On Wed, Sep 14, 2022 at 3:02 PM Antonio Quartulli <a...@unstable.cc> wrote:
> Until now, when HTTP proxy user and password were specified inline, > it was assumed that both creds were specified. A missing password would > result in an empty password being stored. > > This behaviour is not ideal, as we want to allow the user to store the > username, but let the password be entered via stdin. > > This affects both http proxy and authentication inline'd creds. > > Signed-off-by: Antonio Quartulli <a...@unstable.cc> > --- > Changes.rst | 4 +++- > src/openvpn/misc.c | 5 +++++ > 2 files changed, 8 insertions(+), 1 deletion(-) > > diff --git a/Changes.rst b/Changes.rst > index 2967533a..2daa97fb 100644 > --- a/Changes.rst > +++ b/Changes.rst > @@ -89,7 +89,9 @@ Data channel offloading with ovpn-dco > > Inline auth username and password > Username and password can now be specified inline in the > configuration file > - within the <auth-user-pass></auth-user-pass> tags. > + within the <auth-user-pass></auth-user-pass> tags. If the password is > + missing OpenVPN will prompt for input via stdin. This applies to > inline'd > + http-proxy-user-pass too. > > > Deprecated features > diff --git a/src/openvpn/misc.c b/src/openvpn/misc.c > index 07f6e202..50f7f975 100644 > --- a/src/openvpn/misc.c > +++ b/src/openvpn/misc.c 
> @@ -197,6 +197,11 @@ get_user_pass_cr(struct user_pass *up, > buf_parse(&buf, '\n', up->username, USER_PASS_LEN); > } > buf_parse(&buf, '\n', up->password, USER_PASS_LEN); > + > + if (strlen(up->password) == 0) > + { > + password_from_stdin = 1; > This works when stdin is available, but reading username from file and password from the management interface is still not possible. Currently, if --management-query-passwords and --auth-user-pass are used, the file must contain username and password (management i/f not queried). This patch allows username only files, but only if reading from stdin is possible. It may be a bit tricky to prompt the management interface in such cases, but if we are improving the UX, this is a good opportunity to do a better job. Selva > + } > } > /* > * Read from auth file unless this is a dynamic challenge request. > -- > 2.35.1 > > > > _______________________________________________ > Openvpn-devel mailing list > Openvpn-devel@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/openvpn-devel >
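Review bot: In the Changes.rst hunk, the added sentence "If the password is missing OpenVPN will prompt for input via stdin" states the new behaviour without its precondition: it does not say what happens when stdin is not usable for a prompt. Suggest spelling out that the prompt requires stdin to be available, so that users with a username-only inline block know when it will work. Minor wording: add a comma after "missing" and write "inlined" rather than "inline'd".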
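Review bot: In the misc.c hunk in get_user_pass_cr, the new test "if (strlen(up->password) == 0)" cannot tell a password line that is absent from one that is present but empty, so an inline block that deliberately carries an empty second line now triggers a prompt instead of storing the empty password as before. The result of the preceding "buf_parse(&buf, '\n', up->password, USER_PASS_LEN);" is discarded in the visible context; if it reports whether a line was actually read, branching on that would separate the two cases. The block also sets "password_from_stdin = 1;" with no comment, and a one-line comment saying that a username-only inline block falls back to prompting would help the next reader of this function.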