excuse not to
upgrade - unless it's an enterprise deployment, where end users most likely
would not even care (they should anyway complain to their IT department
regardless, for using outdated security software).

I would just rephrase it to say:

OpenVPN GUI v11 and newer uses its own internal username/password storage
independent of the --auth-user-pass file provided. The file argument is
ignored on such installations.

(or something like that)
Hi,

On Mon, Mar 16, 2020 at 8:39 AM David Sommerseth
<openvpn@sf.lists.topphemmelig.net> wrote:
>
> On 13/03/2020 14:01, samuli@openvpn.net wrote:
> > From: Samuli Seppänen <samuli@openvpn.net>
> >
> > URL: https://community.openvpn.net/openvpn/ticket/757
> > Signed-off-by: Samuli Seppänen <samuli@openvpn.net>
> > ---
> > doc/openvpn.8 | 6 ++++++
> > 1 file changed, 6 insertions(+)
> >
> > diff --git a/doc/openvpn.8 b/doc/openvpn.8
> > index 864f94e8..9e54890e 100644
> > --- a/doc/openvpn.8
> > +++ b/doc/openvpn.8
> > @@ -4127,6 +4127,12 @@ The server configuration must specify an
> > .B \-\-auth\-user\-pass\-verify
> > script to verify the username/password provided by
> > the client.
> > +
> > +Note that OpenVPN GUI on Windows does not prompt for the
> > +password if the file contains only the username. However,
> > +OpenVPN versions from 2.4 up bundle OpenVPN GUI version 11
> > +which is able to cache usernames and passwords internally.
> > +
>
> Could we rephrase this, to not live in the past. This will go into master and
> probably also release/2.4. I also doubt anyone using man pages on 2.3 would
> even read this. If there are Windows users on 2.3, there is no excuse not to
> upgrade - unless it's an enterprise deployment, where end users most likely
> would not even care (they should anyway complain to their IT department
> regardless, for using outdated security software).
>
> I would just rephrase it to say:
>
> OpenVPN GUI v11 and newer uses its own internal username/password storage
> independent of the --auth-user-pass file provided. The file argument is
> ignored on such installations.

I wish it behaved like that. Unfortunately the file argument is not
ignored in such cases. If the file has only username, openvpn.exe
reads it from the file and then fails to prompt for password as there
is no console available.

I propose to change this behaviour to: if --management-query-passwords
is set (which the GUI does), ignore the file given in auth-user-pass
and prompt both username and password from management. I think it's
only logical for a later option (in this case the one set by the GUI)
to override a previous one. Anyway we do already ignore it if the file
is "stdin".

Selva
On 16/03/2020 14:48, Selva Nair wrote:
[...snip...]
>> I would just rephrase it to say:
>>
>> OpenVPN GUI v11 and newer uses its own internal username/password storage
>> independent of the --auth-user-pass file provided. The file argument is
>> ignored on such installations.
>
> I wish it behaved like that. Unfortunately the file argument is not
> ignored in such cases. If the file has only username, openvpn.exe
> reads it from the file and then fails to prompt for password as there
> is no console available.

Ouch ... that is a pointless misbehavior. Let's try to fix that.

> I propose to change this behaviour to: if --management-query-passwords
> is set (which the GUI does), ignore the file given in auth-user-pass
> and prompt both username and password from management. I think it's
> only logical for a later option (in this case the one set by the GUI)
> to override a previous one. Anyway we do already ignore it if the file
> is "stdin".

Agreed!
Hi,

On Tue, Mar 17, 2020 at 11:06:53AM +0100, David Sommerseth wrote:
> On 16/03/2020 14:48, Selva Nair wrote:
> [...snip...]
> >> I would just rephrase it to say:
> >>
> >> OpenVPN GUI v11 and newer uses its own internal username/password storage
> >> independent of the --auth-user-pass file provided. The file argument is
> >> ignored on such installations.
> >
> > I wish it behaved like that. Unfortunately the file argument is not
> > ignored in such cases. If the file has only username, openvpn.exe
> > reads it from the file and then fails to prompt for password as there
> > is no console available.
>
> Ouch ... that is a pointless misbehavior. Let's try to fix that.

Have you recovered from your latest adventures in "password query code
in OpenVPN" already? :-)

Not sure if the management commands permit the "we have a username but
no password" flow today... Arne, Selva?

But yes, this needs to be either a clear error, or "work correctly"

> > I propose to change this behaviour to: if --management-query-passwords
> > is set (which the GUI does), ignore the file given in auth-user-pass
> > and prompt both username and password from management. I think it's
> > only logical for a later option (in this case the one set by the GUI)
> > to override a previous one. Anyway we do already ignore it if the file
> > is "stdin".
>
> Agreed!

No, as this will break working configs *if* both username + password
are in the file (did we ever merge the "inline auth-user-pass" patch?).

gert
Hi,

On Tue, Mar 17, 2020 at 6:25 AM Gert Doering <gert@greenie.muc.de> wrote:
>
> Hi,
>
> On Tue, Mar 17, 2020 at 11:06:53AM +0100, David Sommerseth wrote:
> > On 16/03/2020 14:48, Selva Nair wrote:
> > [...snip...]
> > >> I would just rephrase it to say:
> > >>
> > >> OpenVPN GUI v11 and newer uses its own internal username/password storage
> > >> independent of the --auth-user-pass file provided. The file argument is
> > >> ignored on such installations.
> > >
> > > I wish it behaved like that. Unfortunately the file argument is not
> > > ignored in such cases. If the file has only username, openvpn.exe
> > > reads it from the file and then fails to prompt for password as there
> > > is no console available.
> >
> > Ouch ... that is a pointless misbehavior. Let's try to fix that.
>
> Have you recovered from your latest adventures in "password query code
> in OpenVPN" already? :-)
>
> Not sure if the management commands permit the "we have a username but
> no password" flow today... Arne, Selva?
>
> But yes, this needs to be either a clear error, or "work correctly"
>
> > > I propose to change this behaviour to: if --management-query-passwords
> > > is set (which the GUI does), ignore the file given in auth-user-pass
> > > and prompt both username and password from management. I think it's
> > > only logical for a later option (in this case the one set by the GUI)
> > > to override a previous one. Anyway we do already ignore it if the file
> > > is "stdin".
> >
> > Agreed!
>
> No, as this will break working configs *if* both username + password
> are in the file (did we ever merge the "inline auth-user-pass" patch?).

See the patch in mail for what looks like an acceptable solution to me.

Selva
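The resolution order the thread converges on (keep whatever the --auth-user-pass file supplies, prompt only for what is missing, and prefer the management interface over a console when --management-query-passwords is in effect), written out as an added C model for this thread. It is not OpenVPN's own code: every name in it (`resolve_auth_creds`, `auth_creds`, `cred_source`, `resolve_summary`) is hypothetical, and it assumes that the management interface can be asked for just the missing password, which is exactly the open question Gert raises above. It treats a file named "stdin" as "no file", as Selva notes OpenVPN already does.

```c
#include <stdio.h>
#include <string.h>

/* Where a credential was obtained from. Added illustration, not OpenVPN code. */
enum cred_source { SRC_NONE = 0, SRC_FILE = 1, SRC_MANAGEMENT = 2, SRC_CONSOLE = 3 };

enum auth_result { AUTH_OK = 0, AUTH_ERR_NO_PROMPT = 1 };

struct auth_creds {
    char username[128];
    char password[128];
    enum cred_source user_src;
    enum cred_source pass_src;
};

/* Copy one line of 'src' into 'dst' without its line ending (CRLF tolerated);
 * returns the start of the next line, or NULL once the input is exhausted. */
static const char *copy_line(const char *src, char *dst, size_t dstlen)
{
    size_t n, copy;
    if (src == NULL || *src == '\0') {
        dst[0] = '\0';
        return NULL;
    }
    n = strcspn(src, "\n");
    copy = n;
    if (copy > 0 && src[copy - 1] == '\r') {
        copy--;
    }
    if (copy >= dstlen) {
        copy = dstlen - 1;
    }
    memcpy(dst, src, copy);
    dst[copy] = '\0';
    return src[n] == '\n' ? src + n + 1 : src + n;
}

/* Where to prompt for a credential the file did not supply: management when
 * --management-query-passwords is set (the GUI case), else a console, else
 * nowhere. "Nowhere" becomes a clear error rather than a silent failure. */
static enum cred_source pick_prompt_source(int mgmt_query_passwords, int have_console)
{
    if (mgmt_query_passwords) {
        return SRC_MANAGEMENT;
    }
    if (have_console) {
        return SRC_CONSOLE;
    }
    return SRC_NONE;
}

/* Resolve username/password for --auth-user-pass. 'file_contents' is the text
 * of the credentials file (line 1 username, optional line 2 password); NULL or
 * "stdin" means no file. Only fields the file leaves empty are prompted for,
 * so a file carrying both values keeps working unchanged, and a username-only
 * file under the GUI gets its password from management, not from a console
 * that does not exist. */
enum auth_result resolve_auth_creds(const char *file_contents,
                                    int mgmt_query_passwords, int have_console,
                                    struct auth_creds *out)
{
    memset(out, 0, sizeof(*out));

    if (file_contents != NULL && strcmp(file_contents, "stdin") != 0) {
        const char *rest = copy_line(file_contents, out->username, sizeof(out->username));
        if (out->username[0] != '\0') {
            out->user_src = SRC_FILE;
        }
        copy_line(rest, out->password, sizeof(out->password));
        if (out->password[0] != '\0') {
            out->pass_src = SRC_FILE;
        }
    }

    if (out->user_src == SRC_NONE) {
        out->user_src = pick_prompt_source(mgmt_query_passwords, have_console);
        if (out->user_src == SRC_NONE) {
            return AUTH_ERR_NO_PROMPT;
        }
    }
    if (out->pass_src == SRC_NONE) {
        out->pass_src = pick_prompt_source(mgmt_query_passwords, have_console);
        if (out->pass_src == SRC_NONE) {
            return AUTH_ERR_NO_PROMPT;
        }
    }
    return AUTH_OK;
}

/* Compact summary for quick checks: result*100 + user_src*10 + pass_src. */
int resolve_summary(const char *file_contents, int mgmt_query_passwords, int have_console)
{
    struct auth_creds c;
    enum auth_result r = resolve_auth_creds(file_contents, mgmt_query_passwords, have_console, &c);
    return (int)r * 100 + (int)c.user_src * 10 + (int)c.pass_src;
}

int main(void)
{
    /* Constructed sample: username-only file, no console, management query
     * enabled as the GUI does (the case reported in the thread). */
    struct auth_creds c;
    enum auth_result r = resolve_auth_creds("alice\n", 1, 0, &c);
    printf("result=%d username=%s user_src=%d pass_src=%d\n",
           (int)r, c.username, (int)c.user_src, (int)c.pass_src);
    return 0;
}
```

The two cases that matter in the discussion are the second and third checks: a file with both lines never triggers a prompt (Gert's working configs stay working), while a username-only file with no console and no management interface now fails with an explicit error instead of a prompt that can never be answered.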
Hi,

On Fri, Mar 13, 2020 at 03:01:33PM +0200, samuli@openvpn.net wrote:
> From: Samuli Seppänen <samuli@openvpn.net>
>
> URL: https://community.openvpn.net/openvpn/ticket/757
> Signed-off-by: Samuli Seppänen <samuli@openvpn.net>
> ---

I'm going to mark that patch in patchwork as "changes requested", given
that Selva changed the issue towards "if this happens, we'll just ignore
the stored username and ask management for both user+password".

Not sure if we still need a documentation patch, but if we want one, it
will have to be different text :)

gert
diff --git a/doc/openvpn.8 b/doc/openvpn.8 index 864f94e8..9e54890e 100644 --- a/doc/openvpn.8 +++ b/doc/openvpn.8 @@ -4127,6 +4127,12 @@ The server configuration must specify an .B \-\-auth\-user\-pass\-verify script to verify the username/password provided by the client. + +Note that OpenVPN GUI on Windows does not prompt for the +password if the file contains only the username. However, +OpenVPN versions from 2.4 up bundle OpenVPN GUI version 11 +which is able to cache usernames and passwords internally. + .\"********************************************************* .TP .B \-\-auth\-retry type
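Review bot: the added paragraph documents a symptom as if it were a fixed limitation of OpenVPN GUI, but the thread shows the cause sits in openvpn.exe: with a username-only file the username is read from the file and the password prompt then goes to a console that does not exist under the GUI, even though --management-query-passwords is set. Once that prompting is corrected (or turned into a clear error, as Gert asks for) this text becomes wrong, so it should wait for that decision or state the mechanism rather than the GUI version, e.g. "If the file contains only a username, the password is prompted for interactively; on Windows under OpenVPN GUI no console is available for that prompt." The sentence about which GUI version 2.4 bundles is packaging detail that will date quickly and does not belong in the option description; the ticket URL already in the commit message is the right place for that history.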