Hi,

On Thu, Jun 15, 2017 at 12:50:40PM +1000, Steven Haigh wrote:
> I'm just trying to figure out if it's expected behaviour to have the
> 'username' set in the environment when using the auth-user-pass-verify
> script.

The code in question (ssl_verify.c) is older than the involvement of any
of the currently-active developers... but JJK or Ecrist might know.

Anyway, what the code *says* is:

ssl_verify.c, about line 1095:

    verify_user_pass_script(...)
    {
        ...
        /* Set environmental variables prior to calling script */
        if (session->opt->auth_user_pass_verify_script_via_file)
        {
            ... (no setenv here)
        }
        else
        {
            setenv_str(session->opt->es, "username", up->username);
            setenv_str(session->opt->es, "password", up->password);
        }

so, yes, that is what it *does* - "username" is only ever set together
with "password", and that's only setenv'ed if you do not use "via-file".

Now, that is about calling the --verify-auth-user-pass, but I think the
"es" (environment set) being affected here is the global per-connection
es (not something local to this function), so that would affect
--client-connect as well.

[..]
> The auth-user-pass-verify documentation states:
> If method is set to "via-env", OpenVPN will call script with the
> environmental variables username and password set to the
> username/password strings provided by the client. Be aware that this
> method is insecure on some platforms which make the environment of a
> process publicly visible to other unprivileged processes.

This "some platforms" is actually something we should eventually verify
and clearly spell out - because Linux and all recent BSDs do *not* show
the environment to other unprivileged users.

[..]
> No mention of the username env variable when using via-file - but this
> gives me the impression that the username should *not* be set in the
> environment - but it should be in the file.
>
> So - bug or feature?

Username and Password are always handled in tandem when talking about
--auth-user-pass-verify, so "both in environment" or "none of them".

Now, if you use a *plugin* (or the management interface), the code will
always set both in the es, and delete the password(!) afterwards,
leaving the username intact...

Looking from a given distance, I'd say that this is a bug, and "username"
should probably always be visible in the es (if present), while password
should not.

If you want to experiment: go to ssl_verify.c, and move line 1123
(master) outside the else {} block:

old:
    else
    {
        setenv_str(session->opt->es, "username", up->username);
        setenv_str(session->opt->es, "password", up->password);
    }

new:
    else
    {
        setenv_str(session->opt->es, "password", up->password);
    }
    setenv_str(session->opt->es, "username", up->username);

... then it should show up in client-connect as well.

gert
-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             g...@greenie.muc.de
fax: +49-89-35655025                        g...@net.informatik.tu-muenchen.de
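Added example (not code from this thread or from OpenVPN): an --auth-user-pass-verify hook that copes with both delivery modes discussed above, reading the two-line temp file passed as $1 under via-file and falling back to the exported username/password variables under via-env, so it never depends on the environment carrying credentials. The inline credential table and the install name auth-hook.sh are constructed assumptions for the demo.

```shell
#!/bin/sh
# Hypothetical --auth-user-pass-verify hook (added example, not OpenVPN code).
#   via-file: OpenVPN passes a temp file as $1; line 1 is the username,
#             line 2 the password, and nothing is exported to the environment.
#   via-env : $1 is empty and OpenVPN exports "username" and "password".
# Exit status 0 accepts the client, anything else rejects it.

# Constructed credential table for the demo (user:password). A real hook
# would query PAM, LDAP or similar instead of holding secrets in the script.
DEMO_CREDS="alice:correct-horse
bob:battery-staple"

# read_creds FILE: load CRED_USER / CRED_PASS from FILE (via-file) or, when
# FILE is empty, from the environment (via-env). Returns 1 if either is missing.
read_creds() {
    if [ -n "$1" ]; then
        [ -r "$1" ] || return 1
        CRED_USER=$(sed -n '1p' "$1")
        CRED_PASS=$(sed -n '2p' "$1")
    else
        CRED_USER=${username:-}
        CRED_PASS=${password:-}
    fi
    [ -n "$CRED_USER" ] && [ -n "$CRED_PASS" ]
}

# valid_username NAME: reject names with characters that could confuse
# downstream scripts or logs (the username is re-exported to client-connect).
valid_username() {
    case "$1" in
        ''|*[!A-Za-z0-9._@-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# verify_creds USER PASS: 0 when the exact pair is in DEMO_CREDS, 1 otherwise.
verify_creds() {
    valid_username "$1" || return 1
    printf '%s\n' "$DEMO_CREDS" | grep -qxF "$1:$2"
}

# main [FILE]: the script's exit status becomes OpenVPN's accept/reject decision.
main() {
    read_creds "${1:-}" && verify_creds "$CRED_USER" "$CRED_PASS"
}

# Run the hook only when OpenVPN invokes the installed script by name (assumed
# to be auth-hook.sh), so the functions can also be sourced for testing.
case "$0" in
    */auth-hook.sh|auth-hook.sh) main "$@" ;;
esac
```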
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel