This patchset implements the basic blocks for a more flexible authentication protocol in OpenVPN. The basic idea is that instead of giving an immediate deny/accept, the client gets an additional challenge via the info message to a 2FA method or external authentication with URL (e.g. via SAML).
The patch already sends the AUTH_PENDING control message. An OpenVPN3 client needs this to scale back pull request frequency; OpenVPN2 currently logs a warning about an unknown. This will be fixed in a follow-up patch.

Currently both client and server side need a management interface to make the support work. For a server script follow-up patch, I am currently waiting for the client-connect patch set to be merged, and for the client side, David offered to help with getting an async password input working.

Arne Schwabe (5):
  Implement parsing and sending INFO and INFO_PRE control messages
  Implement support for signalling IV_SSO to server
  Implement sending response to challenge via CR_RESPONSE
  Implement sending AUTH_PENDING challenges to clients
  Implement forwarding client CR_RESPONSE messages to management

 doc/management-notes.txt | 130 ++++++++++++++++++++++++++++++++++++++-
 src/openvpn/forward.c    |  12 ++++
 src/openvpn/init.c       |  39 ++++++++++++
 src/openvpn/manage.c     | 113 +++++++++++++++++++++++++++++++++-
 src/openvpn/manage.h     |   9 +++
 src/openvpn/multi.c      |  19 ++++++
 src/openvpn/push.c       |  78 +++++++++++++++++++++++
 src/openvpn/push.h       |  12 ++++
 src/openvpn/ssl.c        |   4 +-
 9 files changed, 412 insertions(+), 4 deletions(-)

-- 
2.26.0