On 15/05/20 17:40, David Sommerseth wrote:
On 15/05/2020 17:36, David Sommerseth wrote:
On 09/11/2019 16:13, Arne Schwabe wrote:
This implements sending AUTH_PENDING and INFO_PRE messages to clients
that indicate that the clients should continue authentication with
a second factor. This can currently be out of band (openurl) or a normal
challenge/response 2FA like TOTP (CR_TEXT).
Can we settle on a single CR_TEXT vs CRTEXT terminology? The 3/5 patch used
crtext in the documentation but cr_text in the commit message.
Signed-off-by: Arne Schwabe <a...@rfc2549.org>
---
doc/management-notes.txt | 26 +++++++++++++++++++++++
src/openvpn/manage.c | 46 ++++++++++++++++++++++++++++++++++++++++
src/openvpn/manage.h | 3 +++
src/openvpn/multi.c | 19 +++++++++++++++++
src/openvpn/push.c | 24 +++++++++++++++++++++
src/openvpn/push.h | 2 ++
6 files changed, 120 insertions(+)
diff --git a/doc/management-notes.txt b/doc/management-notes.txt
index e380ca2b..4b405a9b 100644
--- a/doc/management-notes.txt
+++ b/doc/management-notes.txt
@@ -592,6 +592,32 @@ interface to approve client connections.
CID,KID -- client ID and Key ID. See documentation for ">CLIENT:"
notification for more info.
+COMMAND -- client-sso-auth (OpenVPN 2.5 or higher)
+----------------------------------------------------
+
+Instruct OpenVPN server to send AUTH_PENDING and INFO_PRE signal
+a single sign on url to the client.
+
+ client-sso-auth {CID} {EXTRA}
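Review bot: The description added under the new COMMAND heading ("Instruct OpenVPN server to send AUTH_PENDING and INFO_PRE signal a single sign on url to the client.") does not parse as a sentence and mentions only a single sign-on URL, while the commit message says the second factor can be out of band (openurl) or a challenge/response such as TOTP (CR_TEXT). Suggest rewording it so it covers both cases named in the commit message, and saying what {EXTRA} is expected to contain, since the lines shown here give the syntax "client-sso-auth {CID} {EXTRA}" without defining EXTRA. Whichever of CR_TEXT or CRTEXT is chosen, this text should use the same spelling as the commit message.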
I think we should use a different naming for this than 'sso'. This is not
tied to only SSO (Single Sign-On). What about:
- client-extended-auth
- client-external-auth
- client-ext-auth
- client-additional-auth
- client-xauth
Another alternative popped up in my head, as CR/Challenge-Response is used a
lot in this context .... client-cr-auth .... but all of them are just
suggestions to avoid the 'sso' reference.
As long as the name is quite generic, I'm fine with most alternatives. But it
should be very generic. We have so many alternative auth methods these days:
Yubico OTP [1], TOTP/HOTP, FIDO/U2F, SAML, OAuth, Kerberos/GSSAPI, etc ...
[1] <https://developers.yubico.com/OTP/OTPs_Explained.html>
+1 on avoiding the 'sso' reference - this has nothing to do with
SSO/SAML/OAuth/OpenID etc etc and I think it would be unwise to suggest
that OpenVPN does something like "that" kind of SSO auth. Before we know
it users will start asking how they can link their Hotmail, FB or Google
account to their OpenVPN config....
JM2CW,
JJK