Hi,

On Tue, Aug 07, 2018 at 03:38:43PM -0400, Selva Nair wrote:
> > If I press return at the challenge prompt, it seems the SCRV1: string
> > is not formed the way the plugin wants it, and I end up with
> >
> >   pass=SCRV1%3AMTE5NQ%3D%3D
> 
> How to format this if response is empty is not clearly documented
> but my impression was that the second ':' (%3A) is required.
> 
> management-notes.txt specifies the format as
> 
> password "Auth" "SCRV1:<BASE64_PASSWORD>:<BASE64_RESPONSE>"

OK, so something is bugged, and it seems it's not the plugin.


> When password is read from stdin, it's formatted as (from misc.c line 358)
> 
> buf_printf(&packed_resp, "SCRV1:%s:%s", pw64, resp64);
> 
> So that should also contain the second colon.

This is a bit surprising.  So "something" is eating it between
"openvpn command line client", "openvpn server" and "plugin-auth-pam".

Interesting.

> > in the LinOTP URL - so, it didn't decode it, because the second ':'
> > was missing (if I put a blank in there, I get pass=mypin%20).
> >
> > Is this intentional?  Should it be that way?
> 
> If you are constructing the SCRV1: line using a custom UI,
> I would suggest to add the second colon. If using Windows-GUI or running
> OpenVPN from command line we'll need to fix this one place
> or the other.

Command line client (git:master/5961250e776194a4, what I happened to 
have lying around), run with a config file that has

  auth-user-pass
  auth-nocache
  auth-retry interact
  static-challenge "token value: " 1

in it, and pressing <return> at the

CHALLENGE: token value: _

prompt.

gert
-- 
"If was one thing all people took for granted, was conviction that if you 
 feed honest figures into a computer, honest figures come out. Never doubted 
 it myself till I met a computer with a sense of humor."
                             Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany                             g...@greenie.muc.de
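
An added example, not part of the original message and not OpenVPN or plugin code: a diagnostic parser for the "SCRV1:<BASE64_PASSWORD>:<BASE64_RESPONSE>" layout quoted above, which tells an empty response apart from a missing second colon. The function names, the status strings and the choice to percent-decode the input first are assumptions made for this illustration.

```python
import base64
from urllib.parse import unquote

PREFIX = "SCRV1:"

def format_scrv1(password, response):
    """Documented layout; the second ':' is emitted even for an empty response."""
    enc = lambda s: base64.b64encode(s.encode()).decode()
    return f"{PREFIX}{enc(password)}:{enc(response)}"

def _b64(field):
    # validate=True rejects characters outside the base64 alphabet
    return base64.b64decode(field, validate=True).decode()

def parse_scrv1(value):
    """Return (status, password, response) for a raw or percent-encoded value."""
    value = unquote(value)  # assumption: input may be URL-encoded, as in the log line
    if not value.startswith(PREFIX):
        return ("not-scrv1", None, None)
    fields = value[len(PREFIX):].split(":")  # ':' is not in the base64 alphabet
    try:
        if len(fields) == 1:
            # Separator absent: the response is unknown, not empty
            return ("missing-separator", _b64(fields[0]), None)
        if len(fields) == 2:
            # Well formed; the response may legitimately be ""
            return ("ok", _b64(fields[0]), _b64(fields[1]))
    except ValueError:  # binascii.Error and UnicodeDecodeError are ValueErrors
        return ("bad-base64", None, None)
    return ("too-many-fields", None, None)

if __name__ == "__main__":
    observed = "SCRV1%3AMTE5NQ%3D%3D"  # value quoted in the message above
    print(parse_scrv1(observed))
    print(format_scrv1("1195", ""))
```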
