Hi, Thanks for documenting this.
On Thu, Aug 25, 2016 at 1:32 PM, David Sommerseth <dav...@openvpn.net> wrote: > .\"********************************************************* > .TP > +.B \-\-auth\-token token > +This is not an option to be used directly in any configuration files, > +but rather push this option from a > +.B \-\-client\-connect > +script or a > +.B \-\-plugin > +which hooks into the OPENVPN_PLUGIN_CLIENT_CONNECT or > +OPENVPN_PLUGIN_CLIENT_CONNECT_V2 calls. This option provides > +a possibility to replace the clients password with a temporary > +authentication token. > + > +Whenever the connection is renegotiated and the > +\-\-auth\-user\-pass\-verify > To be consistent, that would be ".B \-\-auth\-user\-pass\-verify" +script or > +\-\-plugin > same here and a couple of instances below. > +making use of the OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY hook is > +triggered, it will then pass over this token as the password > +instead of the password the user provided. > Based on some quick checks it seems the token is passed as password not just during reneg or after a SIGUSR1 but even after a SIGHUP. It would be useful to clarify if/when the token gets cleared so that username/password prompt will happen again at client-side. It also helps a script/plugin developer to know when to reset the token and expect the usual password. + > +The purpose of this is to enable two factor authentication > +methods, such as HOTP or TOTP, to be used without needing to > +retrieve a new OTP code each time the connection is renegotiated. > +Another use case is to cache authentication data on the client > +without needing to have the users password cached in memory > +during the life time of the session. > + > +To make use of this feature, the > +\-\-client\-connect > .B ... > +script or > +\-\-plugin > .B ... > +needs to put > + > +.nf > +.ft 3 > +.in +4 > +push "auth-token UNIQUE_TOKEN_VALUE" > +.in -4 > +.ft > +.fi > + > +into the file/buffer for dynamic configuration data. 
This > +will then make the OpenVPN server to push this value to the > +client, which replaces the local password with the > +UNIQUE_TOKEN_VALUE. > +.\"********************************************************* > +.TP > .B \-\-tls\-verify cmd > Run command > .B cmd Selva
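Review bot: the new text never says what properties UNIQUE_TOKEN_VALUE must have, even though the same hunk states that it replaces the client's password for every later auth-user-pass-verify run; add a sentence that the value must be unpredictable (freshly generated per session from a secure random source and long enough not to be guessed) and that the server-side script or plugin has to stop accepting it once the session is over, since for the lifetime of the session the token is effectively a bearer credential. Minor wording in the same lines: "replace the clients password" should read "replace the client's password", "the users password" should read "the user's password", "life time" should be "lifetime", and "will then make the OpenVPN server to push" should read "will then make the OpenVPN server push".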
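As an added illustration of the workflow the quoted man-page text describes (example code written for this reply, not part of the patch and not OpenVPN project code), here is a POSIX sh skeleton for the two server-side hooks: the client-connect hook generates a per-session token, records it and writes the push "auth-token ..." line into the dynamic-config file OpenVPN hands the script as $1; the auth-user-pass-verify hook then accepts that token in place of the OTP until it is revoked. Assumptions not in the message: tokens are kept under TOKEN_DIR (one file per common name), check_otp is a constructed stand-in for a real OTP validator, and the dispatch at the end relies on OpenVPN's script_type, common_name, username and password environment variables (the last two require the via-env form of --auth-user-pass-verify).

```sh
#!/bin/sh
# Added example, not OpenVPN code. Server-side hook functions for the
# --auth-token flow: issue a per-session token at client-connect time,
# accept it as the password on later verifications, drop it at disconnect.

# Assumed storage location for issued tokens: one file per common name.
TOKEN_DIR="${TOKEN_DIR:-/var/run/openvpn-tokens}"
TOKEN_BYTES=32

# The token stands in for the user's password for the rest of the session,
# so it must be unguessable: 32 bytes from /dev/urandom rendered as hex.
generate_token() {
    od -An -tx1 -N"$TOKEN_BYTES" /dev/urandom | tr -d ' \n'
}

# client-connect hook. $1: the dynamic-config file OpenVPN passes to the
# script; $2: the client's common name. Appends the push line from the
# man page text to that file, records the token with owner-only permissions,
# and prints the token so callers (and the test) can see what was issued.
issue_token() {
    dyn_cfg="$1"; cn="$2"
    token=$(generate_token)
    ( umask 077
      mkdir -p "$TOKEN_DIR"
      printf '%s\n' "$token" > "$TOKEN_DIR/$cn" )
    printf 'push "auth-token %s"\n' "$token" >> "$dyn_cfg"
    printf '%s' "$token"
}

# Constructed stand-in for a real HOTP/TOTP validator (hypothetical).
# $1: username, $2: password/OTP. Accepts one fixed sample code.
check_otp() {
    [ "$2" = "123456" ]
}

# auth-user-pass-verify hook. $1: username, $2: password as received,
# $3: common name. Succeeds when the password is the token currently issued
# for this common name; otherwise falls back to the real OTP check.
# Note: sh string comparison is not constant-time; a plugin in C or Python
# should use a constant-time compare for the token check.
verify_credentials() {
    user="$1"; pass="$2"; cn="$3"
    tokfile="$TOKEN_DIR/$cn"
    if [ -f "$tokfile" ] && [ "$pass" = "$(cat "$tokfile")" ]; then
        return 0
    fi
    check_otp "$user" "$pass"
}

# client-disconnect hook (or a lifetime-expiry job): forget the token so the
# next verification requires a fresh OTP from the user.
revoke_token() {
    rm -f "$TOKEN_DIR/$1"
}

# Dispatch on OpenVPN's script_type when run as a hook; does nothing when the
# file is sourced without that variable set.
case "${script_type:-}" in
    client-connect)        issue_token "$1" "$common_name" >/dev/null ;;
    auth-user-pass-verify) verify_credentials "$username" "$password" "$common_name" ;;
    client-disconnect)     revoke_token "$common_name" ;;
esac
```

The same script can be registered for all three hook types, since OpenVPN tells it which hook fired through script_type; the token file is created with a 077 umask so only the server user can read the value that now stands in for the password.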
_______________________________________________ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel