In their IRC chat they said this was a plugin problem which is why I posted here instead of their trac.
I did post a similar issue because I was going to attempt to use the auth-user-pass-verify script in the meantime to perform this validation, but the script is not passed enough of the certificate to do validation unless the username is contained in the subject (it is in the SAN for my certificates). Here is that link: https://community.openvpn.net/openvpn/ticket/717#no4

I would guess if the RADIUS plugin has access to the certificate it should be trivial to expose opt-in validation logic that wouldn't be backwards incompatible. A simple field matching would probably cover most use cases. It seems like opt-out would be better since the current implementation seems like a security risk, but perhaps backwards compatibility is more important.

** Bug watch added: community.openvpn.net/openvpn/ #717
   https://community.openvpn.net/openvpn/ticket/717

--
https://bugs.launchpad.net/bugs/1607055

Title:
  user can log in with username/password that does not match certificate presented
