Re: [Openvpn-devel] Is auth-nocache broken?
Hi,

On Wed, Oct 19, 2022 at 4:56 PM Gert Doering wrote:
> Hi,
>
> On Wed, Oct 19, 2022 at 02:33:27PM -0400, Selva Nair wrote:
> > Using --auth-user-pass, --auth-nocache and --reneg-sec , no
> > auth-tokens in use, I see that username/password is prompted on the first
> > connection attempt and at first renegotiation. After that reneg completes
> > without prompting for user/pass.
>
> It's possibly we broke that by trying to repair all the corner cases
> with either pushing tokens from the server, or *not* using auth-nocache.
>
> I assume you tested with master?
>
> (Unfortunately my automated tests all use "username + passwords are
> coming from a file", which means "send the same one as before" and
> "go read the file again" both produce the same effect... having
> a management-interface driven client test would help here... no
> time yet to write one)

This has been broken for a while now -- since commit dfd624b52bce7ddd0eeaab516df9848e432f3242 (*2.4 and 2.5 are also affected*).

That commit changed the earlier delayed purge logic to

-if (!auth_user_pass.wait_for_push)
+if (!session->opt->pull)
 {
     purge_user_pass(_user_pass, false);
 }

In clients that pull, "wait_push" used to be set to false on completing the first negotiation, but after this change we are not purging user/pass at all at this point. Purging still happens on the first negotiation in "set_auth_token()" as before, but that will not get called during renegs unless auth-token is in use and a new token gets pushed after expiry.

Not clearing the username has been rejected in the past although, somehow, retaining it with the token has been found acceptable. Instead, we went for a convoluted logic that has proven itself to be hard to get right.
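Review bot: the replacement condition `!session->opt->pull` is a fixed property of the session, so on a pulling client this purge never fires at all, whereas the old `!auth_user_pass.wait_for_push` became true once the first push had completed and then held across renegotiations. If the intent was only to defer the purge until the push-time token handling has run, the purge still has to be issued after every renegotiation under --auth-nocache (keep the wait_for_push test, or call purge_user_pass() whenever a renegotiation completes without a pushed token), and the change should say so in its commit message. A prompted or management-interface client with --auth-nocache and a short --reneg-sec is the check that exposes the missing re-prompt; a credentials-from-file setup cannot distinguish the two behaviours.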
A compromise is to continue to clear the username in the auth_user_pass struct for appearances' sake (for the nocache contract), but always retain it in the auth_token struct. That would considerably simplify the logic as well (see e.g., https://github.com/selvanair/openvpn/commit/e9bf3c8227e365099deaadc11d31ac8a0c7668d7 ).

Selva

___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
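The behaviour the thread describes can be reproduced with a small model of the client's credential cache. The following C program is an added example, not OpenVPN code: the structs and functions (model_user_pass, model_purge_user_pass, delayed_purge, simulate_nocache) are assumptions standing in for OpenVPN's user_pass handling, and the sample credentials are constructed. It runs an initial negotiation plus a number of renegotiations under --auth-nocache with the purge condition as it was before the cited commit (wait_for_push) and as it is after it (!pull), counts how often the user is prompted, and checks whether the password is still resident in memory at the end.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Model of the client's cached credentials (assumption: not OpenVPN's struct user_pass). */
struct model_user_pass {
    bool defined;        /* credentials are currently held in memory */
    bool wait_for_push;  /* first PUSH_REPLY has not yet been processed */
    char username[64];
    char password[64];
};

struct model_session_opt {
    bool pull;           /* client pulls options from the server */
};

/* Wipe through a volatile pointer so the compiler cannot drop the stores. */
static void secure_zero(void *p, size_t n)
{
    volatile unsigned char *v = (volatile unsigned char *)p;
    while (n--) {
        *v++ = 0;
    }
}

/* Model of purge_user_pass(): wipe the password, and the username unless asked to keep it. */
static void model_purge_user_pass(struct model_user_pass *up, bool keep_username)
{
    secure_zero(up->password, sizeof(up->password));
    if (!keep_username) {
        secure_zero(up->username, sizeof(up->username));
    }
    up->defined = false;
}

/* Model of prompting the user (or the management interface); counts each prompt. */
static void model_get_user_pass(struct model_user_pass *up, int *prompts)
{
    /* Constructed sample credentials. */
    strncpy(up->username, "alice", sizeof(up->username) - 1);
    strncpy(up->password, "correct-horse", sizeof(up->password) - 1);
    up->defined = true;
    (*prompts)++;
}

/* The delayed purge with the condition before (wait_for_push) and after (!pull) the commit. */
static void delayed_purge(struct model_user_pass *up,
                          const struct model_session_opt *opt, bool after_commit)
{
    bool do_purge = after_commit ? !opt->pull : !up->wait_for_push;
    if (do_purge) {
        model_purge_user_pass(up, false);
    }
}

/* One initial negotiation plus `renegs` renegotiations under --auth-nocache.
 * Returns the number of prompts; the final cache state is copied to out_state if given. */
static int simulate_nocache(bool pull, bool after_commit, int renegs,
                            struct model_user_pass *out_state)
{
    struct model_user_pass up;
    struct model_session_opt opt = { .pull = pull };
    int prompts = 0;
    memset(&up, 0, sizeof(up));

    for (int n = 0; n <= renegs; n++) {
        if (!up.defined) {
            model_get_user_pass(&up, &prompts);   /* nocache contract: ask again */
        }
        /* credentials are sent to the server at this point */
        if (n == 0 && pull) {
            up.wait_for_push = true;              /* waiting for the first PUSH_REPLY */
            up.wait_for_push = false;             /* PUSH_REPLY processed */
            model_purge_user_pass(&up, false);    /* set_auth_token() path: first negotiation only */
        }
        delayed_purge(&up, &opt, after_commit);
    }
    if (out_state) {
        *out_state = up;
    }
    return prompts;
}

/* True if the password survives in memory after two renegotiations on a pulling client. */
static bool password_cached_after(bool after_commit)
{
    struct model_user_pass st;
    simulate_nocache(true, after_commit, 2, &st);
    return st.password[0] != '\0';
}

int main(void)
{
    printf("pull client, old condition:  %d prompts, password cached: %d\n",
           simulate_nocache(true, false, 3, NULL), password_cached_after(false));
    printf("pull client, new condition:  %d prompts, password cached: %d\n",
           simulate_nocache(true, true, 3, NULL), password_cached_after(true));
    return 0;
}
```

With the old condition a pulling client is prompted at every negotiation (four prompts for three renegs) and the password is wiped afterwards; with the post-commit condition it is prompted twice, exactly as observed in the thread, and the password stays resident, which is what the server sees being re-sent.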
Re: [Openvpn-devel] Is auth-nocache broken?
Hi,

On Wed, Oct 19, 2022 at 02:33:27PM -0400, Selva Nair wrote:
> Using --auth-user-pass, --auth-nocache and --reneg-sec , no
> auth-tokens in use, I see that username/password is prompted on the first
> connection attempt and at first renegotiation. After that reneg completes
> without prompting for user/pass.

It's possibly we broke that by trying to repair all the corner cases with either pushing tokens from the server, or *not* using auth-nocache.

I assume you tested with master?

(Unfortunately my automated tests all use "username + passwords are coming from a file", which means "send the same one as before" and "go read the file again" both produce the same effect... having a management-interface driven client test would help here... no time yet to write one)

gert

--
"If was one thing all people took for granted, was conviction that if you feed honest figures into a computer, honest figures come out. Never doubted it myself till I met a computer with a sense of humor." Robert A. Heinlein, The Moon is a Harsh Mistress
Gert Doering - Munich, Germany g...@greenie.muc.de
Re: [Openvpn-devel] Is auth-nocache broken?
> After reneg, the client progresses beyond AUTH state (as reported on Trac
> #1471 (https://community.openvpn.net/openvpn/ticket/1471) which may be
> related. Unless it has been like this all along.

Please ignore that comment -- Trac #1471 is a special case and may not be related at all. In this case there is no state-stuck-at-AUTH issue -- just the password does not get purged.

Selva
[Openvpn-devel] Is auth-nocache broken?
Hi,

Using --auth-user-pass, --auth-nocache and --reneg-sec , no auth-tokens in use, I see that username/password is prompted on the first connection attempt and at first renegotiation. After that reneg completes without prompting for user/pass. Looking at the server it shows the previously entered password is passed in. So auth-nocache is no longer effective after the first renegotiation?

A log snippet using a local build that also prints when purge_user_pass() and get_user_pass_cr() are entered is attached.

After reneg, the client progresses beyond AUTH state (as reported on Trac #1471 (https://community.openvpn.net/openvpn/ticket/1471) which may be related. Unless it has been like this all along.

Selva

Attachment: nocache.log