This sets the flag if the OpenVPN server should create authentication
tokens on-the-fly on successful --auth-user-pass-verify or --plugin with

If an OpenVPN server is running without this option, it should behave
as before.  Next patches will implement the auth-token generation and
passing it on to the clients.

The --auth-gen-token can be given an optional integer argument which
defines the lifetime of generated tokens.  The lifetime argument
must be given in number of seconds.

Signed-off-by: David Sommerseth <>
 doc/openvpn.8            | 16 ++++++++++++++++
 src/openvpn/init.c       |  2 ++
 src/openvpn/options.c    | 16 ++++++++++++++++
 src/openvpn/options.h    |  2 ++
 src/openvpn/ssl_common.h |  3 +++
 5 files changed, 39 insertions(+)

diff --git a/doc/openvpn.8 b/doc/openvpn.8
index 1c341ae..521bd9b 100644
--- a/doc/openvpn.8
+++ b/doc/openvpn.8
@@ -3595,6 +3595,22 @@ For a sample script that performs PAM authentication, see
 in the OpenVPN source distribution.
+.B \-\-auth\-gen\-token [lifetime]
+After successful user/password authentication, the OpenVPN
+server will with this option generate a temporary
+authentication token and push that to client.  On the following
+renegotiations, the OpenVPN client will pass this token instead
+of the users password.  On the server side the server will do
+the token authentication internally and it will NOT do any
+additional authentications against configured external
+user/password authentication mechanisms.
+This feature is useful for environments which is configured
+to use One Time Passwords (OTP) as part of the user/password
+authentications and that authentication mechanism does not
+implement any auth-token support.
 .B \-\-opt\-verify
 Clients that connect with options that are incompatible
 with those of the server will be disconnected.
diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index cc8e945..5a8cb1f 100644
--- a/src/openvpn/init.c
+++ b/src/openvpn/init.c
@@ -2427,6 +2427,8 @@ do_init_crypto_tls (struct context *c, const unsigned int 
   if (options->ccd_exclusive)
     to.client_config_dir_exclusive = options->client_config_dir;
   to.auth_user_pass_file = options->auth_user_pass_file;
+  to.auth_generate_token = options->auth_generate_token;
+  to.auth_token_lifetime = options->auth_token_lifetime;
   to.x509_track = options->x509_track;
diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index 1ed14b0..1037619 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -445,6 +445,11 @@ static const char usage_message[] =
   "                  run command cmd to verify.  If method='via-env', pass\n"
   "                  user/pass via environment, if method='via-file', pass\n"
   "                  user/pass via temporary file.\n"
+  "--auth-gen-token  [lifetime] Generate a random authentication token which 
is pushed\n"
+  "                  to each client, replacing the password.  Usefull when\n"
+  "                  OTP based two-factor auth mechanisms are in use and\n"
+  "                  --reneg-* options are enabled. Optionally a lifetime in 
+  "                  for generated tokens can be set.\n"
   "--opt-verify    : Clients that connect with options that are incompatible\n"
   "                  with those of the server will be disconnected.\n"
   "--auth-user-pass-optional : Allow connections by clients that don't\n"
@@ -864,6 +869,7 @@ init_options (struct options *o, const bool init_gc)
 #ifdef ENABLE_PKCS11
   o->pkcs11_pin_cache_period = -1;
 #endif                 /* ENABLE_PKCS11 */
+  o->auth_generate_token = false;
 /* tmp is only used in P2MP server context */
@@ -1264,6 +1270,8 @@ show_p2mp_parms (const struct options *o)
   SHOW_INT (max_routes_per_client);
   SHOW_STR (auth_user_pass_verify_script);
   SHOW_BOOL (auth_user_pass_verify_script_via_file);
+  SHOW_BOOL (auth_generate_token);
+  SHOW_INT (auth_token_lifetime);
   SHOW_STR (port_share_host);
   SHOW_STR (port_share_port);
@@ -2194,6 +2202,8 @@ options_postprocess_verify_ce (const struct options 
*options, const struct conne
              "tcp-nodelay in the server configuration instead.");
       if (options->auth_user_pass_verify_script)
        msg (M_USAGE, "--auth-user-pass-verify requires --mode server");
+      if (options->auth_generate_token)
+       msg (M_USAGE, "--auth-gen-token requires --mode server");
       if (options->port_share_host || options->port_share_port)
        msg (M_USAGE, "--port-share requires TCP server mode (--mode server 
--proto tcp-server)");
@@ -5973,6 +5983,12 @@ add_option (struct options *options,
                       p[1], "auth-user-pass-verify", true);
+  else if (streq (p[0], "auth-gen-token"))
+    {
+      options->auth_generate_token = true;
+      options->auth_token_lifetime = p[1] ? positive_atoi (p[1]) : 0;
+    }
   else if (streq (p[0], "client-connect") && p[1])
diff --git a/src/openvpn/options.h b/src/openvpn/options.h
index 9b7b57c..d259df7 100644
--- a/src/openvpn/options.h
+++ b/src/openvpn/options.h
@@ -443,6 +443,8 @@ struct options
   const char *auth_user_pass_verify_script;
   bool auth_user_pass_verify_script_via_file;
+  bool auth_generate_token;
+  unsigned int auth_token_lifetime;
   char *port_share_host;
   char *port_share_port;
diff --git a/src/openvpn/ssl_common.h b/src/openvpn/ssl_common.h
index eb2ad6f..60121db 100644
--- a/src/openvpn/ssl_common.h
+++ b/src/openvpn/ssl_common.h
@@ -289,6 +289,9 @@ struct tls_options
   bool auth_user_pass_verify_script_via_file;
   const char *tmp_dir;
   const char *auth_user_pass_file;
+  bool auth_generate_token;     /**< Generate auth-tokens on successful 
user/pass auth,
+                                 *   set via options->auth_generate_token. */
+  unsigned int auth_token_lifetime;
   /* use the client-config-dir as a positive authenticator */
   const char *client_config_dir_exclusive;

Check out the vibrant tech community on one of the world's most 
engaging tech sites,!
Openvpn-devel mailing list

Reply via email to