Re: [Openvpn-devel] [PATCH v2 2/9] Implement auth-token-user

2021-06-13 Thread Antonio Quartulli
Hi,

On 11/06/2021 11:48, Arne Schwabe wrote:
> Am 11.06.21 um 02:41 schrieb Antonio Quartulli:
>> Hi,
>>
>> On 20/05/2021 17:11, Arne Schwabe wrote:
>>> When not using username and password (i.e. auth-user-pass) it can still make
>>> to provide the client with an auth-token, e.g. for allowing a session to
>>> continue after a reconnect without requiring 2FA again.
>>>
>>> However, without --auth-user-pass openvpn does not have a username and will
>>> ignore any pushed auth-token command.
>>>
>>> This patch adds support for auth-token-user to set the username that should
>>> be used for auth-token
>>>
>>> The spec of using auth-token-user base64-encoded-user are the ones that
>>> OpenVPN3 already implements.
>>>
>>> Patch V2: Improve style, fix comments and commit message
>>>
>>> Signed-off-by: Arne Schwabe 
>>
>> This patch hasn't changed since the last time it was on the mailing list
>> (and I acked it), so the same goes for this copy.
>>
>> @Arne I have a new question though: what is expected to happen if the
>> --auth-token-user is specified in the global config?
>>
>> Is the same user supposed to be used with every client?
>> Or is it just ignored?
>>
>> I am testing this case and I don't see the user being pushed to the client.
>>
> 
> It is probably the same as with auth-token itself. OpenVPN will pick it
> up and use it but most times it is not very useful as auth-token should
> be pushed from the server. It is an artefact from how we parse things.
> 

Makes sense - it is just interpreted locally, but there is not much sense.

This said, the rest looks good.

Acked-by: Antonio Quartulli 



-- 
Antonio Quartulli


___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel


Re: [Openvpn-devel] [PATCH v2 2/9] Implement auth-token-user

2021-06-11 Thread Arne Schwabe
Am 11.06.21 um 02:41 schrieb Antonio Quartulli:
> Hi,
> 
> On 20/05/2021 17:11, Arne Schwabe wrote:
>> When not using username and password (i.e. auth-user-pass) it can still make
>> to provide the client with an auth-token, e.g. for allowing a session to
>> continue after a reconnect without requiring 2FA again.
>>
>> However, without --auth-user-pass openvpn does not have a username and will
>> ignore any pushed auth-token command.
>>
>> This patch adds support for auth-token-user to set the username that should
>> be used for auth-token
>>
>> The spec of using auth-token-user base64-encoded-user are the ones that
>> OpenVPN3 already implements.
>>
>> Patch V2: Improve style, fix comments and commit message
>>
>> Signed-off-by: Arne Schwabe 
> 
> This patch hasn't changed since the last time it was on the mailing list
> (and I acked it), so the same goes for this copy.
> 
> @Arne I have a new question though: what is expected to happen if the
> --auth-token-user is specified in the global config?
> 
> Is the same user supposed to be used with every client?
> Or is it just ignored?
> 
> I am testing this case and I don't see the user being pushed to the client.
>

It is probably the same as with auth-token itself. OpenVPN will pick it
up and use it but most times it is not very useful as auth-token should
be pushed from the server. It is an artefact from how we parse things.

Arne




Re: [Openvpn-devel] [PATCH v2 2/9] Implement auth-token-user

2021-06-10 Thread Antonio Quartulli
Hi,

On 20/05/2021 17:11, Arne Schwabe wrote:
> When not using username and password (i.e. auth-user-pass) it can still make
> to provide the client with an auth-token, e.g. for allowing a session to
> continue after a reconnect without requiring 2FA again.
> 
> However, without --auth-user-pass openvpn does not have a username and will
> ignore any pushed auth-token command.
> 
> This patch adds support for auth-token-user to set the username that should
> be used for auth-token
> 
> The spec of using auth-token-user base64-encoded-user are the ones that
> OpenVPN3 already implements.
> 
> Patch V2: Improve style, fix comments and commit message
> 
> Signed-off-by: Arne Schwabe 

This patch hasn't changed since the last time it was on the mailing list
(and I acked it), so the same goes for this copy.

@Arne I have a new question though: what is expected to happen if the
--auth-token-user is specified in the global config?

Is the same user supposed to be used with every client?
Or is it just ignored?

I am testing this case and I don't see the user being pushed to the client.

Cheers,



-- 
Antonio Quartulli




[Openvpn-devel] [PATCH v2 2/9] Implement auth-token-user

2021-05-20 Thread Arne Schwabe
When not using username and password (i.e. auth-user-pass) it can still make
to provide the client with an auth-token, e.g. for allowing a session to
continue after a reconnect without requiring 2FA again.

However, without --auth-user-pass openvpn does not have a username and will
ignore any pushed auth-token command.

This patch adds support for auth-token-user to set the username that should
be used for auth-token

The spec of using auth-token-user base64-encoded-user are the ones that
OpenVPN3 already implements.

Patch V2: Improve style, fix comments and commit message

Signed-off-by: Arne Schwabe 
---
 doc/man-sections/client-options.rst |  8 +++
 src/openvpn/misc.c  | 37 +
 src/openvpn/misc.h  | 21 +---
 src/openvpn/options.c   |  5 
 src/openvpn/ssl.c   | 12 +++---
 src/openvpn/ssl.h   |  2 ++
 6 files changed, 74 insertions(+), 11 deletions(-)

diff --git a/doc/man-sections/client-options.rst 
b/doc/man-sections/client-options.rst
index af21fbcd7..c5b7ad960 100644
--- a/doc/man-sections/client-options.rst
+++ b/doc/man-sections/client-options.rst
@@ -50,6 +50,14 @@ configuration.
   after a failed auth. Older clients will keep using the token value and
   react according to ``--auth-retry``
 
+--auth-token-user base64username
+  Companion option to ``--auth-token``. This options allows to override
+  the username used by the client when reauthenticating with the 
``auth-token``.
+  It also allows to use ``--auth-token`` in setups that normally do not use
+  username and password.
+
+  The username has to be base64 encoded.
+
 --auth-user-pass
   Authenticate with server using username/password.
 
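Review bot: the new `--auth-token-user base64username` paragraph has a grammar slip and leaves the client-side behaviour unstated. "This options allows to override the username" should read "This option allows overriding the username". Since the username only matters when the server pushes ``auth-token`` (a value placed in a local client config is parsed but does nothing useful, as Arne's reply in this thread confirms), suggest saying so explicitly, e.g. "This option is normally pushed by the server together with ``auth-token``." Also "The username has to be base64 encoded." should point at which base64 variant is expected; the commit message says the encoding follows what OpenVPN3 already implements, so a one-line reference to that would prevent alphabet mismatches between client and server implementations.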
diff --git a/src/openvpn/misc.c b/src/openvpn/misc.c
index 650daa0c6..29061cd6f 100644
--- a/src/openvpn/misc.c
+++ b/src/openvpn/misc.c
@@ -490,22 +490,49 @@ void
 set_auth_token(struct user_pass *up, struct user_pass *tk, const char *token)
 {
 
-if (strlen(token) && (up->defined || tk->defined))
+if (strlen(token))
 {
-/* auth-token has no password, so it needs the username
- * either already set or copied from up */
 strncpynt(tk->password, token, USER_PASS_LEN);
-if (up->defined)
+tk->token_defined = true;
+
+/*
+ * --auth-token has no username, so it needs the username
+ * either already set or copied from up, or later set by
+ * --auth-token-user
+ *
+ * Do not overwrite the username if already set to avoid
+ * overwriting an auth-token
+ */
+if (up->defined && !tk->defined)
 {
 strncpynt(tk->username, up->username, USER_PASS_LEN);
+tk->defined = true;
 }
-tk->defined = true;
 }
 
 /* Cleans user/pass for nocache */
 purge_user_pass(up, false);
 }
 
+void
+set_auth_token_user(struct user_pass *tk, const char *username)
+{
+if (strlen(username))
+{
+/* Clear the username before decoding to ensure no old material is left
+ * and also allow decoding to not use all space to ensure the last 
byte is
+ * always 0 */
+CLEAR(tk->username);
+int len = openvpn_base64_decode(username, tk->username, USER_PASS_LEN 
- 1);
+tk->defined = len > 0;
+if (!tk->defined)
+{
+msg(D_PUSH, "Error decoding auth-token-username");
+}
+}
+}
+
+
 /*
  * Process string received by untrusted peer before
  * printing to console or log file.
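Review bot: in `set_auth_token_user` the failure path `msg(D_PUSH, "Error decoding auth-token-username")` names an option that does not exist (the option is `auth-token-user`) and logs at a debug level, although a decode failure leaves `tk->defined` false and the client will later fail reauthentication with no clear reason; suggest using the exact option name and `M_WARN`. The `len > 0` check correctly rejects both the `-1` error return of `openvpn_base64_decode` and an empty username, but the decoded bytes themselves are not validated: an embedded NUL would silently shorten the username for every later `strlen`/`strncpynt` consumer, so consider verifying `strlen(tk->username) == len` before setting `tk->defined`. Finally, the comment in `set_auth_token` "Do not overwrite the username if already set to avoid overwriting an auth-token" is misleading: what the `up->defined && !tk->defined` condition protects is a username previously set via `--auth-token-user`, not the token; reword it accordingly.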
diff --git a/src/openvpn/misc.h b/src/openvpn/misc.h
index d9005353e..0d2d42489 100644
--- a/src/openvpn/misc.h
+++ b/src/openvpn/misc.h
@@ -56,6 +56,9 @@ const char *hostname_randomize(const char *hostname, struct 
gc_arena *gc);
 struct user_pass
 {
 bool defined;
+/* For auth-token username and token can be set individually, so
+ * we this second bool to track if the token (password) is defined */
+bool token_defined;
 bool nocache;
 
 /* max length of username/password */
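Review bot: the comment on the new `token_defined` member is missing its verb ("so we this second bool" should be "so we use this second bool") and should spell out how the two flags now relate: after this patch, `defined` on the auth-token `user_pass` means only that the username is set, while `token_defined` means the password (the token) is set. Any caller that previously tested `tk->defined` to decide whether an auth-token exists must now test `token_defined` instead, and this comment is the only place a reader will learn that, so it is worth a sentence.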
@@ -138,19 +141,31 @@ void fail_user_pass(const char *prefix,
 void purge_user_pass(struct user_pass *up, const bool force);
 
 /**
- * Sets the auth-token to token if a username is available from either
- * up or already present in tk. The method will also purge up if
+ * Sets the auth-token to token. Ff a username is available from either
+ * up or already present in tk is the auth-token that will be used as default
+ * username for the token. The method will also purge up if
  * the auth-nocache option is active.
  *
  * @param up(non Auth-token) Username/password
  * @param tkauth-token userpass to set
- * @param token token to use as password for the
+ * @param token token to use as password for the auth-token
  *
  * @noteall parameters to this function must not be null.
  */
 void set_auth_token(struct user_pass *up, struct user_pass *tk,
 const
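Review bot: the rewritten doc comment for `set_auth_token` is hard to parse: "Sets the auth-token to token. Ff a username is available from either up or already present in tk is the auth-token that will be used as default username for the token." has a typo ("Ff") and a garbled second clause. Suggest: "Sets the auth-token password to token. If up has a username and tk has none yet, the username from up is copied into tk; a username already present in tk (for example one set by --auth-token-user) is kept." That wording matches the `up->defined && !tk->defined` check in misc.c.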