[Openvpn-devel,2/2] When auth-user-pass file has no password query the management interface (if available).

Message ID 1585963064-10311-2-git-send-email-selva.nair@gmail.com
State Accepted
Headers show
Series
  • [Openvpn-devel,for-2.4,1/2] Move querying username/password from management interface to a function
Related show

Commit Message

Selva Nair April 4, 2020, 1:17 a.m.
From: Selva Nair <selva.nair@gmail.com>

When only username is found in the file, redirect the auth-user-pass
query to the management interface if management-query-passwords is
enabled.  Otherwise the user is prompted on console, if available,
as before.

This changes the behaviour for those who run from the command line,
with --management-query-passwords, but still expect the prompt
on the console.

Note that the management interface will prompt for both username and
password ignoring the username read from the file. As most GUIs can
save the the username, this is a one-time inconvenience.

Currently, the password is queried on the console (or systemd)
in such cases. This is not sensible when console is not available
(windows GUI, tunnelblick etc.) or when the log is redirected
to a file on Windows (for some reason prompt goes to the log file).

Trac # 757

Signed-off-by: Selva Nair <selva.nair@gmail.com>
---
This may be cherry-picked from 57578310992d1fbe8eff97049087c5308089acb5
in master without conflicts.

 src/openvpn/misc.c | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

Comments

Gert Doering April 5, 2020, 8:25 a.m. | #1
HI,

On Fri, Apr 03, 2020 at 09:17:44PM -0400, selva.nair@gmail.com wrote:
> From: Selva Nair <selva.nair@gmail.com>
> 
> When only username is found in the file, redirect the auth-user-pass
> query to the management interface if management-query-passwords is
> enabled.  Otherwise the user is prompted on console, if available,
> as before.
[..]
> ---
> This may be cherry-picked from 57578310992d1fbe8eff97049087c5308089acb5
> in master without conflicts.

And this is what I've done.  So we have:

Acked-by: Gert Doering <gert@greenie.muc.de>

commit 2fe84732d19243df6c7713c185998507419155cd (HEAD -> release/2.4)
Author: Selva Nair <selva.nair@gmail.com>
Date:   Mon Mar 30 14:05:27 2020 -0400

    When auth-user-pass file has no password query the management interface
    (if available).

    Signed-off-by: Selva Nair <selva.nair@gmail.com>
    Acked-by: Gert Doering <gert@greenie.muc.de>
    Message-Id: <1585591527-23734-2-git-send-email-selva.nair@gmail.com>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19655.html
    Signed-off-by: Gert Doering <gert@greenie.muc.de>
    (cherry picked from commit 57578310992d1fbe8eff97049087c5308089acb5)


quick test build on MinGW and Linux just to ensure I didn't break
anything unexpected due to "different context in 2.4, some variables
not available" etc, but no :-)

thanks,

gert
Gert Doering April 5, 2020, 8:31 a.m. | #2
Hi,

On Sun, Apr 05, 2020 at 10:25:56AM +0200, Gert Doering wrote:
> On Fri, Apr 03, 2020 at 09:17:44PM -0400, selva.nair@gmail.com wrote:
> > From: Selva Nair <selva.nair@gmail.com>
> > 
> > When only username is found in the file, redirect the auth-user-pass
> > query to the management interface if management-query-passwords is
> > enabled.  Otherwise the user is prompted on console, if available,
> > as before.
> [..]
> > ---
> > This may be cherry-picked from 57578310992d1fbe8eff97049087c5308089acb5
> > in master without conflicts.
> 
> And this is what I've done.  So we have:
> 
> Acked-by: Gert Doering <gert@greenie.muc.de>
> 
> commit 2fe84732d19243df6c7713c185998507419155cd (HEAD -> release/2.4)
> Author: Selva Nair <selva.nair@gmail.com>
> Date:   Mon Mar 30 14:05:27 2020 -0400

Shouldn't do early sunday morning merges - one of the main points of
asking for a 2.4-specific commit was "Changes.rst", which needs to be
updated to document changed behaviour...  which I had forgotten again.

I'll do this on the "prepare for 2.4.9 release" commit now, but would
really prefer to have it in the commit that contains the actual change
(if feasible).

gert

Patch

diff --git a/src/openvpn/misc.c b/src/openvpn/misc.c
index 2b0d10c..9c5e96e 100644
--- a/src/openvpn/misc.c
+++ b/src/openvpn/misc.c
@@ -1030,6 +1030,22 @@  get_user_pass_cr(struct user_pass *up,
             {
                 strncpy(up->password, password_buf, USER_PASS_LEN);
             }
+            /* The auth-file does not have the password: get both username
+             * and password from the management interface if possible.
+             * Otherwise set to read password from console.
+             */
+#if defined(ENABLE_MANAGEMENT)
+            else if (management
+                     && (flags & GET_USER_PASS_MANAGEMENT)
+                     && management_query_user_pass_enabled(management))
+            {
+                msg(D_LOW, "No password found in %s authfile '%s'. Querying the management interface", prefix, auth_file);
+                if (!auth_user_pass_mgmt(up, prefix, flags, auth_challenge))
+                {
+                    return false;
+                }
+            }
+#endif
             else
             {
                 password_from_stdin = 1;