Re: [Openvpn-devel] [PATCH 2/5] auth-gen-token: Add --auth-gen-token option

2016-10-14 Thread Steffan Karger


On 13-10-16 21:59, David Sommerseth wrote:
> This sets the flag if the OpenVPN server should create authentication
> tokens on-the-fly on successful --auth-user-pass-verify or --plugin with
> OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY processing.
> 
> If an OpenVPN server is running without this option, it should behave
> as before.  Next patches will implement the auth-token generation and
> passing it on to the clients.
> 
> The --auth-gen-token can be given an optional integer argument which
> defines the lifetime of generated tokens.  The lifetime argument
> must be given in number of seconds.
> 
> Signed-off-by: David Sommerseth 
> ---
>  doc/openvpn.8| 16 
>  src/openvpn/init.c   |  2 ++
>  src/openvpn/options.c| 16 
>  src/openvpn/options.h|  2 ++
>  src/openvpn/ssl_common.h |  3 +++
>  5 files changed, 39 insertions(+)
> 
> diff --git a/doc/openvpn.8 b/doc/openvpn.8
> index 1c341ae..521bd9b 100644
> --- a/doc/openvpn.8
> +++ b/doc/openvpn.8
> @@ -3595,6 +3595,22 @@ For a sample script that performs PAM authentication, 
> see
>  in the OpenVPN source distribution.
>  .\"*
>  .TP
> +.B \-\-auth\-gen\-token [lifetime]
> +After successful user/password authentication, the OpenVPN
> +server will with this option generate a temporary
> +authentication token and push that to client.  On the following
> +renegotiations, the OpenVPN client will pass this token instead
> +of the users password.  On the server side the server will do
> +the token authentication internally and it will NOT do any
> +additional authentications against configured external
> +user/password authentication mechanisms.

This should mention that a lifetime of 0 indicates 'never expires'.

> +This feature is useful for environments which is configured
> +to use One Time Passwords (OTP) as part of the user/password
> +authentications and that authentication mechanism does not
> +implement any auth-token support.
> +.\"*
> +.TP
>  .B \-\-opt\-verify
>  Clients that connect with options that are incompatible
>  with those of the server will be disconnected.
> diff --git a/src/openvpn/init.c b/src/openvpn/init.c
> index cc8e945..5a8cb1f 100644
> --- a/src/openvpn/init.c
> +++ b/src/openvpn/init.c
> @@ -2427,6 +2427,8 @@ do_init_crypto_tls (struct context *c, const unsigned 
> int flags)
>if (options->ccd_exclusive)
>  to.client_config_dir_exclusive = options->client_config_dir;
>to.auth_user_pass_file = options->auth_user_pass_file;
> +  to.auth_generate_token = options->auth_generate_token;
> +  to.auth_token_lifetime = options->auth_token_lifetime;
>  #endif
>  
>to.x509_track = options->x509_track;
> diff --git a/src/openvpn/options.c b/src/openvpn/options.c
> index 1ed14b0..1037619 100644
> --- a/src/openvpn/options.c
> +++ b/src/openvpn/options.c
> @@ -445,6 +445,11 @@ static const char usage_message[] =
>"  run command cmd to verify.  If method='via-env', pass\n"
>"  user/pass via environment, if method='via-file', pass\n"
>"  user/pass via temporary file.\n"
> +  "--auth-gen-token  [lifetime] Generate a random authentication token which 
> is pushed\n"
> +  "  to each client, replacing the password.  Usefull when\n"
> +  "  OTP based two-factor auth mechanisms are in use and\n"
> +  "  --reneg-* options are enabled. Optionally a lifetime in 
> seconds\n"
> +  "  for generated tokens can be set.\n"
>"--opt-verify: Clients that connect with options that are 
> incompatible\n"
>"  with those of the server will be disconnected.\n"
>"--auth-user-pass-optional : Allow connections by clients that don't\n"
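Review bot: The new usage text misspells "Useful" as `Usefull` on the second added line; it should read `"  to each client, replacing the password.  Useful when\n"`. The first added line also puts two spaces between `--auth-gen-token` and `[lifetime]`, while the neighbouring option lines in this table use a single space before their argument, so `"--auth-gen-token [lifetime] Generate a random authentication token which is pushed\n"` would match them. The same text appears again in the copy of this `@@ -445,6 +445,11 @@` hunk of src/openvpn/options.c further down the page, in the original mail. The usage_message definition starts before this hunk.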
> @@ -864,6 +869,7 @@ init_options (struct options *o, const bool init_gc)
>  #ifdef ENABLE_PKCS11
>o->pkcs11_pin_cache_period = -1;
>  #endif   /* ENABLE_PKCS11 */
> +  o->auth_generate_token = false;
>  
>  /* tmp is only used in P2MP server context */
>  #if P2MP_SERVER
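Review bot: Only `auth_generate_token` gets an explicit default here; its companion `auth_token_lifetime`, which the later hunks read in show_p2mp_parms and do_init_crypto_tls, is not initialised in this hunk. If init_options zeroes the whole struct before this point (not visible here) that is harmless, but for consistency, and so the default lives next to the flag it belongs to, add `o->auth_token_lifetime = 0;` directly after the new line. The same applies to the copy of this hunk in the original mail further down the page. init_options starts before this hunk.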
> @@ -1264,6 +1270,8 @@ show_p2mp_parms (const struct options *o)
>SHOW_INT (max_routes_per_client);
>SHOW_STR (auth_user_pass_verify_script);
>SHOW_BOOL (auth_user_pass_verify_script_via_file);
> +  SHOW_BOOL (auth_generate_token);
> +  SHOW_INT (auth_token_lifetime);
>  #if PORT_SHARE
>SHOW_STR (port_share_host);
>SHOW_STR (port_share_port);
> @@ -2194,6 +2202,8 @@ options_postprocess_verify_ce (const struct options 
> *options, const struct conne
>   "tcp-nodelay in the server configuration instead.");
>if (options->auth_user_pass_verify_script)
>   msg (M_USAGE, "--auth-user-pass-verify requires --mode server");
> +  if (options->auth_generate_token)
> + msg (M_USAGE, "--auth-gen-token requires --mode server");
>  #if PORT_SHARE
>if 

[Openvpn-devel] [PATCH 2/5] auth-gen-token: Add --auth-gen-token option

2016-10-13 Thread David Sommerseth
This adds a flag indicating whether the OpenVPN server should create authentication
tokens on-the-fly on successful --auth-user-pass-verify or --plugin with
OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY processing.

If an OpenVPN server is running without this option, it should behave
as before.  Next patches will implement the auth-token generation and
passing it on to the clients.

The --auth-gen-token can be given an optional integer argument which
defines the lifetime of generated tokens.  The lifetime argument
must be given in number of seconds.

Signed-off-by: David Sommerseth 
---
 doc/openvpn.8| 16 
 src/openvpn/init.c   |  2 ++
 src/openvpn/options.c| 16 
 src/openvpn/options.h|  2 ++
 src/openvpn/ssl_common.h |  3 +++
 5 files changed, 39 insertions(+)

diff --git a/doc/openvpn.8 b/doc/openvpn.8
index 1c341ae..521bd9b 100644
--- a/doc/openvpn.8
+++ b/doc/openvpn.8
@@ -3595,6 +3595,22 @@ For a sample script that performs PAM authentication, see
 in the OpenVPN source distribution.
 .\"*
 .TP
+.B \-\-auth\-gen\-token [lifetime]
+After successful user/password authentication, the OpenVPN
+server will with this option generate a temporary
+authentication token and push that to client.  On the following
+renegotiations, the OpenVPN client will pass this token instead
+of the users password.  On the server side the server will do
+the token authentication internally and it will NOT do any
+additional authentications against configured external
+user/password authentication mechanisms.
+
+This feature is useful for environments which is configured
+to use One Time Passwords (OTP) as part of the user/password
+authentications and that authentication mechanism does not
+implement any auth-token support.
+.\"*
+.TP
 .B \-\-opt\-verify
 Clients that connect with options that are incompatible
 with those of the server will be disconnected.
diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index cc8e945..5a8cb1f 100644
--- a/src/openvpn/init.c
+++ b/src/openvpn/init.c
@@ -2427,6 +2427,8 @@ do_init_crypto_tls (struct context *c, const unsigned int 
flags)
   if (options->ccd_exclusive)
 to.client_config_dir_exclusive = options->client_config_dir;
   to.auth_user_pass_file = options->auth_user_pass_file;
+  to.auth_generate_token = options->auth_generate_token;
+  to.auth_token_lifetime = options->auth_token_lifetime;
 #endif
 
   to.x509_track = options->x509_track;
diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index 1ed14b0..1037619 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -445,6 +445,11 @@ static const char usage_message[] =
   "  run command cmd to verify.  If method='via-env', pass\n"
   "  user/pass via environment, if method='via-file', pass\n"
   "  user/pass via temporary file.\n"
+  "--auth-gen-token  [lifetime] Generate a random authentication token which 
is pushed\n"
+  "  to each client, replacing the password.  Usefull when\n"
+  "  OTP based two-factor auth mechanisms are in use and\n"
+  "  --reneg-* options are enabled. Optionally a lifetime in 
seconds\n"
+  "  for generated tokens can be set.\n"
   "--opt-verify: Clients that connect with options that are incompatible\n"
   "  with those of the server will be disconnected.\n"
   "--auth-user-pass-optional : Allow connections by clients that don't\n"
@@ -864,6 +869,7 @@ init_options (struct options *o, const bool init_gc)
 #ifdef ENABLE_PKCS11
   o->pkcs11_pin_cache_period = -1;
 #endif /* ENABLE_PKCS11 */
+  o->auth_generate_token = false;
 
 /* tmp is only used in P2MP server context */
 #if P2MP_SERVER
@@ -1264,6 +1270,8 @@ show_p2mp_parms (const struct options *o)
   SHOW_INT (max_routes_per_client);
   SHOW_STR (auth_user_pass_verify_script);
   SHOW_BOOL (auth_user_pass_verify_script_via_file);
+  SHOW_BOOL (auth_generate_token);
+  SHOW_INT (auth_token_lifetime);
 #if PORT_SHARE
   SHOW_STR (port_share_host);
   SHOW_STR (port_share_port);
@@ -2194,6 +2202,8 @@ options_postprocess_verify_ce (const struct options 
*options, const struct conne
  "tcp-nodelay in the server configuration instead.");
   if (options->auth_user_pass_verify_script)
msg (M_USAGE, "--auth-user-pass-verify requires --mode server");
+  if (options->auth_generate_token)
+   msg (M_USAGE, "--auth-gen-token requires --mode server");
 #if PORT_SHARE
   if (options->port_share_host || options->port_share_port)
msg (M_USAGE, "--port-share requires TCP server mode (--mode server 
--proto tcp-server)");
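Review bot: The new check rejects --auth-gen-token outside --mode server, but nothing visible validates the lifetime value itself: `auth_token_lifetime` is shown with SHOW_INT in show_p2mp_parms, so a negative value given on the command line would presumably be accepted here and copied unchanged into the tls options in do_init_crypto_tls. Unless the add_option hunk (cut off at the end of this page) already rejects it, a guard in the server-mode branch such as `if (options->auth_token_lifetime < 0) msg (M_USAGE, "--auth-gen-token lifetime must be a non-negative number of seconds");` would catch the misconfiguration at startup. It may also be worth warning when --auth-gen-token is set without any --auth-user-pass-verify script or authentication plugin, since the commit message says tokens are only generated after one of those succeeds, leaving the option a silent no-op otherwise. options_postprocess_verify_ce starts before this hunk and its server-mode branch is not part of it.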
@@ -5973,6 +5983,12 @@ add_option (struct options *options,
   >auth_user_pass_verify_script,
   p[1], "auth-user-pass-verify", true);