From patchwork Mon Jan 25 01:56:28 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Arne Schwabe X-Patchwork-Id: 1573 Return-Path: Delivered-To: patchwork@openvpn.net Delivered-To: patchwork@openvpn.net Received: from director12.mail.ord1d.rsapps.net ([172.27.255.53]) by backend30.mail.ord1d.rsapps.net with LMTP id IAaaEj7ADmDzLgAAIUCqbw (envelope-from ) for ; Mon, 25 Jan 2021 07:57:34 -0500 Received: from proxy13.mail.iad3a.rsapps.net ([172.27.255.53]) by director12.mail.ord1d.rsapps.net with LMTP id YP12Ej7ADmAvbAAAIasKDg (envelope-from ) for ; Mon, 25 Jan 2021 07:57:34 -0500 Received: from smtp31.gate.iad3a ([172.27.255.53]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by proxy13.mail.iad3a.rsapps.net with LMTPS id 0F7oCz7ADmCTDAAAwhxzoA (envelope-from ) for ; Mon, 25 Jan 2021 07:57:34 -0500 X-Spam-Threshold: 95 X-Spam-Score: 0 X-Spam-Flag: NO X-Virus-Scanned: OK X-Orig-To: openvpnslackdevel@openvpn.net X-Originating-Ip: [216.105.38.7] Authentication-Results: smtp31.gate.iad3a.rsapps.net; iprev=pass policy.iprev="216.105.38.7"; spf=pass smtp.mailfrom="openvpn-devel-bounces@lists.sourceforge.net" smtp.helo="lists.sourceforge.net"; dkim=fail (signature verification failed) header.d=sourceforge.net; dkim=fail (signature verification failed) header.d=sf.net; dmarc=none (p=nil; dis=none) header.from=rfc2549.org X-Suspicious-Flag: YES X-Classification-ID: e3c12208-5f0c-11eb-8147-5254003d9392-1-1 Received: from [216.105.38.7] ([216.105.38.7:37012] helo=lists.sourceforge.net) by smtp31.gate.iad3a.rsapps.net (envelope-from ) (ecelerity 4.2.38.62370 r(:)) with ESMTPS (cipher=DHE-RSA-AES256-GCM-SHA384) id 82/78-05487-D30CE006; Mon, 25 Jan 2021 07:57:33 -0500 Received: from [127.0.0.1] (helo=sfs-ml-4.v29.lw.sourceforge.com) by sfs-ml-4.v29.lw.sourceforge.com with esmtp (Exim 4.90_1) (envelope-from ) id 1l41QR-0001n3-Eb; Mon, 25 Jan 2021 12:56:59 +0000 Received: from [172.30.20.202] (helo=mx.sourceforge.net) by sfs-ml-4.v29.lw.sourceforge.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.90_1) (envelope-from ) id 1l41QF-0001m7-2q for openvpn-devel@lists.sourceforge.net; Mon, 25 Jan 2021 12:56:47 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=References:In-Reply-To:Message-Id:Date:Subject:To: From:Sender:Reply-To:Cc:MIME-Version:Content-Type:Content-Transfer-Encoding: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=AaLExEK5DruN9bLqioAKMTDMdwnBzMOjlLsbchqmC+U=; b=W+/Od0Gl028I7uR0XFjoHFXT2s /zQAalthbyW35VPgsLIWHqkeST/1189rt1vBeWKfqPOHb3b0x4iV/khIgn9WGqLCXYEHl8sk3raeo AOzy+xrkBDyiS0cE1b3ElJtqdS79xinB3REPTGhDqm0RP2G/HY7GpYQqI31SKYuQ1oz4=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=References:In-Reply-To:Message-Id:Date:Subject:To:From:Sender:Reply-To:Cc :MIME-Version:Content-Type:Content-Transfer-Encoding:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=AaLExEK5DruN9bLqioAKMTDMdwnBzMOjlLsbchqmC+U=; b=Sm+TOyWo3vIvz3QenArjEc0Bwu l94Y2xzjzFhbCU5+Q/CP7G/kPiLqXJ+QLaZCPsmFdBe6Ml+Pp0cjzifjrm/LMvI5j8o0niSM/R4UW IYVRuPsc2eXMDxp0DrytsYWkjwSR58Gf4Uig+1Rgpj6rA2H55eKSuC4Ti78xwlFazKxk=; Received: from mail.blinkt.de ([192.26.174.232]) by sfi-mx-3.v28.lw.sourceforge.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.92.2) id 1l41QB-006gWw-9K for openvpn-devel@lists.sourceforge.net; Mon, 25 Jan 2021 12:56:47 +0000 Received: from kamera.blinkt.de ([2001:638:502:390:20c:29ff:fec8:535c]) by mail.blinkt.de with smtp (Exim 4.94 (FreeBSD)) (envelope-from ) id 1l41Px-0007XL-Fg for openvpn-devel@lists.sourceforge.net; Mon, 25 Jan 2021 13:56:29 +0100 Received: (nullmailer pid 30441 invoked by uid 10006); Mon, 25 Jan 2021 12:56:29 -0000 From: Arne Schwabe To: openvpn-devel@lists.sourceforge.net Date: Mon, 25 Jan 2021 13:56:28 +0100 Message-Id: <20210125125628.30364-12-arne@rfc2549.org> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20210125125628.30364-1-arne@rfc2549.org> References: <20210125125628.30364-1-arne@rfc2549.org> X-Spam-Report: Spam Filtering performed by mx.sourceforge.net. See http://spamassassin.org/tag/ for more details. 0.2 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail domains are different 0.0 SPF_NONE SPF: sender does not publish an SPF Record 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record X-Headers-End: 1l41QB-006gWw-9K Subject: [Openvpn-devel] [PATCH v2 11/11] Add example script demonstrating TOTP via auth-pending X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox Signed-off-by: Arne Schwabe --- Changes.rst | 9 +++ doc/man-sections/script-options.rst | 3 + sample/sample-scripts/totpauth.py | 107 ++++++++++++++++++++++++++++ 3 files changed, 119 insertions(+) create mode 100755 sample/sample-scripts/totpauth.py diff --git a/Changes.rst b/Changes.rst index 188bd8ab..d64c6d83 100644 --- a/Changes.rst +++ b/Changes.rst @@ -19,6 +19,15 @@ Pending auth support for plugins and scripts be used to parse a client response to a ``CR_TEXT`` two factor challenge. See ``sample/sample-scripts/totpauth.py`` for an example. +<<<<<<< HEAD +======= + +Deprecated features +------------------- +``inetd`` has been removed + This was a very limited and not-well-tested way to run OpenVPN, on TCP + and TAP mode only. +>>>>>>> 239e8cfd (Add example script demonstrating TOTP via auth-pending) Overview of changes in 2.5 diff --git a/doc/man-sections/script-options.rst b/doc/man-sections/script-options.rst index 1d7118ae..05815020 100644 --- a/doc/man-sections/script-options.rst +++ b/doc/man-sections/script-options.rst @@ -147,6 +147,9 @@ SCRIPT HOOKS :code:`auth_control_file or further defer it. See ``--auth-user-pass-verify`` for details. + For a sample script that implement TOTP (RFC 6238) based two-factor + authentication, see :code:`sample-scripts/totp.py`. + --client-connect cmd Run command ``cmd`` on client connection. diff --git a/sample/sample-scripts/totpauth.py b/sample/sample-scripts/totpauth.py new file mode 100755 index 00000000..95ac3529 --- /dev/null +++ b/sample/sample-scripts/totpauth.py @@ -0,0 +1,107 @@ +#! /usr/bin/python3 +# Copyright (c) 2020 OpenVPN Inc +# +# Permission is hereby granted, free of charge, to any person obtaining a copy +# of this software and associated documentation files (the "Software"), to deal +# in the Software without restriction, including without limitation the rights +# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +# copies of the Software, and to permit persons to whom the Software is +# furnished to do so, subject to the following conditions: +# +# The above copyright notice and this permission notice shall be included in all +# copies or substantial portions of the Software. +# +# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +# SOFTWARE. + +import sys +import os +from base64 import standard_b64decode + +import pyotp + +import pprint + +# Example script demonstrating how to use the auth-pending API in +# OpenVPN. This script is provided under MIT license to allow easy +# modification for other purposes. +# +# To use this script add the following lines in the openvpn config + +# client-crresponse /path/to/totpauth.py +# auth-user-pass-verify /path/to/totpauth.py via-file +# auth-user-pass-optional +# auth-gen-token + +# Note that this script does NOT verify username/password +# It is only meant for querying additional 2FA when certificates are +# used to authenticate + +secrets = {"styx": "OS6JDNRK2BNUPQVX", + "apate": "IXWEMP7SK2QWSHTG"} + + +def main(): + # Get common name and script type from environment + script_type = os.environ['script_type'] + cn = os.environ['common_name'] + + if script_type == 'user-pass-verify': + # signal text based challenge response + + if cn in secrets: + extra = "CR_TEXT:E,R:Please enter your TOTP code!" + write_auth_pending(300, 'crtext', extra) + + # Signal authentication being deferred + sys.exit(2) + else: + # For unkown CN we report failure. Change to 0 + # to allow CNs without secret to auth without 2FA + sys.exit(1) + + elif script_type == 'client-crresponse': + response = None + + # Read the crresponse from the argument file + # and convert it into text. A failure because of bad user + # input (e.g. invalid base64) will make the script throw + # an error and make OpenVPN return AUTH_FAILED + with open(sys.argv[1], 'r') as crinput: + response = crinput.read() + response = standard_b64decode(response) + response = response.decode().strip() + + if cn not in secrets: + write_auth_control(1) + return + + totp = pyotp.TOTP(secrets[cn]) + + # Check if the code is valid (and also allow code +/-1) + if totp.verify(response, valid_window=1): + write_auth_control(1) + else: + write_auth_control(0) + else: + print(f"Unknown script type {script_type}") + sys.exit(1) + + +def write_auth_control(status): + with open(os.environ['auth_control_file'], 'w') as auth_control: + auth_control.write("%d" % status) + + +def write_auth_pending(timeout, method, extra): + with open(os.environ['auth_pending_file'], 'w') as auth_pending: + auth_pending.write("%d\n%s\n%s" % (timeout, method, extra)) + + +if __name__ == '__main__': + main()