On 25/08/16 15:45, David Sommerseth wrote:
> Hi,
> What the patch-set does is:
> - Add --auth-gen-token, and when used the following steps happens
> - After a successful normal user/password authentication, it will 
> generate a random token for this tunnel and keep a local copy of
> it. This token is currently set to 256 bits (32 bytes).
> - It will push 'auth-token $RANDOM_TOKEN_VALUE'.  The 
> $RANDOM_TOKEN_VALUE sent to the client is BASE64 encoded.
> - When a re-authentication happens, and the server sees it has a
> token and the token has been sent to the client, it does an 
> authentication of the token alone.  Any --auth-user-pass-verify or 
> --plugins enabling OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY will not be
> called at this point.  On successful token authentication, 
> everything continues as before.  On failure the session is
> considered un-authenticated and a completely new authentication round
> is required.
> If --auth-gen-token is NOT used, OpenVPN will behave as before.
> The patch-set can be found here: 
> <https://gitlab.com/dazo/openvpn/compare/master...dev%2Fauth-gen-token>
>  And the git tree can be found here: 
> <https://gitlab.com/dazo/openvpn.git> (Check out the
> dev/auth-gen-token branch)

I've spent some time improving these patches with the input from
Selva, Jens, Steffan and Gert.

- The dev/auth-gen-token branch has been updated to latest master

- Properly clear the auth_token from memory before free()ing it
  Add memset() before clearing the token from memory

- Add additional check that the user name has not changed...
  Check with tls_lock_username() which verifies username is the same.

- Properly de-authenticate the TLS connection on auth-token failures
  Call tls_deauthenticate() on authentication failures.  This triggers
  the connected client to disconnect properly on failure.

- Enhance option parsing for --auth-gen-token
  ~ Dump the auth_generate_token flag on --verb 4 and higher
  ~ Ensure --auth-gen-token cannot be used in any of the client modes

- Mask/hide generated tokens unless verbose/debug level is >= 7
  It was considered that this information is valuable during debugging,
  but otherwise it can be hidden.

- Implement optional auth token lifetime for generated token
  This allows an auth-token to only be valid for a certain time period

- man-page: Document the --auth-gen-token feature

Everything can be found here:
(in the dev/auth-gen-token branch)

Unless the feedback requires more work, I'll squash them a bit and
submit them to the mailing list now.  General testing looks good so far.

kind regards,

David Sommerseth
OpenVPN Technologies, Inc

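The token flow summarised in the quoted message (generate a 256-bit random token after a successful user/password authentication, push it to the client as 'auth-token <base64>', on renegotiation check the token alone without calling the user/pass verifier, lock the username, honour an optional token lifetime, and de-authenticate on any failure so a full round is required again), modelled in Python as an added example. This is neither OpenVPN's code nor the patches in the dev/auth-gen-token branch: the Session and Server classes, the verify_user_pass callback standing in for --auth-user-pass-verify, the bytearray zeroing standing in for memset() before free(), and the assumption that the client presents the token in the password field on renegotiation are this example's own.

```python
import base64
import binascii
import hmac
import secrets
import time

TOKEN_BYTES = 32  # 256-bit token, as described in the patch-set summary


class Session:
    """Per-tunnel server-side state (stand-in for OpenVPN's tls_session; not OpenVPN code)."""

    def __init__(self):
        self.username = None
        self.authenticated = False
        self.auth_token = None       # bytearray so it can be zeroed before it is dropped
        self.token_issued_at = None


def clear_token(session):
    """Overwrite the stored token before releasing it (analogue of memset() before free())."""
    if session.auth_token is not None:
        for i in range(len(session.auth_token)):
            session.auth_token[i] = 0
        session.auth_token = None
    session.token_issued_at = None


def deauthenticate(session):
    """Stand-in for tls_deauthenticate(): drop the token and mark the session
    un-authenticated, so the next attempt must be a full user/pass round."""
    session.authenticated = False
    clear_token(session)


class Server:
    def __init__(self, verify_user_pass, gen_token=True, token_lifetime=None, clock=None):
        self.verify_user_pass = verify_user_pass  # stand-in for --auth-user-pass-verify
        self.gen_token = gen_token                # --auth-gen-token on/off
        self.token_lifetime = token_lifetime      # seconds; None means the token never expires
        self.clock = clock or time.monotonic      # injectable for testing lifetime expiry

    def authenticate(self, session, username, password):
        """Full user/pass authentication. Returns (ok, push_line): push_line is the
        'auth-token <base64>' directive for the client, or None if no token was generated."""
        if not self.verify_user_pass(username, password):
            deauthenticate(session)
            return False, None
        session.username = username
        session.authenticated = True
        clear_token(session)                      # never keep two tokens around
        if not self.gen_token:
            return True, None                     # --auth-gen-token off: behave as before
        session.auth_token = bytearray(secrets.token_bytes(TOKEN_BYTES))
        session.token_issued_at = self.clock()
        return True, "auth-token " + base64.b64encode(session.auth_token).decode("ascii")

    def reauthenticate(self, session, username, credential):
        """Renegotiation. While a token is outstanding only the token is checked and the
        user/pass verifier is NOT called (assumption: the client sends the base64 token in
        the password field). Any failure de-authenticates the session."""
        if session.auth_token is None:
            return self.authenticate(session, username, credential)[0]
        if username != session.username:          # tls_lock_username(): name must not change
            deauthenticate(session)
            return False
        if (self.token_lifetime is not None
                and self.clock() - session.token_issued_at > self.token_lifetime):
            deauthenticate(session)
            return False
        try:
            presented = base64.b64decode(credential, validate=True)
        except (binascii.Error, ValueError):      # not a well-formed base64 token at all
            deauthenticate(session)
            return False
        if not hmac.compare_digest(bytes(session.auth_token), presented):  # constant-time
            deauthenticate(session)
            return False
        return True
```

Two points the model makes visible: a failed token check does not fall back to the password inside the same attempt (the session is torn down and the client must start a fresh user/pass round, after which a new token is issued), and the comparison is constant-time so that a client holding a stale or guessed token learns nothing from timing.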