On 25/08/16 15:45, David Sommerseth wrote:
> Hi,
> [...snip...]
>
> What the patch-set does is:
>
> - Add --auth-gen-token, and when used the following steps happen
>
>   - After a successful normal user/password authentication, it will
>     generate a random token for this tunnel and keep a local copy of
>     it. This token is currently set to 256 bits (32 bytes).
>
>   - It will push 'auth-token $RANDOM_TOKEN_VALUE'. The
>     $RANDOM_TOKEN_VALUE sent to the client is BASE64 encoded.
>
>   - When a re-authentication happens, and the server sees it has a
>     token and the token has been sent to the client, it does an
>     authentication of the token alone. Any --auth-user-pass-verify or
>     --plugins enabling OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY will not be
>     called at this point. On successful token authentication,
>     everything continues as before. On failure the session is
>     considered un-authenticated and a complete new authentication round
>     is required.
>
> If --auth-gen-token is NOT used, OpenVPN will behave as before.
>
> The patch-set can be found here:
> <https://gitlab.com/dazo/openvpn/compare/master...dev%2Fauth-gen-token>
>
> And the git tree can be found here:
> <https://gitlab.com/dazo/openvpn.git> (Check out the dev/auth-gen-token branch)
I've spent some time improving these patches with the input from Selva,
Jens, Steffan and Gert.

- The dev/auth-gen-token branch has been updated to latest master

- Properly clear the auth_token from memory before free()ing it
  Add memset() before clearing the token from memory

- Add additional check that the user name has not changed...
  Check with tls_lock_username() which verifies username is the same.

- Properly de-authenticate the TLS connection on auth-token failures
  Call tls_deauthenticate() on authentication failures. This triggers
  the connected client with the failure to disconnect properly.

- Enhance option parsing for --auth-gen-token
  ~ Require OPT_P_GENERAL_FLAGS
  ~ Dump the auth_generate_token flag on --verb 4 and higher
  ~ Ensure --auth-gen-token cannot be used in any of the client modes

- Mask/hide generated tokens unless verbose/debug level is >= 7
  It was considered that this information is valuable during debugging,
  but otherwise it can be hidden.

- Implement optional auth token lifetime for generated token
  This allows an auth-token to only be valid for a certain time period

- man-page: Document the --auth-gen-token feature

Everything can be found here:
<https://gitlab.com/dazo/openvpn/commits/dev/auth-gen-token>
(in the dev/auth-gen-token branch)

Unless the feedback requires more work, I'll squash them a bit and submit
them to the mailing list now. General testing looks good so far.

--
kind regards,

David Sommerseth
OpenVPN Technologies, Inc
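The token flow the thread describes (mint a 256-bit token after a successful user/password check, push it base64-encoded, and on re-authentication check the token alone, failing closed when the username changed, the token expired or does not match, and wiping the secret before it is released) is modelled below as an added example. This is not OpenVPN's code and none of it comes from the dev/auth-gen-token branch; `struct session`, `auth_gen_token()` and `auth_check_token()` are hypothetical names, `/dev/urandom` stands in for whatever CSPRNG the server uses, and the `now` parameter is passed explicitly so that the lifetime check can be exercised without sleeping.

```c
/* Added example (not OpenVPN code): a minimal model of the --auth-gen-token
 * flow described in the thread. Struct and function names are hypothetical. */
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <time.h>

#define AUTH_TOKEN_BYTES   32  /* 256-bit token, as in the patch-set */
#define AUTH_TOKEN_B64_LEN 44  /* base64 length of 32 bytes, without NUL */

struct session {
    char   username[64];
    char   token[AUTH_TOKEN_B64_LEN + 1];  /* server-side copy, base64 */
    time_t token_issued;
    int    token_lifetime;                 /* seconds; 0 = never expires */
    int    authenticated;
};

/* Wipe a secret before release; volatile stops the compiler dropping the write. */
static void secure_clear(void *p, size_t n)
{
    volatile unsigned char *v = p;
    while (n--) *v++ = 0;
}

static const char b64[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/* Plain base64 encoder ('=' padded); out must hold 4*ceil(n/3)+1 bytes. */
static void base64_encode(const unsigned char *in, size_t n, char *out)
{
    size_t i = 0, o = 0;
    for (; i + 2 < n; i += 3) {
        uint32_t v = ((uint32_t)in[i] << 16) | ((uint32_t)in[i + 1] << 8) | in[i + 2];
        out[o++] = b64[(v >> 18) & 63]; out[o++] = b64[(v >> 12) & 63];
        out[o++] = b64[(v >> 6) & 63];  out[o++] = b64[v & 63];
    }
    if (i < n) {                                   /* one or two trailing bytes */
        uint32_t v = (uint32_t)in[i] << 16;
        if (i + 1 < n) v |= (uint32_t)in[i + 1] << 8;
        out[o++] = b64[(v >> 18) & 63];
        out[o++] = b64[(v >> 12) & 63];
        out[o++] = (i + 1 < n) ? b64[(v >> 6) & 63] : '=';
        out[o++] = '=';
    }
    out[o] = '\0';
}

/* Constant-time equality so a wrong token cannot be narrowed down via timing. */
static int ct_equal(const char *a, const char *b, size_t n)
{
    unsigned char d = 0;
    for (size_t i = 0; i < n; i++) d |= (unsigned char)(a[i] ^ b[i]);
    return d == 0;
}

/* Fill buf from the kernel CSPRNG; returns 0 on success. */
static int random_bytes(unsigned char *buf, size_t n)
{
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f) return -1;
    size_t got = fread(buf, 1, n, f);
    fclose(f);
    return got == n ? 0 : -1;
}

/* Step 1: after user/password succeeded, mint a token, keep the server copy,
 * and build the 'auth-token <base64>' line that is pushed to the client. */
int auth_gen_token(struct session *s, time_t now, int lifetime,
                   char *push_line, size_t push_len)
{
    unsigned char raw[AUTH_TOKEN_BYTES];
    if (random_bytes(raw, sizeof raw) != 0) return -1;
    base64_encode(raw, sizeof raw, s->token);
    secure_clear(raw, sizeof raw);                 /* raw bytes no longer needed */
    s->token_issued   = now;
    s->token_lifetime = lifetime;
    s->authenticated  = 1;
    int len = snprintf(push_line, push_len, "auth-token %s", s->token);
    return (len > 0 && (size_t)len < push_len) ? 0 : -1;
}

/* Step 2: on re-authentication check the presented token alone (no script or
 * plugin is consulted). Username must be unchanged and token unexpired; any
 * failure drops the session to un-authenticated and wipes the stale token. */
int auth_check_token(struct session *s, const char *username,
                     const char *presented, time_t now)
{
    int ok = s->token[0] != '\0'
          && strcmp(s->username, username) == 0
          && strlen(presented) == AUTH_TOKEN_B64_LEN
          && ct_equal(s->token, presented, AUTH_TOKEN_B64_LEN)
          && (s->token_lifetime == 0 || now - s->token_issued <= s->token_lifetime);
    if (!ok) {
        secure_clear(s->token, sizeof s->token);
        s->authenticated = 0;
    }
    return ok;
}

int main(void)
{
    struct session s = { .username = "alice" };
    char push[80];
    if (auth_gen_token(&s, time(NULL), 300, push, sizeof push) != 0) return 1;
    printf("pushed to client: %s\n", push);
    const char *tok = push + strlen("auth-token ");
    printf("re-auth as alice: %d\n", auth_check_token(&s, "alice", tok, time(NULL)));
    printf("re-auth as bob:   %d\n", auth_check_token(&s, "bob", tok, time(NULL)));
    return 0;
}
```

Two details are worth noting. A failed check wipes the server-side copy, so a later retry with the same token also fails and the client really is forced through a full user/password round, which is the behaviour the thread describes for the de-authenticate path. The length check before `ct_equal()` is what makes the comparison safe: the token length is public (always 44 characters), so rejecting other lengths early leaks nothing, while the byte comparison itself stays constant-time.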
------------------------------------------------------------------------------
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel