Hi,

On Thu, Mar 04, 2021 at 12:40:52PM +0100, Arne Schwabe wrote:
> This patch also refactors the if condition that checks the result of
> the authentication since that has become quite unreadable. It renames
> s1/s2 and extracts some parts of the condition into individual variables
> to make the condition better understandable
>
> Patch v2: add refactoring of the if condition
> Patch v4: fix documentation not mentioning method as 2nd line
Not sure yet what is happening, but this breaks deferred auth in plugins - as in "they always succeed".

I have some test cases using plugin-auth-pam which delays for about 15 seconds (querying a nonexisting radius server) and then checks a local auth+password file. One of the cases should succeed "but be delayed", one of the cases must fail "but delayed fail", because I send a username that does not exist.

With this patch applied, authentication *succeeds* very fast in both cases, even with wrong password.

The log file with this patch has:

2021-03-10 16:40:43 us=610286 2001:608:0:814::f000:21 VERIFY OK: depth=0, C=DE, ST=Bavaria, L=Munich, O=OpenVPN community project, OU=Server Testing, CN=cron2-freebsd-tc-amd64, emailAddress=g...@greenie.net
2021-03-10 16:40:43 us=612104 PLUGIN AUTH-PAM: do deferred auth '/tmp/openvpn_acf_2f305c6e47c6552f3e29e210b1c0baf.tmp'
2021-03-10 16:40:43 us=612428 PLUGIN AUTH-PAM: deferred authentication
2021-03-10 16:40:43 us=612823 PLUGIN AUTH-PAM: BACKGROUND: deferred auth for 'fbsd-tc-masterFoo', pid=21053
2021-03-10 16:40:43 us=612951 PLUGIN AUTH-PAM: cannot open '/tmp/openvpn_acf_2f305c6e47c6552f3e29e210b1c0baf.tmp' for writing: No such file or directory (errno=2)
2021-03-10 16:40:43 us=617812 2001:608:0:814::f000:21 TLS: Username/Password authentication deferred for username 'fbsd-tc-masterFoo'
2021-03-10 16:40:43 us=618636 2001:608:0:814::f000:21 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
2021-03-10 16:40:43 us=618674 2001:608:0:814::f000:21 [cron2-freebsd-tc-amd64] Peer Connection Initiated with [AF_INET6]2001:608:0:814::f000:21:40868
2021-03-10 16:40:43 us=618705 cron2-freebsd-tc-amd64/2001:608:0:814::f000:21 MULTI_sva: pool returned IPv4=194.97.145.74, IPv6=2001:608:3:814::1000
2021-03-10 16:40:43 us=625942 cron2-freebsd-tc-amd64/2001:608:0:814::f000:21 OPTIONS IMPORT: reading client specific options from: /tmp/openvpn_cc_1cdbffdecac750624e0d4deb89a7ad1d.tmp
...
2021-03-10 16:40:43 us=626454 cron2-freebsd-tc-amd64/2001:608:0:814::f000:21 SENT CONTROL [cron2-freebsd-tc-amd64]: 'PUSH_REPLY,route 10.204.0.0 255.255.0.0,route-ipv6 fd00:abcd:204::/48,tun-ipv6,route-gateway 194.97.145.73,topology subnet,ping 10,ping-restart 30,compress lz4,ifconfig-ipv6 2001:608:3:814::1000/64 2001:608:3:814::1,ifconfig 194.97.145.74 255.255.255.248,peer-id 0,auth-tokenSESS_ID,cipher AES-256-GCM,key-derivation tls-ekm' (status=1)

Actually, there is a script involved as well - the server config has

  # ASYNC (20s delay via pam_radius)
  setenv deferred_auth_pam 1
  plugin /.../openvpn-plugin-auth-pam.so "openvpn-global Login: USERNAME Password: PASSWORD"

  # also validate the shell interface while at it
  script-security 3
  auth-user-pass-verify /.../auth-user-pass-verify.sh via-env

If I remove the call to "auth-user-pass-verify", the plugin failure is correctly detected and signalled again. It also waits the proper 15 seconds again...

2021-03-10 16:44:31 us=527310 PLUGIN AUTH-PAM: BACKGROUND: deferred auth for 'fbsd-tc-masterFoo', pid=21861
2021-03-10 16:44:46 us=546819 PLUGIN AUTH-PAM: BACKGROUND: user 'fbsd-tc-masterFoo' failed to authenticate: User not known to the underlying authentication module
2021-03-10 16:44:47 us=992782 2001:608:0:814::f000:21 SENT CONTROL [cron2-freebsd-tc-amd64]: 'AUTH_FAILED' (status=1)

... and no error messages about the auth_control_file missing.

So, it seems the cleanup of this nasty bit of logic has actually broken it :-( (or introduced new and interesting corner cases)

I'll see if I can find sufficient brains to dig into this and see what is happening.

gert
--
"If was one thing all people took for granted, was conviction that if you feed honest figures into a computer, honest figures come out. Never doubted it myself till I met a computer with a sense of humor."
                             Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany                             g...@greenie.muc.de
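As an added illustration (not OpenVPN's code and not part of this thread): a small C model of the invariant the report implies, that a plugin result of "deferred" must not be overridden by a succeeding auth-user-pass-verify script, and that a pending deferral is only resolved by what the background helper writes to the auth control file ('1' success, '0' failure). The enum and function names are assumptions; only the control-file convention is OpenVPN's.

```c
#include <stdbool.h>
#include <stddef.h>

/* Hypothetical model of per-method verdicts (plugin, script) and how they
 * must fold into one connection-level verdict. Not OpenVPN's own types. */
enum auth_result { AUTH_FAIL = 0, AUTH_DEFERRED = 1, AUTH_OK = 2 };

/* Fold: any failure wins, then any pending deferral, and only when every
 * method has positively succeeded is the client authenticated. */
enum auth_result combine_auth(const enum auth_result *r, size_t n)
{
    bool deferred = false;
    for (size_t i = 0; i < n; i++) {
        if (r[i] == AUTH_FAIL) {
            return AUTH_FAIL;
        }
        if (r[i] == AUTH_DEFERRED) {
            deferred = true;
        }
    }
    return deferred ? AUTH_DEFERRED : AUTH_OK;
}

/* Convenience wrapper for exactly two methods (plugin + script). */
enum auth_result combine2(enum auth_result plugin, enum auth_result script)
{
    enum auth_result r[2] = { plugin, script };
    return combine_auth(r, 2);
}

/* Resolve a pending deferral from the byte the background helper writes to
 * the auth control file: '1' = success, '0' = failure. Anything else
 * (including no byte, e.g. the file is gone) keeps the deferral pending;
 * the caller must treat a pending deferral that times out as failure. */
enum auth_result resolve_deferred(enum auth_result pending, int control_byte)
{
    if (pending != AUTH_DEFERRED) {
        return pending;
    }
    if (control_byte == '1') {
        return AUTH_OK;
    }
    if (control_byte == '0') {
        return AUTH_FAIL;
    }
    return AUTH_DEFERRED;
}

/* The report's setup: plugin defers, script succeeds. The verdict must stay
 * deferred until the plugin's helper writes its result. */
enum auth_result report_scenario(int plugin_control_byte)
{
    return resolve_deferred(combine2(AUTH_DEFERRED, AUTH_OK), plugin_control_byte);
}
```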