Re: [Openvpn-devel] Feature request: Client-side username/password retrieval using environment variables

2009-10-13 Thread The Zep Man

David Sommerseth wrote:

Am I missing something here or?  openvpn does support this already, but
I'm doing it via a C plug-in ...

In this case, the plug-in (which needs to be compiled) gets it from the 
environment, not OpenVPN itself.

I haven't studied the openvpn code to see if this goes for the script
interface ... but if it really is missing, it shouldn't be that hard to
fix.  On the other hand, if it is difficult, writing your own script
runner as a plug-in is definitely not an impossible task.

Script runner?

My idea is to let OpenVPN (vanilla) grab a username and password from 
the environment for client-side authentication (if allowed/specified 
by/in the configuration). This method for username and password 
insertion doesn't need any third-party patches or OS-specific scripts to 
work.


Regards,

Zep

Re: [Openvpn-devel] Feature request: Client-side username/password retrieval using environment variables

2009-10-13 Thread David Sommerseth

On 13/10/09 19:28, The Zep Man wrote:
> James Yonan wrote:
>> The best way to programmatically supply the username/password on the 
>> client side is to use the OpenVPN management interface.
>>
>> James
> 
> And the worst way is by using a file on a disk (which is why it is 
> disabled by default at compile time). How about something in 
> between? Something that is perhaps also easier to use from scripts, 
> while still being secure in certain environments (like Windows)? The 
> management interface requires a TCP port, which requires extra 
> programming to use. It could also conflict with some firewalls (even 
> when used on the loopback interface). Why bother with the entire 
> management interface if the only thing you want is to simply insert a 
> username and password with reasonable security?
> 
> I'm not saying that the management interface is bad. However, a somewhat 
> trivial function like username/password insertion should be easier. It's 
> accepted that OpenVPN as a server uses the environment to parse incoming 
> usernames/passwords to other programs. Why can't OpenVPN also accept a 
> username and password from the environment?
> 

Am I missing something here or?  openvpn does support this already, but
I'm doing it via a C plug-in ...

In line 348 the username is extracted via a GETENV_USERNAME() macro, and
in line 377 GETENV_PASSWORD() is used to grab the password.  That's
taken from the environment table.

But it might be that it's not exported to the shell if you are using the
script interface.

I haven't studied the openvpn code to see if this goes for the script
interface ... but if it really is missing, it shouldn't be that hard to
fix.  On the other hand, if it is difficult, writing your own script
runner as a plug-in is definitely not an impossible task.


kind regards,

David Sommerseth

Re: [Openvpn-devel] Feature request: Client-side username/password retrieval using environment variables

2009-10-13 Thread The Zep Man

James Yonan wrote:
The best way to programmatically supply the username/password on the 
client side is to use the OpenVPN management interface.


James


And the worst way is by using a file on a disk (which is why it is 
disabled by default at compile time). How about something in 
between? Something that is perhaps also easier to use from scripts, 
while still being secure in certain environments (like Windows)? The 
management interface requires a TCP port, which requires extra 
programming to use. It could also conflict with some firewalls (even 
when used on the loopback interface). Why bother with the entire 
management interface if the only thing you want is to simply insert a 
username and password with reasonable security?


I'm not saying that the management interface is bad. However, a somewhat 
trivial function like username/password insertion should be easier. It's 
accepted that OpenVPN as a server uses the environment to parse incoming 
usernames/passwords to other programs. Why can't OpenVPN also accept a 
username and password from the environment?


Zep
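What the management-interface route James recommends looks like in practice, as an added example that is not part of this thread or of OpenVPN's own code. It assumes the client is started with `--management 127.0.0.1 7505 --management-query-passwords`, so that OpenVPN asks the management client for the 'Auth' credentials instead of prompting on the console, and it stands in for OpenVPN's side of the conversation with a constructed loopback server that speaks the same `>PASSWORD:` notification and `SUCCESS:` reply lines, so the exchange runs offline. The backslash escaping in `mgmt_escape` is what the interface's line parser expects for quotes and backslashes inside an argument; the username and password are made up.

```python
"""Added example (not from the thread or from OpenVPN): a minimal management-
interface client that answers OpenVPN's 'Auth' username/password query.

Assumed OpenVPN invocation:
    openvpn --config client.ovpn --management 127.0.0.1 7505 --management-query-passwords
demo() replaces OpenVPN with a constructed loopback server that speaks the
same lines, so the exchange can be run offline.
"""
import socket
import threading

AUTH_QUERY = ">PASSWORD:Need 'Auth' username/password"


def mgmt_escape(value: str) -> str:
    """Backslash-escape '\\' and '"' so a value containing either character
    survives the management interface's line parser."""
    return value.replace("\\", "\\\\").replace('"', '\\"')


def _read_line(rf) -> str:
    raw = rf.readline()
    if not raw:
        raise ConnectionError("management connection closed")
    return raw.decode("utf-8", "replace").rstrip("\r\n")


def supply_credentials(host: str, port: int, username: str, password: str) -> list:
    """Connect to the management port, wait for the 'Auth' query, then send
    the username and password.  Returns OpenVPN's reply to each command."""
    replies = []
    with socket.create_connection((host, port)) as s, s.makefile("rb") as rf:
        # Real-time notifications start with '>' (>INFO, >STATE, ...); skip
        # everything until the Auth query arrives.
        while _read_line(rf) != AUTH_QUERY:
            pass
        for cmd, value in (("username", username), ("password", password)):
            s.sendall(f'{cmd} "Auth" {mgmt_escape(value)}\r\n'.encode("utf-8"))
            # Command replies are SUCCESS:/ERROR: lines; notifications may
            # still interleave, so skip any '>' lines first.
            reply = _read_line(rf)
            while reply.startswith(">"):
                reply = _read_line(rf)
            if not reply.startswith("SUCCESS:"):
                raise RuntimeError(f"management interface rejected {cmd}: {reply}")
            replies.append(reply)
    return replies


def _fake_openvpn(listener: socket.socket, seen: list) -> None:
    """Constructed stand-in for OpenVPN's side of the exchange (demo only)."""
    conn, _ = listener.accept()
    with conn, conn.makefile("rb") as rf:
        conn.sendall(b">INFO:OpenVPN Management Interface Version 1 -- type 'help' for more info\r\n")
        conn.sendall((AUTH_QUERY + "\r\n").encode("utf-8"))
        for cmd in ("username", "password"):
            line = _read_line(rf)
            seen.append(line)
            if line.startswith(f'{cmd} "Auth" '):
                conn.sendall(f"SUCCESS: 'Auth' {cmd} entered, but not yet verified\r\n".encode("utf-8"))
            else:
                conn.sendall(b"ERROR: unknown command or bad argument\r\n")
                return


def demo(username: str = "zep", password: str = 'pa"ss\\word') -> tuple:
    """Run the exchange against the stand-in; returns (lines OpenVPN saw, replies)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    seen: list = []
    t = threading.Thread(target=_fake_openvpn, args=(listener, seen), daemon=True)
    t.start()
    try:
        replies = supply_credentials("127.0.0.1", port, username, password)
    finally:
        t.join(5)
        listener.close()
    return seen, replies


if __name__ == "__main__":
    for line in demo()[0]:
        print(line)
```

On platforms with Unix domain sockets, `--management /run/openvpn/mgmt.sock unix` avoids the TCP port Zep objects to; on Windows the management interface stays on loopback TCP, so restrict it with the optional password file argument of `--management` rather than leaving the port open to any local process.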



Re: [Openvpn-devel] Feature request: Client-side username/password retrieval using environment variables

2009-10-13 Thread James Yonan

The Zep Man wrote:

Dear openvpn-devel list,

OpenVPN supports verification of a username/password combination on the 
server-side by parsing these to a 'script' using 'auth-user-pass-verify'. 
With this, it is possible to use a file ('via-file') or environment 
variables ('via-env') to parse the given username and password for 
verification. The 'script' returns exit code 0 if the username and 
password are correct or non-0 if they are incorrect.


On the client-side, the only way to specify a username and a password 
(using the option 'auth-user-pass') is by directly using the OpenVPN 
prompt or (by default not possible because it isn't compiled in) by 
using a file with the username on the first line and the password on 
the second line.


While it is easy to extend the username/password verification on the 
server, it isn't easy to extend the username/password input on the 
client. Even if OpenVPN is recompiled with the required option enabled 
for the client to accept a username/password from an earlier process, it 
is far from secure (because under some OS, like Windows, the 
username/password combination must be written plain-text to the disk for 
this to work).


Would it be a good idea to let OpenVPN on the client-side accept a 
username and a password as input from two separate environment variables 
using an extra option in the configuration file (when 'auth-user-pass' 
is also used)? This would make it easier to write an end-user-friendly 
front-end for OpenVPN which asks for a username and password.


My suggestion is to extend 'auth-user-pass [up]' to 'auth-user-pass 
via-file [up]' and 'auth-user-pass via-env'. By using 'via-env', the 
username and password should be taken from pre-specified environment 
variables. Perhaps the environment variables should be 'username' and 
'password', the same names 'auth-user-pass-verify' on the server uses.


Because this option would be more secure for Windows, would it also be 
possible to enable 'auth-user-pass via-env' by default during compilation?


The best way to programmatically supply the username/password on the 
client side is to use the OpenVPN management interface.


James
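A server-side 'auth-user-pass-verify' handler for the two delivery modes Zep describes at the top of the thread (via-file: username on line 1 and password on line 2 of a temporary file passed as the first argument; via-env: the 'username' and 'password' environment variables), as an added example that is not part of this thread or of OpenVPN's own code. The user table, salt and password are constructed for the example; a real deployment would look them up in a credential store. Note that OpenVPN only passes a password through the environment when `--script-security 3` is set, which is the same plaintext-exposure concern the thread raises about files: any process that can read the script's environment can read the password.

```python
#!/usr/bin/env python3
"""Added example (not from the thread or from OpenVPN): an auth-user-pass-verify
handler that accepts the login in either delivery mode.

  auth-user-pass-verify /etc/openvpn/verify.py via-file   # temp file path in argv[1]
  auth-user-pass-verify /etc/openvpn/verify.py via-env    # 'username'/'password' in env

Exit status 0 accepts the login, anything else rejects it.  The user table,
salt and password below are constructed for the example.
"""
import hashlib
import hmac
import os
import sys

PBKDF2_ROUNDS = 100_000


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


# Constructed credential store: username -> (salt, PBKDF2-HMAC-SHA256 digest).
_EXAMPLE_SALT = b"example-salt-do-not-reuse"
USERS = {"zep": (_EXAMPLE_SALT, _derive("correct horse battery staple", _EXAMPLE_SALT))}
_DUMMY = (_EXAMPLE_SALT, b"\0" * 32)  # unknown users pay the same PBKDF2 cost


def parse_via_file(text: str) -> tuple:
    """via-file layout: line 1 is the username, line 2 is the password."""
    lines = text.split("\n")
    if len(lines) < 2:
        raise ValueError("credential file needs a username line and a password line")
    return lines[0], lines[1]


def credentials_from_env(env) -> tuple:
    """via-env layout: OpenVPN exports the login as 'username' and 'password'."""
    try:
        return env["username"], env["password"]
    except KeyError as missing:
        raise ValueError(f"{missing} not in environment; is the mode via-env?") from None


def verify(username: str, password: str, users=USERS) -> bool:
    """Constant-time check of the submitted password against the stored digest."""
    salt, expected = users.get(username, _DUMMY)
    return hmac.compare_digest(_derive(password, salt), expected) and username in users


def main(argv=None, env=None) -> int:
    argv = sys.argv if argv is None else argv
    env = os.environ if env is None else env
    try:
        if len(argv) > 1:
            # via-file: OpenVPN deletes the temporary file once we return.
            with open(argv[1], encoding="utf-8") as f:
                username, password = parse_via_file(f.read())
        else:
            username, password = credentials_from_env(env)
    except (OSError, ValueError) as err:
        print(f"auth-user-pass-verify: {err}", file=sys.stderr)
        return 1
    return 0 if verify(username, password) else 1


if __name__ == "__main__":
    sys.exit(main())
```

The dummy digest for unknown usernames keeps the rejection path as slow as the accept path, so an attacker cannot enumerate valid usernames by timing the script; `hmac.compare_digest` does the same for the final comparison.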