On Thursday, 15 June 2017 1:13:16 AM AEST Steven Haigh wrote:
> On Thursday, 15 June 2017 12:42:53 AM AEST Selva Nair wrote:
> > On Wed, Jun 14, 2017 at 9:32 AM, Steven Haigh <[email protected]> wrote:
> > > script-security 2
> > > client-connect /etc/openvpn/yubikey-auth-tokens
> > > auth-user-pass-verify /etc/openvpn/yubikey-auth-tokens via-file
> > > client-cert-not-required
> > > username-as-common-name
> >
> > Why the last two entries? client-cert-not-required is not something one
> > should encourage users to do. Apart from that, yubikey verification may have
> > to be done asynchronously (using deferred auth), else connections to all
> > clients will stall during each verification, which may take some time.
>
> In my setup, I use username + OTP. I don't provide a client cert to each
> client.
>
> I wonder if I could use $ENV{'username'} in client-connect instead to make
> this a little more consistent. This would remove the need for
> 'username-as-common-name' to be set.
>
> How would a client cert as well as username/OTP affect this flow? Is that
> expected to be verified by client-connect or another script? Or is the cert
> validation done elsewhere - by openvpn in this case, I guess?
>
> (apologies, mail client fat finger - I sent this reply to openvpn-users
> first time around!)
Ok - in reviewing this, I've removed the use of the username in the first part of the token as generated in the 'client-connect' portion of the script. As we don't get a username in the client-connect, I've added a 64 char random string to the first part of the token. While this doesn't help crypto-wise, it assists in making it a little more difficult to predict.

The driving part behind this is to try and not have a static preset key used in the generation of the auth-token. Instead, we use system-specific and connection-specific things.

The upshot of this is that it removes the need to use the 'username-as-common-name' directive in the server config. It would then be up to the server operator if they wished to use client-cert-not-required and just utilise username + OTP, or issue client certs and use cert + username + OTP.

I'll post a v2 of this script when the client-side issues are taken care of within openvpn for auth-tokens and I am able to test the full loop around.

--
Steven Haigh
📧 [email protected]
💻 http://www.crc.id.au
📞 +61 (3) 9001 6090
📱 0412 935 897
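As an added illustration (not Steven's script, which is not on the list), the token flow described above in Python: a 64-character random part, bound by HMAC to connection-specific values under a per-server-instance secret rather than a static preset key, issued from client-connect and checked from auth-user-pass-verify. The environment variable names common_name and trusted_ip, the via-file layout (username on line 1, password on line 2), the in-memory store and the one-hour TTL are assumptions made for the example.

```python
import hmac, hashlib, secrets, time

# Assumed: a secret created when the server instance starts (e.g. read from a
# root-only file), so no static preset key is baked into the script.
INSTANCE_SECRET = secrets.token_bytes(32)
TOKEN_TTL = 3600  # seconds a pushed token stays valid (assumed policy)
_issued = {}      # token -> (common_name, trusted_ip, issued_at); demo store

def bind(random_part, env):
    """HMAC the random part to connection-specific values, so a token captured
    from one session is useless from another address or identity."""
    msg = "|".join([random_part, env["common_name"], env["trusted_ip"]]).encode()
    return hmac.new(INSTANCE_SECRET, msg, hashlib.sha256).hexdigest()

def issue_token(env, now=None):
    """client-connect side: 64 hex chars of randomness + 64 hex chars of binding."""
    random_part = secrets.token_hex(32)          # 64 characters
    token = random_part + bind(random_part, env)
    _issued[token] = (env["common_name"], env["trusted_ip"],
                      time.time() if now is None else now)
    return token

def client_connect_directive(env):
    """Line the client-connect script would write to the per-client config file
    OpenVPN passes as its first argument (assumed usage)."""
    return 'push "auth-token %s"' % issue_token(env)

def parse_via_file(text):
    """via-file format: username on line 1, password (here the token) on line 2."""
    lines = text.splitlines()
    return lines[0], lines[1]

def verify_token(password, env, now=None):
    """auth-user-pass-verify side: accept only an unexpired token issued to the
    same common name and source address. False means fall back to the OTP check."""
    now = time.time() if now is None else now
    rec = _issued.get(password)
    if rec is None or len(password) != 128:
        return False
    cn, ip, issued_at = rec
    if now - issued_at > TOKEN_TTL:
        _issued.pop(password)                    # expired: forget it
        return False
    expected = password[:64] + bind(password[:64], env)
    return (hmac.compare_digest(expected, password)
            and cn == env["common_name"] and ip == env["trusted_ip"])
```

The store lookup is local and fast, so only the OTP fallback (not shown) is the slow step that Selva's deferred-auth remark concerns.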
_______________________________________________
Openvpn-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
