| Message ID | 20171011134530.6676-1-simon@rozman.si |
|---|---|
| State | Accepted |
| Delegated to | David Sommerseth |
| Series | [Openvpn-devel] Document ">PASSWORD:Auth-Token" real-time message |
Hi Simon,

Really great to see all your patches! Thanks a lot!

On 11/10/17 15:45, simon@rozman.si wrote: > From: Simon Rozman <simon@rozman.si> > > Authentication tokens are security enhancement eliminating client > need to cache passwords, and are indispensable at two factor > authentication methods, such as HOTP or TOTP. > > The ">PASSWORD:Auth-Token" message was not mentioned anywhere in > the OpenVPN Management Interface Notes. This patch adds a simple use > case example, while the more detailed feature description remains > explained in the OpenVPN manual. > --- > doc/management-notes.txt | 7 +++++++ > 1 file changed, 7 insertions(+) > > diff --git a/doc/management-notes.txt b/doc/management-notes.txt > index 0e7a7d4..c31ff5c 100644 > --- a/doc/management-notes.txt > +++ b/doc/management-notes.txt > @@ -317,6 +317,13 @@ COMMAND -- password and username > > >PASSWORD:Verification Failed: 'custom server-generated string' > > + Example 6: If server pushes --auth-token to the client, the OpenVPN > + will produce a real-time PASSWORD message: > + > + >PASSWORD:Auth-Token:foobar > + > + The client should replace the local password with the "foobar". > +

This area is part of the code I've been involved with fairly recently.

You are not incorrect, and this was the behaviour until we released OpenVPN 2.4.4. As of v2.4.4, the >PASSWORD: line will be sent to the management interface, but the code which implements usage of the management interface can basically ignore it. The caching of the token is now handled properly by the OpenVPN core, also if you are using --auth-nocache in the client config.

(Quick remark, it seems we did not fix this issue in v2.3 at all, it only has a partial fix but is lacking a backport of commit 3322c558fa7)

We might actually consider removing the >PASSWORD: response in the future.

I can give this patch an ACK if we just remove the line about "replacing the local password". For me, that can be done on-the-fly at commit time in this case.
Hi,

> Really great to see all your patches! Thanks a lot!

I have a strong motivation for it, as I am planning some future changes for openvpnserv.exe. It would help me to keep in sync with the official OpenVPN source base if the majority of base issues MSVC has with OpenVPN sources is resolved first. Or perhaps the change I am planning for openvpnserv.exe is aligned with the OpenVPN dev team and it might get integrated once. But that's a discussion for a separate thread.

> This area is part of the code I've been involved with fairly recently.
>
> You are not incorrect, and this was the behaviour until we released OpenVPN
> 2.4.4. As of v2.4.4, the >PASSWORD: line will be sent to the management
> interface, but the code which implements usage of the management
> interface can basically ignore it. The caching of the token is now handled
> properly by the OpenVPN core, also if you are using --auth-nocache in the
> client config.

Thank you for notifying me of this. I haven't had time to test eduVPN Client (which currently does handle ">PASSWORD:Auth-Token" messages) with 2.4.4 yet.

> I can give this patch an ACK if we just remove the line about "replacing the
> local password". For me, that can be done on-the-fly on commit time in this
> case.

Yes, please.

Best regards,
Simon

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot
Applied with the change proposed by David (removing the last sentence). Thanks.

Your patch has been applied to the master and release/2.4 branch.

commit a294cd65f6c61d41e1b7584b07295aba73aeb4cb (master)
commit a255c3b2a77b282fcf1a8cba9d7ec34d48bfd0ed (release/2.4)
Author: Simon Rozman
Date: Wed Oct 11 15:45:30 2017 +0200

    Document

    Acked-by: David Sommerseth <davids@openvpn.net>
    Message-Id: <20171011134530.6676-1-simon@rozman.si>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15599.html
    Signed-off-by: Gert Doering <gert@greenie.muc.de>

--
kind regards,

Gert Doering
diff --git a/doc/management-notes.txt b/doc/management-notes.txt index 0e7a7d4..c31ff5c 100644 --- a/doc/management-notes.txt +++ b/doc/management-notes.txt @@ -317,6 +317,13 @@ COMMAND -- password and username >PASSWORD:Verification Failed: 'custom server-generated string' + Example 6: If server pushes --auth-token to the client, the OpenVPN + will produce a real-time PASSWORD message: + + >PASSWORD:Auth-Token:foobar + + The client should replace the local password with the "foobar". + COMMAND -- forget-passwords ---------------------------
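Review bot: the last added line, 'The client should replace the local password with the "foobar".', instructs management clients to do something the OpenVPN core already handles as of 2.4.4 (David notes in the thread that the pushed token is cached by the core even with --auth-nocache, so the management side can ignore the message); suggest dropping that sentence, as he proposed, or rewording it to say the token is informational. Minor wording in the same hunk: 'the OpenVPN will produce' should read 'OpenVPN will produce', and 'If server pushes' should be 'If the server pushes'.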
From: Simon Rozman <simon@rozman.si>

Authentication tokens are a security enhancement eliminating the client's need to cache passwords, and are indispensable for two-factor authentication methods, such as HOTP or TOTP.

The ">PASSWORD:Auth-Token" message was not mentioned anywhere in the OpenVPN Management Interface Notes. This patch adds a simple use case example, while the more detailed feature description remains explained in the OpenVPN manual.

---
doc/management-notes.txt | 7 +++++++
1 file changed, 7 insertions(+)
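The patch documents only the shape of the real-time message; the thread's actual point is what a management client should do with it. The following is an added example (not OpenVPN's, eduVPN's, or the patch author's code) of a small management-interface client that classifies ">PASSWORD:" lines, answers the credential prompt with the documented `username`/`password` commands, and records a pushed Auth-Token without overwriting the local password, matching David's note that the core caches the token itself from 2.4.4 on. It assumes the ">PASSWORD:Need 'Auth' username/password" prompt form and the backslash-escaping rule for quoted command arguments as described elsewhere in management-notes.txt (neither is on this page), and the sample session lines are constructed, not captured from a real instance.

```python
"""Handle OpenVPN management-interface ">PASSWORD:" real-time messages.

Added example, not OpenVPN project code. Assumptions: the "Need '...'"
prompt format and the backslash quoting rule come from management-notes.txt;
the sample lines below are constructed.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# ">PASSWORD:Auth-Token:" and ">PASSWORD:Verification Failed:" appear in the
# patch; the ">PASSWORD:Need '...'" prompt is assumed from the wider notes.
NEED_RE = re.compile(r"^>PASSWORD:Need '([^']+)' (.+)$")
AUTH_TOKEN_PREFIX = ">PASSWORD:Auth-Token:"
VERIFY_FAILED_RE = re.compile(r"^>PASSWORD:Verification Failed: '(.*)'$")


@dataclass
class PasswordEvent:
    kind: str                        # "need", "auth-token", "verification-failed", "other"
    type_name: Optional[str] = None  # credential type, e.g. 'Auth' or 'Private Key'
    detail: str = ""                 # prompt text, token value, or server string


def parse_password_line(line: str) -> Optional[PasswordEvent]:
    """Classify one line from the management socket; None if not a PASSWORD message."""
    line = line.rstrip("\r\n")
    if not line.startswith(">PASSWORD:"):
        return None
    m = NEED_RE.match(line)
    if m:
        return PasswordEvent("need", m.group(1), m.group(2))
    if line.startswith(AUTH_TOKEN_PREFIX):
        return PasswordEvent("auth-token", detail=line[len(AUTH_TOKEN_PREFIX):])
    m = VERIFY_FAILED_RE.match(line)
    if m:
        return PasswordEvent("verification-failed", detail=m.group(1))
    return PasswordEvent("other", detail=line)


def quote_arg(value: str) -> str:
    """Quote a management command argument, escaping backslash and double quote."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


@dataclass
class ManagementClient:
    username: str
    password: str
    last_token: Optional[str] = None
    failures: List[str] = field(default_factory=list)
    sent: List[str] = field(default_factory=list)  # commands that would go to the socket

    def handle(self, line: str) -> Optional[PasswordEvent]:
        ev = parse_password_line(line)
        if ev is None:
            return None
        if ev.kind == "need":
            self.sent.append(f"username {quote_arg(ev.type_name)} {quote_arg(self.username)}")
            self.sent.append(f"password {quote_arg(ev.type_name)} {quote_arg(self.password)}")
        elif ev.kind == "auth-token":
            # Record that a token was pushed but leave the local password alone:
            # OpenVPN >= 2.4.4 caches the token in the core (even with
            # --auth-nocache), so this message is informational here.
            self.last_token = ev.detail
        elif ev.kind == "verification-failed":
            self.failures.append(ev.detail)
        return ev


def redact(ev: PasswordEvent) -> str:
    """Log-safe rendering: the token is a credential and must not reach logs."""
    if ev.kind == "auth-token":
        return f"auth-token received ({len(ev.detail)} chars)"
    return f"{ev.kind}: {ev.detail}"


# Constructed sample session (not captured from a real OpenVPN instance).
SAMPLE_LINES = [
    ">INFO:OpenVPN Management Interface Version 1 -- type 'help' for more info",
    ">PASSWORD:Need 'Auth' username/password",
    ">PASSWORD:Auth-Token:foobar",
    ">PASSWORD:Verification Failed: 'custom server-generated string'",
]


def run_sample() -> ManagementClient:
    client = ManagementClient(username="alice", password='p"ss\\word')
    for line in SAMPLE_LINES:
        ev = client.handle(line)
        if ev is not None:
            print(redact(ev))
    return client


if __name__ == "__main__":
    c = run_sample()
    print("commands sent:", c.sent)
```

Note that `redact` is used for any logging path: the token replaces the password for the rest of the session, so it deserves the same handling the password gets.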