[Openvpn-devel] Document some limitations of --auth-user-pass

Message ID 20200313130133.19045-1-samuli@openvpn.net
State Changes Requested
Headers show
Series
  • [Openvpn-devel] Document some limitations of --auth-user-pass
Related show

Commit Message

Samuli Seppänen March 13, 2020, 1:01 p.m.
From: Samuli Seppänen <samuli@openvpn.net>

URL: https://community.openvpn.net/openvpn/ticket/757
Signed-off-by: Samuli Seppänen <samuli@openvpn.net>
---
 doc/openvpn.8 | 6 ++++++
 1 file changed, 6 insertions(+)

Comments

David Sommerseth March 16, 2020, 12:37 p.m. | #1
On 13/03/2020 14:01, samuli@openvpn.net wrote:
> From: Samuli Seppänen <samuli@openvpn.net>
> 
> URL: https://community.openvpn.net/openvpn/ticket/757
> Signed-off-by: Samuli Seppänen <samuli@openvpn.net>
> ---
>  doc/openvpn.8 | 6 ++++++
>  1 file changed, 6 insertions(+)
> 
> diff --git a/doc/openvpn.8 b/doc/openvpn.8
> index 864f94e8..9e54890e 100644
> --- a/doc/openvpn.8
> +++ b/doc/openvpn.8
> @@ -4127,6 +4127,12 @@ The server configuration must specify an
>  .B \-\-auth\-user\-pass\-verify
>  script to verify the username/password provided by
>  the client.
> +
> +Note that OpenVPN GUI on Windows does not prompt for the
> +password if the file contains only the username. However,
> +OpenVPN versions from 2.4 up bundle OpenVPN GUI version 11
> +which is able to cache usernames and passwords internally.
> +

Could we rephrase this, to not live in the past.  This will go into master and
probably also release/2.4.  I also doubt anyone using man pages on 2.3 would
even read this.  If there are Windows users on 2.3, there are no excuse not to
upgrade - unless it's an enterprise deployment, where end users most likely
would not even care (they should anyway complain to their IT department
regardless, for using outdated security software).

I would just rephrase it to say:

  OpenVPN GUI v11 and newer uses its own internal username/password storage
  independent of the --auth-user-pass file provided.  The file argument is
  ignored on such installations.

(or something like that)
Selva Nair March 16, 2020, 1:48 p.m. | #2
Hi,

On Mon, Mar 16, 2020 at 8:39 AM David Sommerseth
<openvpn@sf.lists.topphemmelig.net> wrote:
>
> On 13/03/2020 14:01, samuli@openvpn.net wrote:
> > From: Samuli Seppänen <samuli@openvpn.net>
> >
> > URL: https://community.openvpn.net/openvpn/ticket/757
> > Signed-off-by: Samuli Seppänen <samuli@openvpn.net>
> > ---
> >  doc/openvpn.8 | 6 ++++++
> >  1 file changed, 6 insertions(+)
> >
> > diff --git a/doc/openvpn.8 b/doc/openvpn.8
> > index 864f94e8..9e54890e 100644
> > --- a/doc/openvpn.8
> > +++ b/doc/openvpn.8
> > @@ -4127,6 +4127,12 @@ The server configuration must specify an
> >  .B \-\-auth\-user\-pass\-verify
> >  script to verify the username/password provided by
> >  the client.
> > +
> > +Note that OpenVPN GUI on Windows does not prompt for the
> > +password if the file contains only the username. However,
> > +OpenVPN versions from 2.4 up bundle OpenVPN GUI version 11
> > +which is able to cache usernames and passwords internally.
> > +
>
> Could we rephrase this, to not live in the past.  This will go into master and
> probably also release/2.4.  I also doubt anyone using man pages on 2.3 would
> even read this.  If there are Windows users on 2.3, there are no excuse not to
> upgrade - unless it's an enterprise deployment, where end users most likely
> would not even care (they should anyway complain to their IT department
> regardless, for using outdated security software).
>
> I would just rephrase it to say:
>
>   OpenVPN GUI v11 and newer uses its own internal username/password storage
>   independent of the --auth-user-pass file provided.  The file argument is
>   ignored on such installations.

I wish it behaved  like that. Unfortunately the file argument is not
ignored in such cases. If the file has only username, openvpn.exe
reads it from the file and then fails to prompt for password as there
is no console available.

I propose to change this behaviour to: if --management-query-passwords
is set (which the GUI does), ignore the file given in auth-user-pass
and prompt both username and password from management. I think its
only logical for a later option (in this case the one set by the GUI)
to override a previous one. Anyway we do already ignore it if the file
is "stdin".

Selva
David Sommerseth March 17, 2020, 10:06 a.m. | #3
On 16/03/2020 14:48, Selva Nair wrote:
[...snip...]
>> I would just rephrase it to say:
>>
>>   OpenVPN GUI v11 and newer uses its own internal username/password storage
>>   independent of the --auth-user-pass file provided.  The file argument is
>>   ignored on such installations.
> 
> I wish it behaved  like that. Unfortunately the file argument is not
> ignored in such cases. If the file has only username, openvpn.exe
> reads it from the file and then fails to prompt for password as there
> is no console available.

Ouch ... that is a pointless misbehavior.  Lets try to fix that.

> I propose to change this behaviour to: if --management-query-passwords
> is set (which the GUI does), ignore the file given in auth-user-pass
> and prompt both username and password from management. I think its
> only logical for a later option (in this case the one set by the GUI)
> to override a previous one. Anyway we do already ignore it if the file
> is "stdin".

Agreed!
Gert Doering March 17, 2020, 10:25 a.m. | #4
Hi,

On Tue, Mar 17, 2020 at 11:06:53AM +0100, David Sommerseth wrote:
> On 16/03/2020 14:48, Selva Nair wrote:
> [...snip...]
> >> I would just rephrase it to say:
> >>
> >>   OpenVPN GUI v11 and newer uses its own internal username/password storage
> >>   independent of the --auth-user-pass file provided.  The file argument is
> >>   ignored on such installations.
> > 
> > I wish it behaved  like that. Unfortunately the file argument is not
> > ignored in such cases. If the file has only username, openvpn.exe
> > reads it from the file and then fails to prompt for password as there
> > is no console available.
> 
> Ouch ... that is a pointless misbehavior.  Lets try to fix that.

Have you recovered from your latest adventures in "password query code
in OpenVPN" already? :-)

Not sure if the management commands permit the "we have a username but
no password" flow today... Arne, Selva?

But yes, this needs to be either a clear error, or "work correctly"

> > I propose to change this behaviour to: if --management-query-passwords
> > is set (which the GUI does), ignore the file given in auth-user-pass
> > and prompt both username and password from management. I think its
> > only logical for a later option (in this case the one set by the GUI)
> > to override a previous one. Anyway we do already ignore it if the file
> > is "stdin".
> 
> Agreed!

No, as this will break working configs *if* both username + password 
are in the file (did we ever merge the "inline auth-user-pass" patch?).

gert
Selva Nair March 29, 2020, 8:43 p.m. | #5
Hi,

On Tue, Mar 17, 2020 at 6:25 AM Gert Doering <gert@greenie.muc.de> wrote:
>
> Hi,
>
> On Tue, Mar 17, 2020 at 11:06:53AM +0100, David Sommerseth wrote:
> > On 16/03/2020 14:48, Selva Nair wrote:
> > [...snip...]
> > >> I would just rephrase it to say:
> > >>
> > >>   OpenVPN GUI v11 and newer uses its own internal username/password storage
> > >>   independent of the --auth-user-pass file provided.  The file argument is
> > >>   ignored on such installations.
> > >
> > > I wish it behaved  like that. Unfortunately the file argument is not
> > > ignored in such cases. If the file has only username, openvpn.exe
> > > reads it from the file and then fails to prompt for password as there
> > > is no console available.
> >
> > Ouch ... that is a pointless misbehavior.  Lets try to fix that.
>
> Have you recovered from your latest adventures in "password query code
> in OpenVPN" already? :-)
>
> Not sure if the management commands permit the "we have a username but
> no password" flow today... Arne, Selva?
>
> But yes, this needs to be either a clear error, or "work correctly"
>
> > > I propose to change this behaviour to: if --management-query-passwords
> > > is set (which the GUI does), ignore the file given in auth-user-pass
> > > and prompt both username and password from management. I think its
> > > only logical for a later option (in this case the one set by the GUI)
> > > to override a previous one. Anyway we do already ignore it if the file
> > > is "stdin".
> >
> > Agreed!
>
> No, as this will break working configs *if* both username + password
> are in the file (did we ever merge the "inline auth-user-pass" patch?).

See the patch in mail for what looks like an acceptable solution to me.


Selva
Gert Doering April 15, 2020, 7:22 p.m. | #6
Hi,

On Fri, Mar 13, 2020 at 03:01:33PM +0200, samuli@openvpn.net wrote:
> From: Samuli Seppänen <samuli@openvpn.net>
> 
> URL: https://community.openvpn.net/openvpn/ticket/757
> Signed-off-by: Samuli Seppänen <samuli@openvpn.net>
> ---

I'm going to mark that patch in patchwork as "changes requested",
given that Selva changed the issue towards "if this happens, 
we'll just ignore the stored username and ask management for both 
user+password".

Not sure if we still need a documentation patch, but if we want one,
it will have to be different text :)

gert

Patch

diff --git a/doc/openvpn.8 b/doc/openvpn.8
index 864f94e8..9e54890e 100644
--- a/doc/openvpn.8
+++ b/doc/openvpn.8
@@ -4127,6 +4127,12 @@  The server configuration must specify an
 .B \-\-auth\-user\-pass\-verify
 script to verify the username/password provided by
 the client.
+
+Note that OpenVPN GUI on Windows does not prompt for the
+password if the file contains only the username. However,
+OpenVPN versions from 2.4 up bundle OpenVPN GUI version 11
+which is able to cache usernames and passwords internally.
+
 .\"*********************************************************
 .TP
 .B \-\-auth\-retry type