This new feature enables re-authentication of on-going sessions without
asking the user for a new password.  This is in particular useful when
the authentication scheme is based on One Time Passwords (OTP).

When OTP is used and without auth-token support in the authentication module
OpenVPN is configured to use, the clients will be asked for a new OTP each
time OpenVPN starts a re-negotiation.  What often happens is that this
re-negotiation is disabled to avoid this.

OpenVPN does provide a remedy to this, by pushing a unique auth-token value
to each client.  Then the authentication module needs to keep track of which
client is using which auth-token value.  When a client receives the pushed
auth-token option and the attached value, it replaces the locally saved
password with this token value.  So for all coming re-authentications, the
client will send this value as the password instead of the users password.

But not all authentication modules adds support for this feature.  By adding
--auth-gen-token to the server configuration, the OpenVPN server will take
care of the auth-token processing and authentication.  This also means that
the server will not call the configured authentication module on
re-negotiations; it will do the re-negotiation internally by itself.

This feature may just as well be useful for non-OTP configurations as well.
Unless the OpenVPN client is configured with --auth-nocache, it will save
the users password in-memory for the lifetime of the OpenVPN session.  Using
this feature that password will be replaced by the auth-token instead.

The patch-set this thread covers focuses only on this new --auth-gen-token
feature.  The --auth-token option added to OpenVPN 2.3, but never properly
documented.  The --auth-token documentation is tracked in this mail thread:

One remark regarding PATCH 1/5.  This patch is needed by PATCH 5/5.  I just
chose to split it out as a separate patch to make the core auth-gen-token
patches easier to review.  This patch can be moved anywhere before PATCH 5/5
or squashed into PATCH 5/5 if that is requested.

David Sommerseth (5):
  Move memcmp_constant_time() to crypto.h
  auth-gen-token: Add --auth-gen-token option
  auth-gen-token: Generate an auth-token per client
  auth-gen-token: Push generated auth-tokens to the client
  auth-gen-token: Authenticate generated auth-tokens when client

 doc/openvpn.8            | 16 ++++++++++
 src/openvpn/crypto.c     | 18 -----------
 src/openvpn/crypto.h     | 18 +++++++++++
 src/openvpn/init.c       |  2 ++
 src/openvpn/misc.c       |  5 +++
 src/openvpn/options.c    | 16 ++++++++++
 src/openvpn/options.h    |  2 ++
 src/openvpn/push.c       |  9 +++++-
 src/openvpn/ssl.c        |  6 ++++
 src/openvpn/ssl_common.h | 11 +++++++
 src/openvpn/ssl_verify.c | 83 ++++++++++++++++++++++++++++++++++++++++++++++++
 11 files changed, 167 insertions(+), 19 deletions(-)


Check out the vibrant tech community on one of the world's most 
engaging tech sites,!
Openvpn-devel mailing list

Reply via email to