Hi,

On Tue, Jul 24, 2018 at 10:34:53PM -0400, selva.n...@gmail.com wrote:
> From: Selva Nair <selva.n...@gmail.com>
> 
> If static challenge is in use, the password passed to the plugin by openvpn
> is of the form "SCRV1:base64-pass:base64-response". Parse this string to
> separate it into password and response and use them to respond to queries
> in the pam conversation function.
> 
> On the plugin parameters line the substitution keyword for the static
> challenge response is "OTP". For example, for pam config named "test" that
> prompts for "user", "password" and "pin", use
> 
> plugin openvpn-auth-pam.so "test user USERNAME password PASSWORD pin OTP"
> 
> Signed-off-by: Selva Nair <selva.n...@gmail.com>
> 
> ---
> v2: Depends on the base64 export patch
> v3: match password string with "SCRV1:" instead of "SCRV1"
> (pointed out by Joe Bell <joeainte...@gmail.com>)

Nicely works and does what it says on the lid.  So...

Acked-By: Gert Doering <g...@greenie.muc.de>


I've tried to make it work for our use case, but in combination with
pam_auth_linotp, it actually doesn't work - the latter wants 
pin+otp to be "one string" (to be parsed by the server), so there
is no separate "OTP" challenge.

I've made it work by hacking a "combine password+otp together" substitution

+                    else if (strstr(match_value, "PASS+OTP"))
+                    {
+                       char temp[100];
+                       snprintf( temp, sizeof(temp), "%s%s", up->password, 
up->response );
+                        aresp[i].resp = searchandreplace(match_value, 
"PASS+OTP", temp);
+                   }
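Review bot: the fixed `char temp[100]` in this hunk silently truncates the concatenated password and response once their combined length reaches 100 bytes, so PAM would be handed a mangled credential with no error reported. Check the `snprintf` return value (`>= sizeof(temp)`) and fail the conversation in that case, or size the buffer from `strlen(up->password) + strlen(up->response) + 1` instead of a hard-coded 100.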

... but that's not exactly pretty.  It works, though :-)


Plugin logging is also something we should improve.  The current approach
"just log to stderr" is failing if the main openvpn process is started
by init/rc and stderr is not available...  we have logging functions
in the v3 api nowadays, so maybe we should use them :-)

 *
 * plugin_log
 * plugin_vlog : Use these functions to add information to the OpenVPN log file.
 *               Messages will only be displayed if the plugin_name parameter
 *               is set. PLOG_DEBUG messages will only be displayed with plug-in
 *               debug log verbosity (at the time of writing that's verb >= 7).



There's another catch which we might want to at least document: if you
build this plugin and run it from a slightly older openvpn binary which 
doesn't export the base64 functions, it will core dump most ungraciously

Aug  7 20:17:19 openvpn-tcp kernel: pid 49459 (openvpn), uid 0: exited on signal 11 (core dumped)

(unsurprisingly, jumping over an uninitialized function pointer)


So, shall we bump the plugin API version "with base64" to 5, and change
this plugin to actually check it?

(Applying it anyway, because this can all be addressed in a subsequent
patch)

gert

-- 
"If was one thing all people took for granted, was conviction that if you 
 feed honest figures into a computer, honest figures come out. Never doubted 
 it myself till I met a computer with a sense of humor."
                             Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany                             g...@greenie.muc.de
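As an added illustration of the two points discussed in this thread (splitting the "SCRV1:base64-pass:base64-response" string the commit message describes, and joining password and response for the "PASS+OTP" style substitution without silently truncating it), here is a self-contained C example. It is not code from the patch or from the openvpn-auth-pam plugin: the `struct user_pass` buffer sizes, the function names and the small inline base64 decoder are assumptions made for this example; a real plugin would call the base64 decode callback exported by the plugin API instead of carrying its own decoder.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Prefix OpenVPN puts in front of the password when a static challenge
 * response is bundled in: "SCRV1:base64-pass:base64-response". */
#define SCRV1_PREFIX "SCRV1:"

/* Buffer sizes are an assumption for this example, not the plugin's own. */
struct user_pass {
    char password[128];
    char response[128];
};

/* Minimal base64 decoder (assumption: stands in for the base64 decode
 * callback of the newer plugin API). Returns the decoded length, or -1 on
 * an invalid character or when the output buffer would overflow. */
static int b64_decode(const char *in, char *out, size_t outlen)
{
    static const char tbl[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    unsigned int acc = 0;
    int bits = 0;
    size_t n = 0;

    if (outlen == 0) {
        return -1;
    }
    for (; *in != '\0' && *in != '='; in++) {
        const char *p = strchr(tbl, *in);
        if (p == NULL) {
            return -1;                 /* not a base64 character */
        }
        acc = (acc << 6) | (unsigned int)(p - tbl);
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (n + 1 >= outlen) {     /* keep room for the terminator */
                return -1;
            }
            out[n++] = (char)((acc >> bits) & 0xff);
        }
    }
    out[n] = '\0';
    return (int)n;
}

/* Split "SCRV1:<b64 password>:<b64 response>" into its decoded parts.
 * Returns 1 when a static challenge response was present, 0 for a plain
 * password (response left empty), -1 when the string is malformed. Note
 * that the match is on "SCRV1:" with the colon, as the v3 changelog says. */
static int parse_scrv1(const char *raw, struct user_pass *up)
{
    const size_t plen = strlen(SCRV1_PREFIX);
    memset(up, 0, sizeof(*up));

    if (strncmp(raw, SCRV1_PREFIX, plen) != 0) {
        if (strlen(raw) >= sizeof(up->password)) {
            return -1;
        }
        strcpy(up->password, raw);
        return 0;
    }

    const char *b64pass = raw + plen;
    const char *sep = strchr(b64pass, ':');
    if (sep == NULL) {
        return -1;                     /* no second field */
    }
    char tmp[256];
    size_t len = (size_t)(sep - b64pass);
    if (len >= sizeof(tmp)) {
        return -1;
    }
    memcpy(tmp, b64pass, len);
    tmp[len] = '\0';

    if (b64_decode(tmp, up->password, sizeof(up->password)) < 0) {
        return -1;
    }
    if (b64_decode(sep + 1, up->response, sizeof(up->response)) < 0) {
        return -1;
    }
    return 1;
}

/* The "PASS+OTP" case: hand PAM password and response as one string, but
 * refuse to pass on a truncated credential instead of failing silently. */
static int combine_pass_otp(const struct user_pass *up, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "%s%s", up->password, up->response);
    if (n < 0 || (size_t)n >= outlen) {
        if (outlen > 0) {
            out[0] = '\0';
        }
        return -1;
    }
    return 0;
}

int main(void)
{
    /* Constructed sample: base64("secret") and base64("123456"). */
    const char *sample = "SCRV1:c2VjcmV0:MTIzNDU2";
    struct user_pass up;
    char joined[64];

    if (parse_scrv1(sample, &up) == 1
        && combine_pass_otp(&up, joined, sizeof(joined)) == 0) {
        printf("password=%s response=%s combined=%s\n",
               up.password, up.response, joined);
    }
    return 0;
}
```

The combine step returns an error rather than a truncated string, so the PAM conversation can be failed instead of authenticating against a credential the user never typed; the parser likewise rejects anything it cannot fully decode rather than guessing.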
