Re: [Openvpn-users] Clarification on auth-gen-token and 2FA
On 27/01/17 08:27, Gert Doering wrote:
> Hi,
>
> On Fri, Jan 27, 2017 at 12:02:21AM +0100, David Sommerseth wrote:
>> On 26/01/17 19:45, Gert Doering wrote:
>>> On Thu, Jan 26, 2017 at 07:36:32PM +0100, David Sommerseth wrote:
>>>> Anyhow ... quick-fix/workaround: Don't use --auth-nocache
>>>
>>> What happens if you have --auth-nocache, the server sends a token, and
>>> the token expires? Will the client get something back that it can
>>> understand as "oh, I need to ask for a new password!"?
>>>
>>> (Sorry, I know I *should* have tested this long ago... :-) )
>>
>> When --auth-nocache is in use, the contents of the password field in
>> struct user_pass are wiped and later ignored, regardless of whether the
>> server sent an --auth-token or not.
>
> Uh. My question did not make sense. Trying again:
>
> What happens if you do NOT have --auth-nocache, the server sends a token,
> and the token expires? Will the client get something back that it can
> understand as "oh, I need to ask for a new password!"?

Ahh! Currently, the client will disconnect due to authentication failure.
This is not optimal, and definitely not how I like it! But to fix that, a
massive code refactoring is needed so that the AUTH_FAILED message is sent
with the proper "sub-code", which can be used on the client to ask for
credentials again. I have already sent some patches to the devel ML, but
those need to be improved a lot before being ready for inclusion.

On the other hand, this is not a very new issue actually. If an external
auth-plugin rejects an authentication, it is the same situation.

--
kind regards,

David Sommerseth
OpenVPN Technologies, Inc

signature.asc
Description: OpenPGP digital signature

--
Check out the vibrant tech community on one of the world's most engaging tech sites, SlashDot.org! http://sdm.link/slashdot
___
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
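The three cases discussed in this thread (client --auth-nocache wiping the cached password, a server token replacing the password while it is valid, and the bare AUTH_FAILED disconnect once the token expires) as a constructed Python model; this is an added example, not OpenVPN's code or anything posted by the thread participants, and the names Server, Client and scenario, the sample user "alice" and the timings are assumptions.

```python
import secrets

# Constructed model of the behaviour described above (client --auth-nocache vs a
# server-pushed --auth-token across renegotiations); not OpenVPN's own code.

class Server:
    def __init__(self, users, token_lifetime=None):
        self.users = users                    # {username: password}, constructed
        self.token_lifetime = token_lifetime  # None means no --auth-gen-token
        self.tokens = {}                      # token -> expiry time (seconds)
    def check_password(self, username, password):
        return self.users.get(username) == password
    def issue_token(self, now):
        token = secrets.token_hex(16)
        self.tokens[token] = now + self.token_lifetime
        return token
    def token_valid(self, token, now):
        return token in self.tokens and now < self.tokens[token]

class Client:
    def __init__(self, username, password, auth_nocache):
        self.username, self.password = username, password
        self.auth_nocache = auth_nocache      # client-side --auth-nocache
        self.token = ""                       # set when the server pushes a token
    def first_auth(self, server, now):
        ok = server.check_password(self.username, self.password)
        if ok and server.token_lifetime is not None:
            self.token = server.issue_token(now)  # token replaces the password
        if self.auth_nocache:
            self.password = ""                    # --auth-nocache wipes it
        return ok
    def renegotiate(self, server, now):
        if self.auth_nocache:
            # Password wiped and any token ignored: user must be prompted again.
            return "PROMPT_REQUIRED"
        if self.token:
            # Expired token: AUTH_FAILED carries no sub-code the client could
            # turn into a fresh prompt, so it disconnects instead.
            ok = server.token_valid(self.token, now)
        else:
            ok = server.check_password(self.username, self.password)
        return "RENEG_OK" if ok else "AUTH_FAILED_DISCONNECT"

def scenario(auth_nocache, token_lifetime, reneg_times):
    # First auth at t=0, then renegotiate at each listed time; return outcomes.
    server = Server({"alice": "s3cret"}, token_lifetime)
    client = Client("alice", "s3cret", auth_nocache)
    assert client.first_auth(server, now=0)
    return [client.renegotiate(server, t) for t in reneg_times]
```

Running scenario(False, 3600, [1800, 7200]) shows the token carrying the first renegotiation and the second one ending in a disconnect, which is the gap in client feedback David describes.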
Re: [Openvpn-users] Clarification on auth-gen-token and 2FA
Hi,

On Fri, Jan 27, 2017 at 12:02:21AM +0100, David Sommerseth wrote:
> On 26/01/17 19:45, Gert Doering wrote:
> > On Thu, Jan 26, 2017 at 07:36:32PM +0100, David Sommerseth wrote:
> >> Anyhow ... quick-fix/workaround: Don't use --auth-nocache
> >
> > What happens if you have --auth-nocache, the server sends a token, and
> > the token expires? Will the client get something back that it can
> > understand as "oh, I need to ask for a new password!"?
> >
> > (Sorry, I know I *should* have tested this long ago... :-) )
>
> When --auth-nocache is in use, the contents of the password field in
> struct user_pass are wiped and later ignored, regardless of whether the
> server sent an --auth-token or not.

Uh. My question did not make sense. Trying again:

What happens if you do NOT have --auth-nocache, the server sends a token,
and the token expires? Will the client get something back that it can
understand as "oh, I need to ask for a new password!"?

gert
--
USENET is *not* the non-clickable part of WWW!                //www.muc.de/~gert/
Gert Doering - Munich, Germany                             g...@greenie.muc.de
fax: +49-89-35655025                        g...@net.informatik.tu-muenchen.de
Re: [Openvpn-users] Clarification on auth-gen-token and 2FA
Hi,

On Thu, Jan 26, 2017 at 07:36:32PM +0100, David Sommerseth wrote:
> Anyhow ... quick-fix/workaround: Don't use --auth-nocache

What happens if you have --auth-nocache, the server sends a token, and
the token expires? Will the client get something back that it can
understand as "oh, I need to ask for a new password!"?

(Sorry, I know I *should* have tested this long ago... :-) )

gert
--
USENET is *not* the non-clickable part of WWW!                //www.muc.de/~gert/
Gert Doering - Munich, Germany                             g...@greenie.muc.de
fax: +49-89-35655025                        g...@net.informatik.tu-muenchen.de
Re: [Openvpn-users] Clarification on auth-gen-token and 2FA
Hi,

On Wed, Jan 25, 2017 at 12:28:25PM -0800, Scott Crooks wrote:
> 2. Does having `auth-nocache` on the client side conflict with
> `auth-gen-token`? Do I need to remove `auth-nocache` from the client side
> to utilize the benefits of `auth-gen-token`?

As far as I understand (and I have not found time to actually *test* this
new stuff for my own setups), you need to remove "auth-nocache". The token
sent from the server effectively "un-caches" the username and password set
by the user anyway, replacing it with the token.

I'm not totally sure what happens when the token expires and the next
renegotiation is due - will the client prompt, or just give up and
disconnect? Definitely worth a test.

gert
--
USENET is *not* the non-clickable part of WWW!                //www.muc.de/~gert/
Gert Doering - Munich, Germany                             g...@greenie.muc.de
fax: +49-89-35655025                        g...@net.informatik.tu-muenchen.de