Re: [Openvpn-devel] [PATCH v2] Clarify and expand management interface documentation
Hi, Thanks for the v2. On Wed, Aug 8, 2018 at 7:35 AM, Jonathan K. Bullard via Openvpn-devel wrote: > Clarify and expand the documentation for the management interface: > > * Add examples of static and dynamic challenge/response sequences in > the "COMMAND -- password and username" section. > > * Expand the "Challenge/Response" section with more detail. > > * Use "management interface client" throughout (instead of "management > client", which was used in several places previously). > > * Clarify when both a username and password are needed, not just a > username or a password. > > * Clarify that an exit with a fatal error for a dynamic C/R will occur > only if "--auth-retry none" (the default) is in effect. > > * Fix a typo. ("posesses" => "possesses"). > > Signed-off-by: Jonathan K. Bullard > --- > v2: > * Incorporate Selva Nair’s suggestions (thanks!). > * Remove incorrect quotes in Example 8. > * Use "base 64" throughout instead of "base64". > > doc/management-notes.txt | 232 > --- > 1 file changed, 159 insertions(+), 73 deletions(-) Looks good now. The typo pointed out by tincanteksup is not a fault of this patch but this may be a good time to fix it -- could be done at merge time? On line 143 of doc/management-notes.txt after applying this patch: managment --> management Acked-by: selva.n...@gmail.com -- Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH v2] Clarify and expand management interface documentation
Hi, I have had my arm twisted into doing some spell checking of docs. There is one spelling error (an old over looked one) which you could fix with this patch. (inline) On 08/08/18 12:35, Jonathan K. Bullard via Openvpn-devel wrote: Clarify and expand the documentation for the management interface: * Add examples of static and dynamic challenge/response sequences in the "COMMAND -- password and username" section. * Expand the "Challenge/Response" section with more detail. * Use "management interface client" throughout (instead of "management client", which was used in several places previously). * Clarify when both a username and password are needed, not just a username or a password. * Clarify that an exit with a fatal error for a dynamic C/R will occur only if "--auth-retry none" (the default) is in effect. * Fix a typo. ("posesses" => "possesses"). Signed-off-by: Jonathan K. Bullard --- v2: * Incorporate Selva Nair’s suggestions (thanks!). * Remove incorrect quotes in Example 8. * Use "base 64" throughout instead of "base64". doc/management-notes.txt | 232 --- 1 file changed, 159 insertions(+), 73 deletions(-) diff --git a/doc/management-notes.txt b/doc/management-notes.txt index 96470d0..3935715 100644 --- a/doc/management-notes.txt +++ b/doc/management-notes.txt @@ -12,7 +12,8 @@ as a client or server. The management interface is implemented using a client/server TCP connection or unix domain socket where OpenVPN will listen on a -provided IP address and port for incoming management client connections. +provided IP address and port for incoming management interface client +connections. The management protocol is currently cleartext without an explicit security layer. For this reason, it is recommended that the @@ -104,7 +105,7 @@ be in the list, and it will cause the management interface to save the "forget-passwords" string in its list of echo parameters. -The management client can use "echo all" to output the full +The management interface client can use "echo all" to output the full list of echoed parameters, "echo on" to turn on real-time notification of echoed parameters via the ">ECHO:" prefix, or "echo off" to turn off real-time notification. @@ -118,10 +119,10 @@ like this: Essentially the echo command allowed us to pass parameters from the OpenVPN server to the OpenVPN client, and then to the -management client (such as a GUI). The large integer is the +management interface client (such as a GUI). The large integer is the unix date/time when the echo parameter was received. -If the management client had issued the command "echo on", +If the management interface client had issued the command "echo on", it would have enabled real-time notifications of echo parameters. In this case, our "forget-passwords" message would be output like this: @@ -141,8 +142,8 @@ COMMAND -- exit, quit Close the managment session, and resume listening on the managment --> management management port for connections from other clients. Currently, -- Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH v2] Clarify and expand management interface documentation
Clarify and expand the documentation for the management interface: * Add examples of static and dynamic challenge/response sequences in the "COMMAND -- password and username" section. * Expand the "Challenge/Response" section with more detail. * Use "management interface client" throughout (instead of "management client", which was used in several places previously). * Clarify when both a username and password are needed, not just a username or a password. * Clarify that an exit with a fatal error for a dynamic C/R will occur only if "--auth-retry none" (the default) is in effect. * Fix a typo. ("posesses" => "possesses"). Signed-off-by: Jonathan K. Bullard --- v2: * Incorporate Selva Nair’s suggestions (thanks!). * Remove incorrect quotes in Example 8. * Use "base 64" throughout instead of "base64". doc/management-notes.txt | 232 --- 1 file changed, 159 insertions(+), 73 deletions(-) diff --git a/doc/management-notes.txt b/doc/management-notes.txt index 96470d0..3935715 100644 --- a/doc/management-notes.txt +++ b/doc/management-notes.txt @@ -12,7 +12,8 @@ as a client or server. The management interface is implemented using a client/server TCP connection or unix domain socket where OpenVPN will listen on a -provided IP address and port for incoming management client connections. +provided IP address and port for incoming management interface client +connections. The management protocol is currently cleartext without an explicit security layer. For this reason, it is recommended that the @@ -104,7 +105,7 @@ be in the list, and it will cause the management interface to save the "forget-passwords" string in its list of echo parameters. -The management client can use "echo all" to output the full +The management interface client can use "echo all" to output the full list of echoed parameters, "echo on" to turn on real-time notification of echoed parameters via the ">ECHO:" prefix, or "echo off" to turn off real-time notification. @@ -118,10 +119,10 @@ like this: Essentially the echo command allowed us to pass parameters from the OpenVPN server to the OpenVPN client, and then to the -management client (such as a GUI). The large integer is the +management interface client (such as a GUI). The large integer is the unix date/time when the echo parameter was received. -If the management client had issued the command "echo on", +If the management interface client had issued the command "echo on", it would have enabled real-time notifications of echo parameters. In this case, our "forget-passwords" message would be output like this: @@ -141,8 +142,8 @@ COMMAND -- exit, quit Close the managment session, and resume listening on the management port for connections from other clients. Currently, -the OpenVPN daemon can at most support a single management client -any one time. +the OpenVPN daemon can at most support a single management interface +client any one time. COMMAND -- help --- @@ -167,7 +168,7 @@ The hold flag setting is persistent and will not be reset by restarts. OpenVPN will indicate that it is in a hold state by -sending a real-time notification to the management +sending a real-time notification to the management interface client, the parameter indicates how long OpenVPN would wait without UI (as influenced by connect-retry exponential backoff). The UI needs to wait for releasing the hold if it @@ -275,7 +276,7 @@ COMMAND -- password and username OpenVPN is indicating that it needs a password of type "Private Key". - The management client should respond to this query as follows: + The management interface client should respond as follows: password "Private Key" foo @@ -283,8 +284,8 @@ COMMAND -- password and username >PASSWORD:Need 'Auth' username/password - OpenVPN needs a --auth-user-pass password. The management - client should respond: + OpenVPN needs a --auth-user-pass username and password. The + management interface client should respond: username "Auth" foo password "Auth" bar @@ -307,7 +308,8 @@ COMMAND -- password and username >PASSWORD:Verification Failed: 'Private Key' Example 4: The --auth-user-pass username/password failed, - and OpenVPN is exiting: + and OpenVPN will exit with a fatal error if '--auth-retry none' + (which is the default) is in effect: >PASSWORD:Verification Failed: 'Auth' @@ -322,6 +324,37 @@ COMMAND -- password and username >PASSWORD:Auth-Token:foobar + Example 7: Static challenge/response: + +>PASSWORD:Need 'Auth' username/password SC:1,Please enter token PIN + + OpenVPN needs an --auth-user-pass username and password and the + response to a challenge. The user's response to "Please enter + token PIN" should be obtained and included in the management + interface client's response along with the username and password + formatted as described in the Challenge/Response Protocol section + below.