Re: [Openvpn-devel] [PATCH 2/5] auth-gen-token: Add --auth-gen-token option

Fri, 14 Oct 2016 01:46:11 -0700 


On 13-10-16 21:59, David Sommerseth wrote:
> This sets the flag if the OpenVPN server should create authentication
> tokens on-the-fly on successful --auth-user-pass-verify or --plugin with
> OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY processing.
> 
> If an OpenVPN server is running without this option, it should behave
> as before.  Next patches will implement the auth-token generation and
> passing it on to the clients.
> 
> The --auth-gen-token can be given an optional integer argument which
> defines the lifetime of generated tokens.  The lifetime argument
> must be given in number of seconds.
> 
> Signed-off-by: David Sommerseth <dav...@openvpn.net>
> ---
>  doc/openvpn.8            | 16 ++++++++++++++++
>  src/openvpn/init.c       |  2 ++
>  src/openvpn/options.c    | 16 ++++++++++++++++
>  src/openvpn/options.h    |  2 ++
>  src/openvpn/ssl_common.h |  3 +++
>  5 files changed, 39 insertions(+)
> 
> diff --git a/doc/openvpn.8 b/doc/openvpn.8
> index 1c341ae..521bd9b 100644
> --- a/doc/openvpn.8
> +++ b/doc/openvpn.8
> @@ -3595,6 +3595,22 @@ For a sample script that performs PAM authentication, 
> see
>  in the OpenVPN source distribution.
>  .\"*********************************************************
>  .TP
> +.B \-\-auth\-gen\-token [lifetime]
> +After successful user/password authentication, the OpenVPN
> +server will with this option generate a temporary
> +authentication token and push that to client.  On the following
> +renegotiations, the OpenVPN client will pass this token instead
> +of the users password.  On the server side the server will do
> +the token authentication internally and it will NOT do any
> +additional authentications against configured external
> +user/password authentication mechanisms.

This should mention that a lifetime of 0 indicates 'never expires'.

> +This feature is useful for environments which is configured
> +to use One Time Passwords (OTP) as part of the user/password
> +authentications and that authentication mechanism does not
> +implement any auth-token support.
> +.\"*********************************************************
> +.TP
>  .B \-\-opt\-verify
>  Clients that connect with options that are incompatible
>  with those of the server will be disconnected.
> diff --git a/src/openvpn/init.c b/src/openvpn/init.c
> index cc8e945..5a8cb1f 100644
> --- a/src/openvpn/init.c
> +++ b/src/openvpn/init.c
> @@ -2427,6 +2427,8 @@ do_init_crypto_tls (struct context *c, const unsigned 
> int flags)
>    if (options->ccd_exclusive)
>      to.client_config_dir_exclusive = options->client_config_dir;
>    to.auth_user_pass_file = options->auth_user_pass_file;
> +  to.auth_generate_token = options->auth_generate_token;
> +  to.auth_token_lifetime = options->auth_token_lifetime;
>  #endif
>  
>    to.x509_track = options->x509_track;
> diff --git a/src/openvpn/options.c b/src/openvpn/options.c
> index 1ed14b0..1037619 100644
> --- a/src/openvpn/options.c
> +++ b/src/openvpn/options.c
> @@ -445,6 +445,11 @@ static const char usage_message[] =
>    "                  run command cmd to verify.  If method='via-env', pass\n"
>    "                  user/pass via environment, if method='via-file', pass\n"
>    "                  user/pass via temporary file.\n"
> +  "--auth-gen-token  [lifetime] Generate a random authentication token which 
> is pushed\n"
> +  "                  to each client, replacing the password.  Usefull when\n"
> +  "                  OTP based two-factor auth mechanisms are in use and\n"
> +  "                  --reneg-* options are enabled. Optionally a lifetime in 
> seconds\n"
> +  "                  for generated tokens can be set.\n"
>    "--opt-verify    : Clients that connect with options that are 
> incompatible\n"
>    "                  with those of the server will be disconnected.\n"
>    "--auth-user-pass-optional : Allow connections by clients that don't\n"
> @@ -864,6 +869,7 @@ init_options (struct options *o, const bool init_gc)
>  #ifdef ENABLE_PKCS11
>    o->pkcs11_pin_cache_period = -1;
>  #endif                       /* ENABLE_PKCS11 */
> +  o->auth_generate_token = false;
>  
>  /* tmp is only used in P2MP server context */
>  #if P2MP_SERVER
> @@ -1264,6 +1270,8 @@ show_p2mp_parms (const struct options *o)
>    SHOW_INT (max_routes_per_client);
>    SHOW_STR (auth_user_pass_verify_script);
>    SHOW_BOOL (auth_user_pass_verify_script_via_file);
> +  SHOW_BOOL (auth_generate_token);
> +  SHOW_INT (auth_token_lifetime);
>  #if PORT_SHARE
>    SHOW_STR (port_share_host);
>    SHOW_STR (port_share_port);
> @@ -2194,6 +2202,8 @@ options_postprocess_verify_ce (const struct options 
> *options, const struct conne
>               "tcp-nodelay in the server configuration instead.");
>        if (options->auth_user_pass_verify_script)
>       msg (M_USAGE, "--auth-user-pass-verify requires --mode server");
> +      if (options->auth_generate_token)
> +     msg (M_USAGE, "--auth-gen-token requires --mode server");
>  #if PORT_SHARE
>        if (options->port_share_host || options->port_share_port)
>       msg (M_USAGE, "--port-share requires TCP server mode (--mode server 
> --proto tcp-server)");
> @@ -5973,6 +5983,12 @@ add_option (struct options *options,
>                      &options->auth_user_pass_verify_script,
>                      p[1], "auth-user-pass-verify", true);
>      }
> +  else if (streq (p[0], "auth-gen-token"))
> +    {
> +      VERIFY_PERMISSION (OPT_P_GENERAL);
> +      options->auth_generate_token = true;
> +      options->auth_token_lifetime = p[1] ? positive_atoi (p[1]) : 0;
> +    }
>    else if (streq (p[0], "client-connect") && p[1])
>      {
>        VERIFY_PERMISSION (OPT_P_SCRIPT);
> diff --git a/src/openvpn/options.h b/src/openvpn/options.h
> index 9b7b57c..d259df7 100644
> --- a/src/openvpn/options.h
> +++ b/src/openvpn/options.h
> @@ -443,6 +443,8 @@ struct options
>  
>    const char *auth_user_pass_verify_script;
>    bool auth_user_pass_verify_script_via_file;
> +  bool auth_generate_token;
> +  unsigned int auth_token_lifetime;

Since we're discussing naming stuff on IRC now anyway, I'd suggest to
give these strongly related variables a common auth_token_* prefix, e.g.
auth_token_generate and auth_token_lifetime.

>  #if PORT_SHARE
>    char *port_share_host;
>    char *port_share_port;
> diff --git a/src/openvpn/ssl_common.h b/src/openvpn/ssl_common.h
> index eb2ad6f..60121db 100644
> --- a/src/openvpn/ssl_common.h
> +++ b/src/openvpn/ssl_common.h
> @@ -289,6 +289,9 @@ struct tls_options
>    bool auth_user_pass_verify_script_via_file;
>    const char *tmp_dir;
>    const char *auth_user_pass_file;
> +  bool auth_generate_token;     /**< Generate auth-tokens on successful 
> user/pass auth,
> +                                 *   set via options->auth_generate_token. */
> +  unsigned int auth_token_lifetime;

Same as above :)

Other than that, patch looks good.  I do think it shouldn't be applied
until 3/5 to 5/5 are ready to be applied too.

-Steffan

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most 
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

Reply via email to