From patchwork Wed Apr 4 02:13:57 2018
X-Patchwork-Submitter: David Sommerseth
X-Patchwork-Id: 289
From: David Sommerseth
To: openvpn-devel@lists.sourceforge.net
Date: Wed, 4 Apr 2018 14:13:57 +0200
Message-Id: <20180404121357.2126-1-davids@openvpn.net>
X-Mailer: git-send-email 2.16.2
Subject: [Openvpn-devel] [PATCH] man: Improve token based authentication

Be more explicit that --auth-gen-token is to be considered a workaround
for authentication scripts/plug-ins not supporting --auth-token.

Also be more explicit that invalidated --auth-token values will result
in the client disconnecting.

Signed-off-by: David Sommerseth
---
 doc/openvpn.8 | 32 ++++++++++++++++++++++++++++----
 1 file changed, 28 insertions(+), 4 deletions(-)

diff --git a/doc/openvpn.8 b/doc/openvpn.8
index 4114f408..b6de2c9c 100644
--- a/doc/openvpn.8
+++ b/doc/openvpn.8
@@ -3671,10 +3671,25 @@ argument defines how long the generated token is valid. The lifetime is defined in seconds. If lifetime is not set or it is set to 0, the token will never expire. -This feature is useful for environments which is configured -to use One Time Passwords (OTP) as part of the user/password -authentications and that authentication mechanism does not -implement any auth\-token support. +.B PLEASE NOTE: +The +.B \-\-auth\-gen\-token +feature is to be considered a workaround for authentication +scripts or plug\-ins not providing proper +.B auth\-token +support. The +.B auth\-token +feature is most commonly needed when deploying two factor +authentications, such as One Time Password (OTP) based +authentication. Proper authentication scripts/plug\-ins should +implement support for generating, sending and verifying +.B auth\-token +values sent to successfully authenticated clients, and particularly +when OTP authentication is required. + +See also +.B \-\-auth\-token +for more details. .\"********************************************************* .TP .B \-\-opt\-verify @@ -5291,6 +5306,15 @@ OPENVPN_PLUGIN_CLIENT_CONNECT_V2 calls. This option provides a possibility to replace the clients password with an authentication token during the lifetime of the OpenVPN client. +.B BEWARE: +Clients which has received an +.B auth\-token +will be using this value as the password on each renegotiation and +reconnection to the server until it stops running. If the server +has invalidated the +.B auth\-token +since the last authentication, the client will be disconnected. + Whenever the connection is renegotiated and the .B \-\-auth\-user\-pass\-verify script or
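Review bot: In the first hunk (@@ -3671), the new "PLEASE NOTE:" paragraph has wording problems that will land in the shipped man page: "two factor authentications" should read "two-factor authentication", and the closing sentence ("... values sent to successfully authenticated clients, and particularly when OTP authentication is required.") is left dangling because "and particularly" has nothing to attach to; suggest "... values for successfully authenticated clients; this matters most when OTP authentication is in use." The hunk also alternates between "scripts or plug\-ins" and "scripts/plug\-ins" within the same paragraph; pick one form. The substance, that --auth-gen-token is a stop-gap for scripts and plug-ins lacking real auth-token support rather than the recommended design, is a clear improvement over the removed text, and the "See also --auth-token" cross-reference is welcome.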
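Review bot: In the second hunk (@@ -5291), the "BEWARE:" paragraph needs grammar fixes before merging: "Clients which has received an auth\-token will be using this value" should be "Clients which have received an auth\-token will use this value", and "until it stops running" has an ambiguous antecedent (the client process, not the server); suggest "until the client process exits". The paragraph also states that the client will be disconnected once the server has invalidated the token, but not what the user should then expect, i.e. whether the client falls back to prompting for the original credentials or has to be restarted; one sentence on that would make the warning actionable for operators who rotate or revoke tokens.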