On 25/01/2021 13:56, Arne Schwabe wrote:
Signed-off-by: Arne Schwabe <a...@rfc2549.org> --- Changes.rst | 9 +++ doc/man-sections/script-options.rst | 3 + sample/sample-scripts/totpauth.py | 107 ++++++++++++++++++++++++++++ 3 files changed, 119 insertions(+) create mode 100755 sample/sample-scripts/totpauth.pydiff --git a/Changes.rst b/Changes.rst index 188bd8ab..d64c6d83 100644 --- a/Changes.rst +++ b/Changes.rst @@ -19,6 +19,15 @@ Pending auth support for plugins and scripts be used to parse a client response to a ``CR_TEXT`` two factor challenge.See ``sample/sample-scripts/totpauth.py`` for an example.+<<<<<<< HEAD +======= + +Deprecated features +------------------- +``inetd`` has been removed + This was a very limited and not-well-tested way to run OpenVPN, on TCP + and TAP mode only. +>>>>>>> 239e8cfd (Add example script demonstrating TOTP via auth-pending)
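Review bot: the Changes.rst hunk still contains unresolved merge-conflict markers (`<<<<<<< HEAD`, `=======`, `>>>>>>> 239e8cfd (Add example script demonstrating TOTP via auth-pending)`), so the file as patched is not valid reStructuredText; resolve the conflict so that only the intended "Deprecated features" text (or only the auth-pending note) remains before resubmitting.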
Ehm .... ;-) [...snip....]
diff --git a/sample/sample-scripts/totpauth.py b/sample/sample-scripts/totpauth.py new file mode 100755 index 00000000..95ac3529 --- /dev/null +++ b/sample/sample-scripts/totpauth.py @@ -0,0 +1,107 @@
[...snip...]
+ +import pprint
This shouldn't be needed.
+ +# Example script demonstrating how to use the auth-pending API in +# OpenVPN. This script is provided under MIT license to allow easy +# modification for other purposes. +# +# To use this script add the following lines in the openvpn config + +# client-crresponse /path/to/totpauth.py +# auth-user-pass-verify /path/to/totpauth.py via-file +# auth-user-pass-optional +# auth-gen-token + +# Note that this script does NOT verify username/password +# It is only meant for querying additional 2FA when certificates are +# used to authenticate + +secrets = {"styx": "OS6JDNRK2BNUPQVX", + "apate": "IXWEMP7SK2QWSHTG"}
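Review bot: the `secrets` dict hard-codes base32 TOTP seeds directly in the script source, and the header comment only says the script does not verify username/password; since the comment block already presents this as an example under MIT license, add a sentence there stating that the seeds are demonstration values and that a deployment must load them from a protected store rather than from the script file, so that copying the sample does not ship seeds in a world-readable script.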
Perhaps replace one of these user names with 'Test-Client', which is what our client.crt contains.
This does actually work reasonably well, BUT ... there are some things which could be improved in the documentation here.
Currently, both OpenVPN 2 and OpenVPN 3 Linux (which I tested) do not support crtext-based auth out of the box. But it's possible to work around that with OpenVPN 2.x. (I've tested v2.5.0 and git master). I used this config:
client
remote 127.0.0.1
dev tun
ca sample/sample-keys/ca.crt
key sample/sample-keys/client.key
cert sample/sample-keys/client.crt
nobind
explicit-exit-notify 3
management ./mngmt.sock unix
management-hold
management-query-passwords
setenv IV_SSO crtext

Then I used 'nc -U mngmt.sock' to connect to the management interface and issued the 'hold release' command and the 'cr-response' command with a base64-encoded TOTP value. I did update the totpauth.py script to use 'Test-Client' instead of one of the predefined user names.
So while this does work fine, it's not a straightforward way to test it out. And it requires client hackery (even though I bet this is not an issue using your Android app ;-)).
I don't think we need to update with more scripts or stuff like that, just mentioning more clearly that the client must support 'crtext' and it is possible with OpenVPN 2.x enabling the management interface and setting the IV_SSO env variable properly.
Otherwise, this generally looks good - but we should improve docs a bit more and fix those minor issues while at it.
-- kind regards, David Sommerseth OpenVPN Inc
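As an added example (not the patch's totpauth.py and not OpenVPN project code), the server-side check that the review above exercises by hand: the client answers the CR_TEXT challenge with a base64-encoded TOTP value, so the script has to decode that response and verify it against the user's seed. The code below implements RFC 4226/6238 HOTP/TOTP with HMAC-SHA1, accepts one step of clock skew on either side, compares in constant time, and fails closed on unknown users or malformed responses. The `SECRETS` dict, the `Test-Client` name and the seed (the RFC 6238 test seed, base32-encoded) are constructed for the example; the exact file format OpenVPN hands to a `client-crresponse` script is not shown on this page, so `verify_totp` takes the raw base64 string as an argument.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed demonstration data in the same shape as the patch's
# ``secrets`` dict. The seed is the RFC 6238 reference seed
# ("12345678901234567890", base32). A real deployment must load seeds
# from a protected store, never from the script file itself.
SECRETS = {
    "Test-Client": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ",
}

TOTP_STEP = 30      # seconds per time step (RFC 6238 default)
TOTP_DIGITS = 6     # code length


def hotp(seed_b32, counter, digits=TOTP_DIGITS):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 64-bit counter,
    dynamic truncation, then the low `digits` decimal digits."""
    padded = seed_b32.upper() + "=" * (-len(seed_b32) % 8)
    key = base64.b32decode(padded)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (digits, code % (10 ** digits))


def totp(seed_b32, now=None):
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    now = time.time() if now is None else now
    return hotp(seed_b32, int(now) // TOTP_STEP)


def decode_cr_response(raw):
    """Decode the base64 value the client sent for the challenge.
    Returns the digit string, or None for anything malformed (bad
    base64, non-ASCII, non-digit content) so the caller fails closed."""
    try:
        text = base64.b64decode(raw.strip(), validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    text = text.strip()
    return text if text.isdigit() else None


def verify_totp(username, b64_response, now=None, window=1):
    """Accept the code for the current step and +/-`window` neighbouring
    steps (clock skew). Every candidate is compared in constant time and
    the loop never exits early, so timing does not reveal which step
    matched. Unknown users and malformed responses always fail."""
    seed = SECRETS.get(username)
    code = decode_cr_response(b64_response)
    if seed is None or code is None:
        return False
    now = time.time() if now is None else now
    step = int(now) // TOTP_STEP
    ok = False
    for delta in range(-window, window + 1):
        ok |= hmac.compare_digest(hotp(seed, step + delta), code)
    return ok


if __name__ == "__main__":
    # Simulate the management-interface flow from the review: the client
    # computes the current code and sends it base64-encoded.
    response = base64.b64encode(totp(SECRETS["Test-Client"]).encode()).decode()
    print("client response:", response)
    print("accepted:", verify_totp("Test-Client", response))
```

The skew window is the one deliberate policy choice: a window of 1 step means a code stays valid for up to 90 seconds, so a deployment that wants stricter replay bounds should also record the last accepted step per user and refuse anything at or below it.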
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel