Hmm, that's interesting. I guess maybe I’ve just been thrown off by the wording of the docs at https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage
------------------------------------------------------------------------
--username-as-common-name

For --auth-user-pass-verify authentication, use the authenticated username as the common name, rather than the common name from the client cert.
------------------------------------------------------------------------

The description is confusing at this point. "For --auth-user-pass-verify authentication" would make me think that the username as the common_name is usable "for" an auth-user-pass-verify script, which I demonstrated it is not, and you are agreeing that it is not for that. Clearly the "auth-user-pass-verify" section states that "The script should examine the username and password" and says nothing about the common_name parameter, and when it says "use the authenticated username as the common name" this would make me think it behaves as you say: the user needs to be already "authenticated", rather than it just being a username supplied by the client that still needs to be authenticated. The "For" just threw me off.

I would guess that "username-as-common-name" is here for use in "client-connect" (and disconnect) commands, since the wording in that section states "The command is passed the common name and IP address of the just-authenticated client as environmental variables", and for the "client-config-dir" related options, which would allow openvpn to use files and things that are keyed off the username rather than the common_name.

I guess I’ll submit a documentation bug to alter the description in the docs for "username-as-common-name" to more clearly illustrate this. Maybe just changing "For --auth-user-pass-verify authentication..." to "After --auth-user-pass-verify authentication..." and a note about this affecting the client-(dis)connect and client-config-dir options.

I modified the duo plugin source to use username instead of common_name and it works as I expect.
I’ll also submit a pull request against the duo_openvpn plugin source to get that changed upstream and see where it goes.

Thanks for the reply,
Mike

> On Aug 3, 2016, at 10:05 PM, Selva Nair <selva.n...@gmail.com> wrote:
>
>
> On Wed, Aug 3, 2016 at 5:35 PM, Michael Hicks <michaelhick...@gmail.com> wrote:
> Greetings OpenVPN users,
>
> I’m having some trouble with openvpn using an auth plugin for DuoSecurity MFA.
> https://github.com/duosecurity/duo_openvpn
>
> server side
> OpenVPN 2.3.6 x86_64-sun-solaris2.11 [SSL (OpenSSL)] [LZO] [IPv6] built on Dec 5 2015
> library versions: OpenSSL 1.0.2e 3 Dec 2015, LZO 2.09
>
> client side:
> OpenVPN 2.3.6 x86_64-apple-darwin13 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on Jun 17 2016
> library versions: OpenSSL 1.0.2h 3 May 2016, LZO 2.09
>
> I generated certificates using EasyRSA 3.0.1 and can see what the CN is set to
> openssl x509 -text -noout -in EasyRSA-3.0.1/pki/issued/triskaideka.crt
> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number: 1 (0x1)
>     Signature Algorithm: sha256WithRSAEncryption
>         Issuer: CN=foobiebletch
>         Validity
>             Not Before: Jul 28 19:35:34 2016 GMT
>             Not After : Jul 26 19:35:34 2026 GMT
>         Subject: CN=triskaideka
>         Subject Public Key Info:
>             Public Key Algorithm: rsaEncryption
>                 Public-Key: (2048 bit)
>                 Modulus:
>
> On the client side I’m supplying my username and pass via the auth-user-pass parameter with a file.
>
> On the server side I’m trying to use username-as-common-name so that the client supplied username parameter is used to auth against Duo instead of the cert CN.
>
> What seems to be happening is that OpenVPN is not setting the username as the common_name parameter. With logging verbosity set to 7 I see this in the openvpn.log file demonstrating that the common_name is set to the connecting client’s hostname, and that it clearly also knows what the username is.
>
>
> --username-as-common-name option does not change the common-name until authenticated. So the duo plugin will see your common-name in the certificate. I have no idea why duo decided to take the username from cert CN instead of from the response to auth-user-pass.dialog.
>
> Selva
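As an added example, not code from this thread, from OpenVPN or from the duo_openvpn plugin, the POSIX shell hooks below make the ordering Selva describes concrete. They emulate the two server-side hooks under discussion using the environment variables OpenVPN exports to them (username and password for an auth-user-pass-verify script in via-env form, a two-line temp file in via-file form, and common_name plus ifconfig_pool_remote_ip for client-connect). During auth-user-pass-verify, common_name is still the certificate CN, so the verify step must authenticate on username/password; by client-connect, with --username-as-common-name in effect, common_name carries the authenticated username and is what client-config-dir lookups key on. The user:password table and the ccd path are constructed for the demo; a real verify script would call the MFA backend instead.

```shell
#!/bin/sh
# Added example; not code from this thread or from the duo_openvpn plugin.
# Emulates the two server-side OpenVPN hooks using the environment
# variables OpenVPN exports to them:
#
#   auth-user-pass-verify <script> via-env
#       $username and $password come from the client's --auth-user-pass.
#       $common_name is still the certificate CN here, because
#       --username-as-common-name is applied only after this hook accepts.
#   client-connect <script>
#       Runs after authentication, so with --username-as-common-name
#       $common_name now carries the authenticated username, which is the
#       value client-config-dir lookups are keyed on.

# Constructed user:password table standing in for the MFA backend.
CREDS='alice:correct-horse
bob:battery-staple'

# auth-user-pass-verify hook, via-env form. Exit 0 = accept, 1 = reject.
# Authenticates on $username/$password and deliberately ignores
# $common_name, which at this stage is only the certificate CN.
auth_user_pass_verify() {
    user="${username:?username not set}"
    pass="${password:?password not set}"
    echo "auth: username=$user common_name=${common_name:-<unset>}" >&2
    printf '%s\n' "$CREDS" | grep -qxF -- "$user:$pass"
}

# auth-user-pass-verify hook, via-file form: OpenVPN writes the username on
# line 1 and the password on line 2 of a temp file passed as $1.
# Exit 0 = accept, 1 = reject.
auth_user_pass_verify_file() {
    user=$(sed -n '1p' "$1")
    pass=$(sed -n '2p' "$1")
    printf '%s\n' "$CREDS" | grep -qxF -- "$user:$pass"
}

# client-connect hook. Prints the per-client config path that
# client-config-dir would consult for this $common_name, so the caller
# can see which identity the server is keyed on after authentication.
client_connect() {
    ccd="${1:-/etc/openvpn/ccd}"   # constructed default path
    cn="${common_name:?common_name not set}"
    echo "connect: common_name=$cn remote_ip=${ifconfig_pool_remote_ip:-?}" >&2
    printf '%s/%s\n' "$ccd" "$cn"
}

# Stand-alone demo: a client whose cert CN is "triskaideka" (as in the
# thread) logs in as "alice". Stage 1 sees the CN, stage 2 sees the user.
if ( export username=alice password=correct-horse common_name=triskaideka
     auth_user_pass_verify ); then
    echo "stage 1: alice accepted while common_name was still triskaideka"
    ( export common_name=alice ifconfig_pool_remote_ip=10.8.0.6
      client_connect /etc/openvpn/ccd )
fi
```

The reject paths matter as much as the accept path: a verify script that keyed on common_name at stage 1 would authenticate the certificate holder's hostname, not the person typing the password, which is exactly the mismatch the thread ran into.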
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users