Re: [Openvpn-devel] [PATCH v2] Clarify and expand management interface documentation
Hi,
Thanks for the v2.
On Wed, Aug 8, 2018 at 7:35 AM, Jonathan K. Bullard via Openvpn-devel
wrote:
> Clarify and expand the documentation for the management interface:
>
> * Add examples of static and dynamic challenge/response sequences in
> the "COMMAND -- password and username" section.
>
> * Expand the "Challenge/Response" section with more detail.
>
> * Use "management interface client" throughout (instead of "management
> client", which was used in several places previously).
>
> * Clarify when both a username and password are needed, not just a
> username or a password.
>
> * Clarify that an exit with a fatal error for a dynamic C/R will occur
> only if "--auth-retry none" (the default) is in effect.
>
> * Fix a typo. ("posesses" => "possesses").
>
> Signed-off-by: Jonathan K. Bullard
> ---
> v2:
> * Incorporate Selva Nair’s suggestions (thanks!).
> * Remove incorrect quotes in Example 8.
> * Use "base 64" throughout instead of "base64".
>
> doc/management-notes.txt | 232
> ---
> 1 file changed, 159 insertions(+), 73 deletions(-)
Looks good now.
The typo pointed out by tincanteksup is not a fault of this patch
but this may be a good time to fix it -- could be done at merge time?
On line 143 of doc/management-notes.txt after applying this patch:
managment --> management
Acked-by: selva.n...@gmail.com
--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH v2] Clarify and expand management interface documentation
Hi,
I have had my arm twisted into doing some spell checking of docs.
There is one spelling error (an old over looked one)
which you could fix with this patch. (inline)
On 08/08/18 12:35, Jonathan K. Bullard via Openvpn-devel wrote:
Clarify and expand the documentation for the management interface:
* Add examples of static and dynamic challenge/response sequences in
the "COMMAND -- password and username" section.
* Expand the "Challenge/Response" section with more detail.
* Use "management interface client" throughout (instead of "management
client", which was used in several places previously).
* Clarify when both a username and password are needed, not just a
username or a password.
* Clarify that an exit with a fatal error for a dynamic C/R will occur
only if "--auth-retry none" (the default) is in effect.
* Fix a typo. ("posesses" => "possesses").
Signed-off-by: Jonathan K. Bullard
---
v2:
* Incorporate Selva Nair’s suggestions (thanks!).
* Remove incorrect quotes in Example 8.
* Use "base 64" throughout instead of "base64".
doc/management-notes.txt | 232 ---
1 file changed, 159 insertions(+), 73 deletions(-)
diff --git a/doc/management-notes.txt b/doc/management-notes.txt
index 96470d0..3935715 100644
--- a/doc/management-notes.txt
+++ b/doc/management-notes.txt
@@ -12,7 +12,8 @@ as a client or server.
The management interface is implemented using a client/server TCP
connection or unix domain socket where OpenVPN will listen on a
-provided IP address and port for incoming management client connections.
+provided IP address and port for incoming management interface client
+connections.
The management protocol is currently cleartext without an explicit
security layer. For this reason, it is recommended that the
@@ -104,7 +105,7 @@ be in the list, and it will cause the management interface
to save the "forget-passwords" string in its list of echo
parameters.
-The management client can use "echo all" to output the full
+The management interface client can use "echo all" to output the full
list of echoed parameters, "echo on" to turn on real-time
notification of echoed parameters via the ">ECHO:" prefix,
or "echo off" to turn off real-time notification.
@@ -118,10 +119,10 @@ like this:
Essentially the echo command allowed us to pass parameters from
the OpenVPN server to the OpenVPN client, and then to the
-management client (such as a GUI). The large integer is the
+management interface client (such as a GUI). The large integer is the
unix date/time when the echo parameter was received.
-If the management client had issued the command "echo on",
+If the management interface client had issued the command "echo on",
it would have enabled real-time notifications of echo
parameters. In this case, our "forget-passwords" message
would be output like this:
@@ -141,8 +142,8 @@ COMMAND -- exit, quit
Close the managment session, and resume listening on the
managment --> management
management port for connections from other clients. Currently,
--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH v2] Clarify and expand management interface documentation
Clarify and expand the documentation for the management interface:
* Add examples of static and dynamic challenge/response sequences in
the "COMMAND -- password and username" section.
* Expand the "Challenge/Response" section with more detail.
* Use "management interface client" throughout (instead of "management
client", which was used in several places previously).
* Clarify when both a username and password are needed, not just a
username or a password.
* Clarify that an exit with a fatal error for a dynamic C/R will occur
only if "--auth-retry none" (the default) is in effect.
* Fix a typo. ("posesses" => "possesses").
Signed-off-by: Jonathan K. Bullard
---
v2:
* Incorporate Selva Nair’s suggestions (thanks!).
* Remove incorrect quotes in Example 8.
* Use "base 64" throughout instead of "base64".
doc/management-notes.txt | 232 ---
1 file changed, 159 insertions(+), 73 deletions(-)
diff --git a/doc/management-notes.txt b/doc/management-notes.txt
index 96470d0..3935715 100644
--- a/doc/management-notes.txt
+++ b/doc/management-notes.txt
@@ -12,7 +12,8 @@ as a client or server.
The management interface is implemented using a client/server TCP
connection or unix domain socket where OpenVPN will listen on a
-provided IP address and port for incoming management client connections.
+provided IP address and port for incoming management interface client
+connections.
The management protocol is currently cleartext without an explicit
security layer. For this reason, it is recommended that the
@@ -104,7 +105,7 @@ be in the list, and it will cause the management interface
to save the "forget-passwords" string in its list of echo
parameters.
-The management client can use "echo all" to output the full
+The management interface client can use "echo all" to output the full
list of echoed parameters, "echo on" to turn on real-time
notification of echoed parameters via the ">ECHO:" prefix,
or "echo off" to turn off real-time notification.
@@ -118,10 +119,10 @@ like this:
Essentially the echo command allowed us to pass parameters from
the OpenVPN server to the OpenVPN client, and then to the
-management client (such as a GUI). The large integer is the
+management interface client (such as a GUI). The large integer is the
unix date/time when the echo parameter was received.
-If the management client had issued the command "echo on",
+If the management interface client had issued the command "echo on",
it would have enabled real-time notifications of echo
parameters. In this case, our "forget-passwords" message
would be output like this:
@@ -141,8 +142,8 @@ COMMAND -- exit, quit
Close the managment session, and resume listening on the
management port for connections from other clients. Currently,
-the OpenVPN daemon can at most support a single management client
-any one time.
+the OpenVPN daemon can at most support a single management interface
+client any one time.
COMMAND -- help
---
@@ -167,7 +168,7 @@ The hold flag setting is persistent and will not
be reset by restarts.
OpenVPN will indicate that it is in a hold state by
-sending a real-time notification to the management
+sending a real-time notification to the management interface
client, the parameter indicates how long OpenVPN would
wait without UI (as influenced by connect-retry exponential
backoff). The UI needs to wait for releasing the hold if it
@@ -275,7 +276,7 @@ COMMAND -- password and username
OpenVPN is indicating that it needs a password of type
"Private Key".
- The management client should respond to this query as follows:
+ The management interface client should respond as follows:
password "Private Key" foo
@@ -283,8 +284,8 @@ COMMAND -- password and username
>PASSWORD:Need 'Auth' username/password
- OpenVPN needs a --auth-user-pass password. The management
- client should respond:
+ OpenVPN needs a --auth-user-pass username and password. The
+ management interface client should respond:
username "Auth" foo
password "Auth" bar
@@ -307,7 +308,8 @@ COMMAND -- password and username
>PASSWORD:Verification Failed: 'Private Key'
Example 4: The --auth-user-pass username/password failed,
- and OpenVPN is exiting:
+ and OpenVPN will exit with a fatal error if '--auth-retry none'
+ (which is the default) is in effect:
>PASSWORD:Verification Failed: 'Auth'
@@ -322,6 +324,37 @@ COMMAND -- password and username
>PASSWORD:Auth-Token:foobar
+ Example 7: Static challenge/response:
+
+>PASSWORD:Need 'Auth' username/password SC:1,Please enter token PIN
+
+ OpenVPN needs an --auth-user-pass username and password and the
+ response to a challenge. The user's response to "Please enter
+ token PIN" should be obtained and included in the management
+ interface client's response along with the username and password
+ formatted as described in the Challenge/Response Protocol section
+ below.
