Hi Simon,

Really great to see all your patches!  Thanks a lot!


On 11/10/17 15:45, si...@rozman.si wrote:
> From: Simon Rozman <si...@rozman.si>
> 
> Authentication tokens are a security enhancement eliminating the client's
> need to cache passwords, and are indispensable for two-factor
> authentication methods, such as HOTP or TOTP.
> 
> The ">PASSWORD:Auth-Token" message was not mentioned anywhere in
> the OpenVPN Management Interface Notes. This patch adds a simple use
> case example, while the more detailed feature description remains
> explained in the OpenVPN manual.
> ---
>  doc/management-notes.txt | 7 +++++++
>  1 file changed, 7 insertions(+)
> 
> diff --git a/doc/management-notes.txt b/doc/management-notes.txt
> index 0e7a7d4..c31ff5c 100644
> --- a/doc/management-notes.txt
> +++ b/doc/management-notes.txt
> @@ -317,6 +317,13 @@ COMMAND -- password and username
>  
>      >PASSWORD:Verification Failed: 'custom server-generated string'
>  
> +  Example 6: If server pushes --auth-token to the client, the OpenVPN
> +  will produce a real-time PASSWORD message:
> +
> +    >PASSWORD:Auth-Token:foobar
> +
> +  The client should replace the local password with the "foobar".
> +
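Review bot: the last sentence of the new Example 6 (`+  The client should replace the local password with the "foobar".`) documents behaviour that the reply in this thread says no longer applies from OpenVPN 2.4.4, where the core caches the pushed token itself and a management client can ignore the `>PASSWORD:Auth-Token:` line; either drop that sentence or qualify it as pre-2.4.4 behaviour so the notes do not tell management clients to keep a copy of the token that the core already handles. Two smaller points in the same lines: "the OpenVPN will produce" reads better as "the OpenVPN client will produce", and it is worth saying that `foobar` stands in for a server-generated token value so readers do not take it as a fixed string.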

This area is part of the code I've been involved with fairly recently.

You are not incorrect, and this was the behaviour until we released
OpenVPN 2.4.4.  As of v2.4.4, the >PASSWORD: line will be sent to the
management interface, but the code which implements usage of the
management interface can basically ignore it.  The caching of the
token is now handled properly by the OpenVPN core, even if you are using
--auth-nocache in the client config.

(Quick remark, it seems we did not fix this issue in v2.3 at all, it
only has a partial fix but is lacking a backport of commit 3322c558fa7)

We might actually consider removing the >PASSWORD: response in the future.

I can give this patch an ACK if we just remove the line about "replacing
the local password".  For me, that can be done on the fly at commit time
in this case.


-- 
kind regards,

David Sommerseth
OpenVPN, Inc
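As an added example (not from this thread or the OpenVPN project), a minimal parser for the two `>PASSWORD:` real-time messages quoted above, `Verification Failed` and `Auth-Token`; the `openvpn_version` parameter and the `replace_password` flag are my own device for the pre-/post-2.4.4 distinction David describes, and the sample lines are constructed.

```python
import re

# Real-time messages from the OpenVPN management interface start with '>'.
# The two ">PASSWORD:" forms quoted in this thread (regexes are mine):
#   >PASSWORD:Verification Failed: 'custom server-generated string'
#   >PASSWORD:Auth-Token:foobar
_VERIFICATION_FAILED = re.compile(
    r"^>PASSWORD:Verification Failed: '(?P<reason>.*)'$")
_AUTH_TOKEN = re.compile(r"^>PASSWORD:Auth-Token:(?P<token>.+)$")

# First release in which the OpenVPN core caches the pushed token itself,
# so a management client no longer needs to replace its local password.
_CORE_CACHES_TOKEN_FROM = (2, 4, 4)


def parse_password_message(line, openvpn_version=_CORE_CACHES_TOKEN_FROM):
    """Classify one management-interface line.

    Returns a dict describing the event, or None when the line is not a
    '>PASSWORD:' real-time message.  'replace_password' tells a management
    client whether it must store the token itself (only before 2.4.4).
    The token is a credential: callers should not log the returned value.
    """
    line = line.rstrip("\r\n")
    m = _VERIFICATION_FAILED.match(line)
    if m:
        return {"event": "verification_failed", "reason": m.group("reason")}
    m = _AUTH_TOKEN.match(line)
    if m:
        return {
            "event": "auth_token",
            "token": m.group("token"),
            "replace_password": openvpn_version < _CORE_CACHES_TOKEN_FROM,
        }
    return None


def parse_stream(lines, openvpn_version=_CORE_CACHES_TOKEN_FROM):
    """Run the classifier over a sequence of lines, keeping only PASSWORD events."""
    events = [parse_password_message(l, openvpn_version) for l in lines]
    return [e for e in events if e is not None]


if __name__ == "__main__":
    # Constructed sample of management-interface output, not a real capture.
    sample = [
        "SUCCESS: real-time state notification set to ON",
        ">PASSWORD:Auth-Token:foobar",
        ">PASSWORD:Verification Failed: 'custom server-generated string'",
    ]
    for ev in parse_stream(sample, openvpn_version=(2, 3, 18)):
        print({k: v for k, v in ev.items() if k != "token"})
```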

