Re: [Openvpn-devel] [PATCH 2/5] auth-gen-token: Add --auth-gen-token option
On 13-10-16 21:59, David Sommerseth wrote: > This sets the flag if the OpenVPN server should create authentication > tokens on-the-fly on successful --auth-user-pass-verify or --plugin with > OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY processing. > > If an OpenVPN server is running without this option, it should behave > as before. Next patches will implement the auth-token generation and > passing it on to the clients. > > The --auth-gen-token can be given an optional integer argument which > defines the lifetime of generated tokens. The lifetime argument > must be given in number of seconds. > > Signed-off-by: David Sommerseth> --- > doc/openvpn.8| 16 > src/openvpn/init.c | 2 ++ > src/openvpn/options.c| 16 > src/openvpn/options.h| 2 ++ > src/openvpn/ssl_common.h | 3 +++ > 5 files changed, 39 insertions(+) > > diff --git a/doc/openvpn.8 b/doc/openvpn.8 > index 1c341ae..521bd9b 100644 > --- a/doc/openvpn.8 > +++ b/doc/openvpn.8 > @@ -3595,6 +3595,22 @@ For a sample script that performs PAM authentication, > see > in the OpenVPN source distribution. > .\"* > .TP > +.B \-\-auth\-gen\-token [lifetime] > +After successful user/password authentication, the OpenVPN > +server will with this option generate a temporary > +authentication token and push that to client. On the following > +renegotiations, the OpenVPN client will pass this token instead > +of the users password. On the server side the server will do > +the token authentication internally and it will NOT do any > +additional authentications against configured external > +user/password authentication mechanisms. This should mention that a lifetime of 0 indicates 'never expires'. > +This feature is useful for environments which is configured > +to use One Time Passwords (OTP) as part of the user/password > +authentications and that authentication mechanism does not > +implement any auth-token support. > +.\"* > +.TP > .B \-\-opt\-verify > Clients that connect with options that are incompatible > with those of the server will be disconnected. > diff --git a/src/openvpn/init.c b/src/openvpn/init.c > index cc8e945..5a8cb1f 100644 > --- a/src/openvpn/init.c > +++ b/src/openvpn/init.c > @@ -2427,6 +2427,8 @@ do_init_crypto_tls (struct context *c, const unsigned > int flags) >if (options->ccd_exclusive) > to.client_config_dir_exclusive = options->client_config_dir; >to.auth_user_pass_file = options->auth_user_pass_file; > + to.auth_generate_token = options->auth_generate_token; > + to.auth_token_lifetime = options->auth_token_lifetime; > #endif > >to.x509_track = options->x509_track; > diff --git a/src/openvpn/options.c b/src/openvpn/options.c > index 1ed14b0..1037619 100644 > --- a/src/openvpn/options.c > +++ b/src/openvpn/options.c > @@ -445,6 +445,11 @@ static const char usage_message[] = >" run command cmd to verify. If method='via-env', pass\n" >" user/pass via environment, if method='via-file', pass\n" >" user/pass via temporary file.\n" > + "--auth-gen-token [lifetime] Generate a random authentication token which > is pushed\n" > + " to each client, replacing the password. Usefull when\n" > + " OTP based two-factor auth mechanisms are in use and\n" > + " --reneg-* options are enabled. Optionally a lifetime in > seconds\n" > + " for generated tokens can be set.\n" >"--opt-verify: Clients that connect with options that are > incompatible\n" >" with those of the server will be disconnected.\n" >"--auth-user-pass-optional : Allow connections by clients that don't\n" > @@ -864,6 +869,7 @@ init_options (struct options *o, const bool init_gc) > #ifdef ENABLE_PKCS11 >o->pkcs11_pin_cache_period = -1; > #endif /* ENABLE_PKCS11 */ > + o->auth_generate_token = false; > > /* tmp is only used in P2MP server context */ > #if P2MP_SERVER > @@ -1264,6 +1270,8 @@ show_p2mp_parms (const struct options *o) >SHOW_INT (max_routes_per_client); >SHOW_STR (auth_user_pass_verify_script); >SHOW_BOOL (auth_user_pass_verify_script_via_file); > + SHOW_BOOL (auth_generate_token); > + SHOW_INT (auth_token_lifetime); > #if PORT_SHARE >SHOW_STR (port_share_host); >SHOW_STR (port_share_port); > @@ -2194,6 +2202,8 @@ options_postprocess_verify_ce (const struct options > *options, const struct conne > "tcp-nodelay in the server configuration instead."); >if (options->auth_user_pass_verify_script) > msg (M_USAGE, "--auth-user-pass-verify requires --mode server"); > + if (options->auth_generate_token) > + msg (M_USAGE, "--auth-gen-token requires --mode server"); > #if PORT_SHARE >if
[Openvpn-devel] [PATCH 2/5] auth-gen-token: Add --auth-gen-token option
This sets the flag if the OpenVPN server should create authentication tokens on-the-fly on successful --auth-user-pass-verify or --plugin with OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY processing. If an OpenVPN server is running without this option, it should behave as before. Next patches will implement the auth-token generation and passing it on to the clients. The --auth-gen-token can be given an optional integer argument which defines the lifetime of generated tokens. The lifetime argument must be given in number of seconds. Signed-off-by: David Sommerseth--- doc/openvpn.8| 16 src/openvpn/init.c | 2 ++ src/openvpn/options.c| 16 src/openvpn/options.h| 2 ++ src/openvpn/ssl_common.h | 3 +++ 5 files changed, 39 insertions(+) diff --git a/doc/openvpn.8 b/doc/openvpn.8 index 1c341ae..521bd9b 100644 --- a/doc/openvpn.8 +++ b/doc/openvpn.8 @@ -3595,6 +3595,22 @@ For a sample script that performs PAM authentication, see in the OpenVPN source distribution. .\"* .TP +.B \-\-auth\-gen\-token [lifetime] +After successful user/password authentication, the OpenVPN +server will with this option generate a temporary +authentication token and push that to client. On the following +renegotiations, the OpenVPN client will pass this token instead +of the users password. On the server side the server will do +the token authentication internally and it will NOT do any +additional authentications against configured external +user/password authentication mechanisms. + +This feature is useful for environments which is configured +to use One Time Passwords (OTP) as part of the user/password +authentications and that authentication mechanism does not +implement any auth-token support. +.\"* +.TP .B \-\-opt\-verify Clients that connect with options that are incompatible with those of the server will be disconnected. diff --git a/src/openvpn/init.c b/src/openvpn/init.c index cc8e945..5a8cb1f 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c @@ -2427,6 +2427,8 @@ do_init_crypto_tls (struct context *c, const unsigned int flags) if (options->ccd_exclusive) to.client_config_dir_exclusive = options->client_config_dir; to.auth_user_pass_file = options->auth_user_pass_file; + to.auth_generate_token = options->auth_generate_token; + to.auth_token_lifetime = options->auth_token_lifetime; #endif to.x509_track = options->x509_track; diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 1ed14b0..1037619 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -445,6 +445,11 @@ static const char usage_message[] = " run command cmd to verify. If method='via-env', pass\n" " user/pass via environment, if method='via-file', pass\n" " user/pass via temporary file.\n" + "--auth-gen-token [lifetime] Generate a random authentication token which is pushed\n" + " to each client, replacing the password. Usefull when\n" + " OTP based two-factor auth mechanisms are in use and\n" + " --reneg-* options are enabled. Optionally a lifetime in seconds\n" + " for generated tokens can be set.\n" "--opt-verify: Clients that connect with options that are incompatible\n" " with those of the server will be disconnected.\n" "--auth-user-pass-optional : Allow connections by clients that don't\n" @@ -864,6 +869,7 @@ init_options (struct options *o, const bool init_gc) #ifdef ENABLE_PKCS11 o->pkcs11_pin_cache_period = -1; #endif /* ENABLE_PKCS11 */ + o->auth_generate_token = false; /* tmp is only used in P2MP server context */ #if P2MP_SERVER @@ -1264,6 +1270,8 @@ show_p2mp_parms (const struct options *o) SHOW_INT (max_routes_per_client); SHOW_STR (auth_user_pass_verify_script); SHOW_BOOL (auth_user_pass_verify_script_via_file); + SHOW_BOOL (auth_generate_token); + SHOW_INT (auth_token_lifetime); #if PORT_SHARE SHOW_STR (port_share_host); SHOW_STR (port_share_port); @@ -2194,6 +2202,8 @@ options_postprocess_verify_ce (const struct options *options, const struct conne "tcp-nodelay in the server configuration instead."); if (options->auth_user_pass_verify_script) msg (M_USAGE, "--auth-user-pass-verify requires --mode server"); + if (options->auth_generate_token) + msg (M_USAGE, "--auth-gen-token requires --mode server"); #if PORT_SHARE if (options->port_share_host || options->port_share_port) msg (M_USAGE, "--port-share requires TCP server mode (--mode server --proto tcp-server)"); @@ -5973,6 +5983,12 @@ add_option (struct options *options, >auth_user_pass_verify_script, p[1], "auth-user-pass-verify", true);