[Openvpn-devel] Document ">PASSWORD:Auth-Token" real-time message

Message ID 20171011134530.6676-1-simon@rozman.si
State Accepted
Delegated to: David Sommerseth
Series
  • [Openvpn-devel] Document ">PASSWORD:Auth-Token" real-time message

Commit Message

Simon Rozman Oct. 11, 2017, 1:45 p.m.
From: Simon Rozman <simon@rozman.si>

Authentication tokens are a security enhancement eliminating the client's
need to cache passwords, and are indispensable for two-factor
authentication methods, such as HOTP or TOTP.

The ">PASSWORD:Auth-Token" message was not mentioned anywhere in
the OpenVPN Management Interface Notes. This patch adds a simple use
case example, while the more detailed feature description remains
explained in the OpenVPN manual.
---
 doc/management-notes.txt | 7 +++++++
 1 file changed, 7 insertions(+)

Comments

David Sommerseth Oct. 12, 2017, 9:12 a.m. | #1
Hi Simon,

Really great to see all your patches!  Thanks a lot!


On 11/10/17 15:45, simon@rozman.si wrote:
> From: Simon Rozman <simon@rozman.si>
> 
> Authentication tokens are a security enhancement eliminating the client's
> need to cache passwords, and are indispensable for two-factor
> authentication methods, such as HOTP or TOTP.
> 
> The ">PASSWORD:Auth-Token" message was not mentioned anywhere in
> the OpenVPN Management Interface Notes. This patch adds a simple use
> case example, while the more detailed feature description remains
> explained in the OpenVPN manual.
> ---
>  doc/management-notes.txt | 7 +++++++
>  1 file changed, 7 insertions(+)
> 
> diff --git a/doc/management-notes.txt b/doc/management-notes.txt
> index 0e7a7d4..c31ff5c 100644
> --- a/doc/management-notes.txt
> +++ b/doc/management-notes.txt
> @@ -317,6 +317,13 @@ COMMAND -- password and username
>  
>      >PASSWORD:Verification Failed: 'custom server-generated string'
>  
> +  Example 6: If server pushes --auth-token to the client, the OpenVPN
> +  will produce a real-time PASSWORD message:
> +
> +    >PASSWORD:Auth-Token:foobar
> +
> +  The client should replace the local password with the "foobar".
> +
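Review bot: the last added line of this hunk, `The client should replace the local password with the "foobar".`, turns a message-format example into a behavioural requirement for management clients, and it no longer matches the behaviour described in this thread, where the OpenVPN core caches the token itself (also under --auth-nocache) as of 2.4.4 and a management client may simply ignore the line; drop that sentence and document only the format, or qualify it as pre-2.4.4 behaviour.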

This area is part of the code I've been involved with fairly recently.

You are not incorrect, and this was the behaviour until we released
OpenVPN 2.4.4.  As of v2.4.4, the >PASSWORD: line will be sent to the
management interface, but the code which implements usage of the
management interface can basically ignore it.  The caching of the
token is now handled properly by the OpenVPN core, even if you are using
--auth-nocache in the client config.

(Quick remark: it seems we did not fix this issue in v2.3 at all; it
only has a partial fix and is lacking a backport of commit 3322c558fa7)

We might actually consider removing the >PASSWORD: response in the future.

I can give this patch an ACK if we just remove the line about "replacing
the local password".  For me, that can be done on the fly at commit time
in this case.
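The two ">PASSWORD:" line shapes from the hunk above, handled by a small management-client line parser. This is an added example, not OpenVPN's or the eduVPN client's code; the transcript it replays is constructed, and the handler keeps the token in memory and out of its event log, which is all a client talking to 2.4.4 or later needs to do since the core caches the token itself.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Line shapes taken from the management-notes.txt hunk in this thread.
AUTH_TOKEN_RE = re.compile(r"^>PASSWORD:Auth-Token:(.*)$")
VERIFY_FAILED_RE = re.compile(r"^>PASSWORD:Verification Failed: '(.*)'$")

@dataclass
class AuthState:
    token: Optional[str] = None          # held in memory only, never persisted
    last_failure: Optional[str] = None
    events: List[str] = field(default_factory=list)  # redacted audit trail

def handle_management_line(line: str, state: AuthState) -> str:
    """Classify one management-socket line, update state, return an event tag."""
    line = line.rstrip("\r\n")
    if not line.startswith(">"):
        return "command-reply"           # synchronous reply, not a real-time message
    m = AUTH_TOKEN_RE.match(line)
    if m:
        # Server pushed --auth-token: this now stands in for the user's password.
        # On OpenVPN 2.4.4+ the core caches it itself, so a client may ignore it.
        state.token = m.group(1)
        state.events.append("auth-token:<redacted>")   # never log the token value
        return "auth-token"
    m = VERIFY_FAILED_RE.match(line)
    if m:
        state.last_failure = m.group(1)  # server-generated string, fine to log
        state.events.append("verification-failed:" + m.group(1))
        return "verification-failed"
    if line.startswith(">PASSWORD:"):
        return "password-other"          # e.g. a username/password prompt
    return "other-realtime"              # >INFO:, >STATE:, ... not handled here

def replay(lines: List[str]) -> AuthState:
    state = AuthState()
    for line in lines:
        handle_management_line(line, state)
    return state

# Constructed sample transcript (an assumption, not a real capture).
SAMPLE_LINES = [
    ">INFO:OpenVPN Management Interface Version 1 -- type 'help' for more info",
    ">PASSWORD:Verification Failed: 'custom server-generated string'",
    ">PASSWORD:Auth-Token:foobar",
]
```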
Simon Rozman Oct. 12, 2017, 9:35 a.m. | #2
Hi,

> Really great to see all your patches!  Thanks a lot!

I have a strong motivation for it, as I am planning some future changes for 
openvpnserv.exe. It would help me to keep in sync with the official OpenVPN source 
base if the majority of base issues MSVC has with the OpenVPN sources are resolved 
first.

Or perhaps the change I am planning for openvpnserv.exe is aligned with the 
OpenVPN dev team and it might get integrated at some point. But that's a discussion for 
a separate thread.

> This area is part of the code I've been involved with fairly recently.
>
> You are not incorrect, and this was the behaviour until we released OpenVPN
> 2.4.4.  As of v2.4.4, the >PASSWORD: line will be sent to the management
> interface, but the code which implements usage of the management
> interface can basically ignore it.  The caching of the token is now handled
> properly by the OpenVPN core, even if you are using --auth-nocache in the
> client config.

Thank you for notifying me of this. I haven't had time to test eduVPN Client 
(which currently does handle ">PASSWORD:Auth-Token" messages) with 2.4.4 yet.

> I can give this patch an ACK if we just remove the line about "replacing the
> local password".  For me, that can be done on the fly at commit time in this
> case.

Yes, please.

Best regards,
Simon
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
Gert Doering Nov. 4, 2017, 6:50 p.m. | #3
Applied with the change proposed by David (removing the last sentence).

Thanks.

Your patch has been applied to the master and release/2.4 branch.

commit a294cd65f6c61d41e1b7584b07295aba73aeb4cb (master)
commit a255c3b2a77b282fcf1a8cba9d7ec34d48bfd0ed (release/2.4)
Author: Simon Rozman
Date:   Wed Oct 11 15:45:30 2017 +0200

     Document 

     Acked-by: David Sommerseth <davids@openvpn.net>
     Message-Id: <20171011134530.6676-1-simon@rozman.si>
     URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15599.html
     Signed-off-by: Gert Doering <gert@greenie.muc.de>


--
kind regards,

Gert Doering



Patch

diff --git a/doc/management-notes.txt b/doc/management-notes.txt
index 0e7a7d4..c31ff5c 100644
--- a/doc/management-notes.txt
+++ b/doc/management-notes.txt
@@ -317,6 +317,13 @@  COMMAND -- password and username
 
     >PASSWORD:Verification Failed: 'custom server-generated string'
 
+  Example 6: If server pushes --auth-token to the client, the OpenVPN
+  will produce a real-time PASSWORD message:
+
+    >PASSWORD:Auth-Token:foobar
+
+  The client should replace the local password with the "foobar".
+
 COMMAND -- forget-passwords
 ---------------------------
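Review bot: Example 6 shows the message but not how to read it: `>PASSWORD:Auth-Token:foobar` carries the token as the whole remainder of the line after the `Auth-Token:` prefix, and, being a real-time message, it can arrive at any time rather than as the reply to a command, so add one sentence stating both. Minor wording: "If server pushes --auth-token to the client, the OpenVPN will produce" should read "If the server pushes --auth-token to the client, OpenVPN will produce".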