From patchwork Sun Aug 1 23:52:11 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Arne Schwabe X-Patchwork-Id: 1899 Return-Path: Delivered-To: patchwork@openvpn.net Delivered-To: patchwork@openvpn.net Received: from director14.mail.ord1d.rsapps.net ([172.28.255.1]) by backend30.mail.ord1d.rsapps.net with LMTP id YBjBOavAB2FFDAAAIUCqbw (envelope-from ) for ; Mon, 02 Aug 2021 05:53:47 -0400 Received: from proxy6.mail.ord1c.rsapps.net ([172.28.255.1]) by director14.mail.ord1d.rsapps.net with LMTP id aHmAOavAB2EUFwAAeJ7fFg (envelope-from ) for ; Mon, 02 Aug 2021 05:53:47 -0400 Received: from smtp33.gate.ord1c ([172.28.255.1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by proxy6.mail.ord1c.rsapps.net with LMTPS id YOQiOavAB2G3TQAA9sKXow (envelope-from ) for ; Mon, 02 Aug 2021 05:53:47 -0400 X-Spam-Threshold: 95 X-Spam-Score: 0 X-Spam-Flag: NO X-Virus-Scanned: OK X-Orig-To: openvpnslackdevel@openvpn.net X-Originating-Ip: [216.105.38.7] Authentication-Results: smtp33.gate.ord1c.rsapps.net; iprev=pass policy.iprev="216.105.38.7"; spf=pass smtp.mailfrom="openvpn-devel-bounces@lists.sourceforge.net" smtp.helo="lists.sourceforge.net"; dkim=fail (signature verification failed) header.d=sourceforge.net; dkim=fail (signature verification failed) header.d=sf.net; dmarc=none (p=nil; dis=none) header.from=rfc2549.org X-Suspicious-Flag: YES X-Classification-ID: 87bcff36-f377-11eb-9b8e-54520067fec4-1-1 Received: from [216.105.38.7] ([216.105.38.7:45172] helo=lists.sourceforge.net) by smtp33.gate.ord1c.rsapps.net (envelope-from ) (ecelerity 4.2.38.62370 r(:)) with ESMTPS (cipher=DHE-RSA-AES256-GCM-SHA384) id 46/39-01219-BA0C7016; Mon, 02 Aug 2021 05:53:47 -0400 Received: from [127.0.0.1] (helo=sfs-ml-1.v29.lw.sourceforge.com) by sfs-ml-1.v29.lw.sourceforge.com with esmtp (Exim 4.90_1) (envelope-from ) id 1mAUci-0002tQ-2V; Mon, 02 Aug 2021 09:52:40 +0000 Received: from [172.30.20.202] (helo=mx.sourceforge.net) by sfs-ml-1.v29.lw.sourceforge.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.90_1) (envelope-from ) id 1mAUce-0002ru-7e for openvpn-devel@lists.sourceforge.net; Mon, 02 Aug 2021 09:52:36 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=Content-Transfer-Encoding:MIME-Version:Message-Id: Date:Subject:To:From:Sender:Reply-To:Cc:Content-Type:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=mXb54kFu/qKaG84Xv5xFBTupl7ChQJx35DdaPHl8SGY=; b=SYyINPFPysF+4YZhB6tOVfgrSg UgEkm6qhCP/Mtuj0gg4GfSCe7v9kz99Yv8iwpMZ07g68MP6k+7jKCKI4d2okc6tZVEmajV/npfgQb hpsnM7Ja5d1b7QI+o1ObL4lCSALywK/Xb0T7KezDwSj0gg53xA9nFH2ZwBEFhZThvtJY=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=Content-Transfer-Encoding:MIME-Version:Message-Id:Date:Subject:To:From: Sender:Reply-To:Cc:Content-Type:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To: References:List-Id:List-Help:List-Unsubscribe:List-Subscribe:List-Post: List-Owner:List-Archive; bh=mXb54kFu/qKaG84Xv5xFBTupl7ChQJx35DdaPHl8SGY=; b=U uT1kvwVlfJHWKHY9/eqF0kxce+qBFmH/HacyMnJqm/x5Y3tARCY5ePAwUJofmeOk7pM6SAwbTKYpW iweGp9IG4NbTlFpKJwUmkyeWRmr1uPv+RakY8SDOBLBc5L175PJP4Nz9CA4y7KvF1MBefRGL1QvfG dLpADthW2PuBb/Os=; Received: from mail.blinkt.de ([192.26.174.232]) by sfi-mx-2.v28.lw.sourceforge.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.92.3) id 1mAUcQ-0006V3-K1 for openvpn-devel@lists.sourceforge.net; Mon, 02 Aug 2021 09:52:31 +0000 Received: from kamera.blinkt.de ([2001:638:502:390:20c:29ff:fec8:535c]) by mail.blinkt.de with smtp (Exim 4.94.2 (FreeBSD)) (envelope-from ) id 1mAUcE-000B7z-UX for openvpn-devel@lists.sourceforge.net; Mon, 02 Aug 2021 11:52:10 +0200 Received: (nullmailer pid 693846 invoked by uid 10006); Mon, 02 Aug 2021 09:52:11 -0000 From: Arne Schwabe To: openvpn-devel@lists.sourceforge.net Date: Mon, 2 Aug 2021 11:52:11 +0200 Message-Id: <20210802095211.693800-1-arne@rfc2549.org> X-Mailer: git-send-email 2.25.1 MIME-Version: 1.0 X-Spam-Report: Spam Filtering performed by mx.sourceforge.net. See http://spamassassin.org/tag/ for more details. 0.2 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail domains are different 0.0 SPF_NONE SPF: sender does not publish an SPF Record 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record -0.0 AWL AWL: Adjusted score from AWL reputation of From: address X-Headers-End: 1mAUcQ-0006V3-K1 Subject: [Openvpn-devel] [PATCH v3] Add example script demonstrating TOTP via auth-pending X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox Signed-off-by: Arne Schwabe Patch v3: Some minor cleanups in the script (rename CNs, add more comments) Signed-off-by: Arne Schwabe --- doc/man-sections/script-options.rst | 3 + sample/sample-scripts/totpauth.py | 111 ++++++++++++++++++++++++++++ 2 files changed, 114 insertions(+) create mode 100755 sample/sample-scripts/totpauth.py diff --git a/doc/man-sections/script-options.rst b/doc/man-sections/script-options.rst index f48e5818d..6517f8474 100644 --- a/doc/man-sections/script-options.rst +++ b/doc/man-sections/script-options.rst @@ -147,6 +147,9 @@ SCRIPT HOOKS :code:`auth_control_file or further defer it. See ``--auth-user-pass-verify`` for details. + For a sample script that implement TOTP (RFC 6238) based two-factor + authentication, see :code:`sample-scripts/totp.py`. + --client-connect cmd Run command ``cmd`` on client connection. diff --git a/sample/sample-scripts/totpauth.py b/sample/sample-scripts/totpauth.py new file mode 100755 index 000000000..2991d6590 --- /dev/null +++ b/sample/sample-scripts/totpauth.py @@ -0,0 +1,111 @@ +#! /usr/bin/python3 +# Copyright (c) 2021 OpenVPN Inc +# Copyright (c) 2021 Arne Schwabe +# +# Permission is hereby granted, free of charge, to any person obtaining a copy +# of this software and associated documentation files (the "Software"), to deal +# in the Software without restriction, including without limitation the rights +# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +# copies of the Software, and to permit persons to whom the Software is +# furnished to do so, subject to the following conditions: +# +# The above copyright notice and this permission notice shall be included in all +# copies or substantial portions of the Software. +# +# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +# SOFTWARE. + +import sys +import os +from base64 import standard_b64decode + +import pyotp + +# Example script demonstrating how to use the auth-pending API in +# OpenVPN. This script is provided under MIT license to allow easy +# modification for other purposes. +# +# This needs support of crtext support on the client (e.g. OpenVPN for Android) +# See also the management-notes.txt file for more information about the auth pending +# protocol +# +# To use this script add the following lines in the openvpn config + +# client-crresponse /path/to/totpauth.py +# auth-user-pass-verify /path/to/totpauth.py via-file +# auth-user-pass-optional +# auth-gen-token + +# Note that this script does NOT verify username/password +# It is only meant for querying additional 2FA when certificates are +# used to authenticate + + +# For this demo script we hardcode the TOTP secrets in a simple dictionary. +secrets = {"Test-Client": "OS6JDNRK2BNUPQVX", + "Client-2": "IXWEMP7SK2QWSHTG"} + + +def main(): + # Get common name and script type from environment + script_type = os.environ['script_type'] + cn = os.environ['common_name'] + + if script_type == 'user-pass-verify': + # signal text based challenge response + if cn in secrets: + extra = "CR_TEXT:E,R:Please enter your TOTP code!" + write_auth_pending(300, 'crtext', extra) + + # Signal authentication being deferred + sys.exit(2) + else: + # For unknown CN we report failure. Change to 0 + # to allow CNs without secret to auth without 2FA + sys.exit(1) + + elif script_type == 'client-crresponse': + response = None + + # Read the crresponse from the argument file + # and convert it into text. A failure because of bad user + # input (e.g. invalid base64) will make the script throw + # an error and make OpenVPN return AUTH_FAILED + with open(sys.argv[1], 'r') as crinput: + response = crinput.read() + response = standard_b64decode(response) + response = response.decode().strip() + + if cn not in secrets: + write_auth_control(1) + return + + totp = pyotp.TOTP(secrets[cn]) + + # Check if the code is valid (and also allow code +/-1) + if totp.verify(response, valid_window=1): + write_auth_control(1) + else: + write_auth_control(0) + else: + print(f"Unknown script type {script_type}") + sys.exit(1) + + +def write_auth_control(status): + with open(os.environ['auth_control_file'], 'w') as auth_control: + auth_control.write("%d" % status) + + +def write_auth_pending(timeout, method, extra): + with open(os.environ['auth_pending_file'], 'w') as auth_pending: + auth_pending.write("%d\n%s\n%s" % (timeout, method, extra)) + + +if __name__ == '__main__': + main()