From patchwork Thu Mar 4 00:40:18 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Arne Schwabe X-Patchwork-Id: 1604 Return-Path: Delivered-To: patchwork@openvpn.net Delivered-To: patchwork@openvpn.net Received: from director12.mail.ord1d.rsapps.net ([172.28.255.1]) by backend30.mail.ord1d.rsapps.net with LMTP id AMFkJXbHQGAlCAAAIUCqbw (envelope-from ) for ; Thu, 04 Mar 2021 06:41:42 -0500 Received: from proxy6.mail.ord1c.rsapps.net ([172.28.255.1]) by director12.mail.ord1d.rsapps.net with LMTP id aMNFJXbHQGDxegAAIasKDg (envelope-from ) for ; Thu, 04 Mar 2021 06:41:42 -0500 Received: from smtp25.gate.ord1c ([172.28.255.1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by proxy6.mail.ord1c.rsapps.net with LMTPS id 0FD7JHbHQGBPZAAA9sKXow (envelope-from ) for ; Thu, 04 Mar 2021 06:41:42 -0500 X-Spam-Threshold: 95 X-Spam-Score: 0 X-Spam-Flag: NO X-Virus-Scanned: OK X-Orig-To: openvpnslackdevel@openvpn.net X-Originating-Ip: [216.105.38.7] Authentication-Results: smtp25.gate.ord1c.rsapps.net; iprev=pass policy.iprev="216.105.38.7"; spf=pass smtp.mailfrom="openvpn-devel-bounces@lists.sourceforge.net" smtp.helo="lists.sourceforge.net"; dkim=fail (signature verification failed) header.d=sourceforge.net; dkim=fail (signature verification failed) header.d=sf.net; dmarc=none (p=nil; dis=none) header.from=rfc2549.org X-Suspicious-Flag: YES X-Classification-ID: 96735fda-7cde-11eb-9db0-b8ca3a673c88-1-1 Received: from [216.105.38.7] ([216.105.38.7:42888] helo=lists.sourceforge.net) by smtp25.gate.ord1c.rsapps.net (envelope-from ) (ecelerity 4.2.38.62370 r(:)) with ESMTPS (cipher=DHE-RSA-AES256-GCM-SHA384) id F3/2C-30106-577C0406; Thu, 04 Mar 2021 06:41:41 -0500 Received: from [127.0.0.1] (helo=sfs-ml-2.v29.lw.sourceforge.com) by sfs-ml-2.v29.lw.sourceforge.com with esmtp (Exim 4.90_1) (envelope-from ) id 1lHmLH-000713-58; Thu, 04 Mar 2021 11:40:31 +0000 Received: from [172.30.20.202] (helo=mx.sourceforge.net) by sfs-ml-2.v29.lw.sourceforge.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.90_1) (envelope-from ) id 1lHmLG-00070v-39 for openvpn-devel@lists.sourceforge.net; Thu, 04 Mar 2021 11:40:30 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=References:In-Reply-To:Message-Id:Date:Subject:To: From:Sender:Reply-To:Cc:MIME-Version:Content-Type:Content-Transfer-Encoding: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=2e3HRlbjH3ZWsi7ljiN5XJrtrkcmXAnwf+FwlJoWjI0=; b=F/j8E5hkwp5kbbQ6Sfl48UYj/J oQEYsSI9tPjuLvauPUqIsUg7mGGPGsMWEm5uZSNytwPljCmkKszcmeN3mpA6/H/l9A8gDTUoqXMDp qdDA1Txir9ibuybNzZh1R5ETjqlt8HmmVTUyXHZVMKBmXH5A8gI96VqToMFnsSE/Q9s8=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=References:In-Reply-To:Message-Id:Date:Subject:To:From:Sender:Reply-To:Cc :MIME-Version:Content-Type:Content-Transfer-Encoding:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=2e3HRlbjH3ZWsi7ljiN5XJrtrkcmXAnwf+FwlJoWjI0=; b=C5a7SqPJoAPiLXOCP1L0It/EA0 nhP/87N47rl0BIJ1G0hpmbQFY8kwlgKv0H69YJP+y2G/cSqPFOZhL9awl1TMir8Onj8sjP73PehmP SiVzhuvrlw50g6FEY344xdx6pL4/ceG07PjfIyisFrPdrg7DZYqpxdLpRY1gUHxMsqgU=; Received: from mail.blinkt.de ([192.26.174.232]) by sfi-mx-2.v28.lw.sourceforge.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.92.3) id 1lHmLC-0004Pw-59 for openvpn-devel@lists.sourceforge.net; Thu, 04 Mar 2021 11:40:30 +0000 Received: from kamera.blinkt.de ([2001:638:502:390:20c:29ff:fec8:535c]) by mail.blinkt.de with smtp (Exim 4.94 (FreeBSD)) (envelope-from ) id 1lHmL4-000NXy-TS for openvpn-devel@lists.sourceforge.net; Thu, 04 Mar 2021 12:40:18 +0100 Received: (nullmailer pid 8488 invoked by uid 10006); Thu, 04 Mar 2021 11:40:18 -0000 From: Arne Schwabe To: openvpn-devel@lists.sourceforge.net Date: Thu, 4 Mar 2021 12:40:18 +0100 Message-Id: <20210304114018.8442-1-arne@rfc2549.org> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20210125125628.30364-12-arne@rfc2549.org> References: <20210125125628.30364-12-arne@rfc2549.org> X-Spam-Report: Spam Filtering performed by mx.sourceforge.net. See http://spamassassin.org/tag/ for more details. 0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [URIs: rfc2549.org] 0.2 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail domains are different 0.0 SPF_NONE SPF: sender does not publish an SPF Record 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record X-Headers-End: 1lHmLC-0004Pw-59 Subject: [Openvpn-devel] [PATCH v3] Add example script demonstrating TOTP via auth-pending X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox Signed-off-by: Arne Schwabe Patch v3: Some minor cleanups in the script (rename CNs, add more comments) Signed-off-by: Arne Schwabe Acked-By: David Sommerseth --- doc/man-sections/script-options.rst | 3 + sample/sample-scripts/totpauth.py | 111 ++++++++++++++++++++++++++++ 2 files changed, 114 insertions(+) create mode 100755 sample/sample-scripts/totpauth.py diff --git a/doc/man-sections/script-options.rst b/doc/man-sections/script-options.rst index f48e5818..6517f847 100644 --- a/doc/man-sections/script-options.rst +++ b/doc/man-sections/script-options.rst @@ -147,6 +147,9 @@ SCRIPT HOOKS :code:`auth_control_file or further defer it. See ``--auth-user-pass-verify`` for details. + For a sample script that implement TOTP (RFC 6238) based two-factor + authentication, see :code:`sample-scripts/totp.py`. + --client-connect cmd Run command ``cmd`` on client connection. diff --git a/sample/sample-scripts/totpauth.py b/sample/sample-scripts/totpauth.py new file mode 100755 index 00000000..2991d659 --- /dev/null +++ b/sample/sample-scripts/totpauth.py @@ -0,0 +1,111 @@ +#! /usr/bin/python3 +# Copyright (c) 2021 OpenVPN Inc +# Copyright (c) 2021 Arne Schwabe +# +# Permission is hereby granted, free of charge, to any person obtaining a copy +# of this software and associated documentation files (the "Software"), to deal +# in the Software without restriction, including without limitation the rights +# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +# copies of the Software, and to permit persons to whom the Software is +# furnished to do so, subject to the following conditions: +# +# The above copyright notice and this permission notice shall be included in all +# copies or substantial portions of the Software. +# +# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +# SOFTWARE. + +import sys +import os +from base64 import standard_b64decode + +import pyotp + +# Example script demonstrating how to use the auth-pending API in +# OpenVPN. This script is provided under MIT license to allow easy +# modification for other purposes. +# +# This needs support of crtext support on the client (e.g. OpenVPN for Android) +# See also the management-notes.txt file for more information about the auth pending +# protocol +# +# To use this script add the following lines in the openvpn config + +# client-crresponse /path/to/totpauth.py +# auth-user-pass-verify /path/to/totpauth.py via-file +# auth-user-pass-optional +# auth-gen-token + +# Note that this script does NOT verify username/password +# It is only meant for querying additional 2FA when certificates are +# used to authenticate + + +# For this demo script we hardcode the TOTP secrets in a simple dictionary. +secrets = {"Test-Client": "OS6JDNRK2BNUPQVX", + "Client-2": "IXWEMP7SK2QWSHTG"} + + +def main(): + # Get common name and script type from environment + script_type = os.environ['script_type'] + cn = os.environ['common_name'] + + if script_type == 'user-pass-verify': + # signal text based challenge response + if cn in secrets: + extra = "CR_TEXT:E,R:Please enter your TOTP code!" + write_auth_pending(300, 'crtext', extra) + + # Signal authentication being deferred + sys.exit(2) + else: + # For unknown CN we report failure. Change to 0 + # to allow CNs without secret to auth without 2FA + sys.exit(1) + + elif script_type == 'client-crresponse': + response = None + + # Read the crresponse from the argument file + # and convert it into text. A failure because of bad user + # input (e.g. invalid base64) will make the script throw + # an error and make OpenVPN return AUTH_FAILED + with open(sys.argv[1], 'r') as crinput: + response = crinput.read() + response = standard_b64decode(response) + response = response.decode().strip() + + if cn not in secrets: + write_auth_control(1) + return + + totp = pyotp.TOTP(secrets[cn]) + + # Check if the code is valid (and also allow code +/-1) + if totp.verify(response, valid_window=1): + write_auth_control(1) + else: + write_auth_control(0) + else: + print(f"Unknown script type {script_type}") + sys.exit(1) + + +def write_auth_control(status): + with open(os.environ['auth_control_file'], 'w') as auth_control: + auth_control.write("%d" % status) + + +def write_auth_pending(timeout, method, extra): + with open(os.environ['auth_pending_file'], 'w') as auth_pending: + auth_pending.write("%d\n%s\n%s" % (timeout, method, extra)) + + +if __name__ == '__main__': + main()