Am 08.02.18 um 16:31 schrieb Selva Nair:
> Hi,
> 
> On Thu, Feb 8, 2018 at 7:20 AM, David Sommerseth
> <open...@sf.lists.topphemmelig.net> wrote:
>> On 08/02/18 04:36, Antonio Quartulli wrote:
>>>
>>>
>>> On 08/02/18 04:41, David Sommerseth wrote:
>>>> On 07/02/18 21:21, Selva Nair wrote:
>>>>
>>>>> In my view auth-token handling in openvpn.exe is broken at multiple 
>>>>> levels:
>>>>>
>>>>> Client process:
>>>>> (i) it should not remember the token after a reconnect is issued
>>>>
>>>> Agreed.  This should trigger retrieving new user input in regards to 
>>>> SIGHUP at
>>>> least.  Not sure yet about SIGUSR1 though.  SIGHUP has a cleared semantic
>>>> though (hang-up).
>>>
>>> I discussed this Arne as well as he also had users complaining about this.
>>>
>>> The conclusion we came was that it may be meaningful, upon reconnection,
>>> to try sending the token once (the token might be handled by external
>>> server side scripts and might still be alive, so one attempt is worth)
>>> and if it fails then we should dump the token, ask the user for the
>>> password and reconnect.
> 
> But this is the current behaviour, isn't it? So what's the difference?
> I think its wrong to reuse auth-token of one "connection"  in another
> one.  A client restart leads to a new connection and that should get a
> new token. Else a stolen token could be used in a new TLS session --
> may sound far-fetched as one also has to steal the private key, but as
> far as a user is concerned token is a place holder for their password
> and OTP. It should be reused only for reneg.
> 
> I think the correct and easy fix is to wipe the token on the client
> when it restarts by SIGUSR1 or SIGHUP.  If a server side script
> doesn't like it that script is anyway broken.

No it isn't. Current behaviour is to exit with AUTH_FAILED in that case.

And always forgetting it on SIGUSR1 with normal reconnect will
absolutely annoy users with mobile devices and otp password. Every roam
between wifi and mobile will then reask for the password. SOmething the
auth-token is designed to avoid.

Arne

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

Reply via email to