| 5104 | <P> |
| 5105 | Additionally, to allow for a smoother transition, if NCP is enabled, OpenVPN |
| 5106 | will inherit the cipher of the peer if that cipher is different from the local |
| 5107 | <B>--cipher</B> |
| 5108 | |
| 5109 | setting, but the peer cipher is one of the ciphers specified in |
| 5110 | <B>--ncp-ciphers</B>. |
| 5111 | |
| 5112 | E.g. a non-NCP client (<=2.3, or with --ncp-disabled set) connecting to an |
| 5113 | NCP server (2.4+) with "--cipher BF-CBC" and "--ncp-ciphers |
| 5114 | AES-256-GCM:AES-256-CBC" set can either specify "--cipher BF-CBC" or |
| 5115 | "--cipher AES-256-CBC" and both will work. |
| 6213 | <DT><B>--auth-token token</B> |
| 6214 | |
| 6215 | <DD> |
| 6216 | This is not an option to be used directly in any configuration files, |
| 6217 | but rather one to be pushed from a |
| 6218 | <B>--client-connect</B> |
| 6219 | |
| 6220 | script or a |
| 6221 | <B>--plugin</B> |
| 6222 | |
| 6223 | which hooks into the OPENVPN_PLUGIN_CLIENT_CONNECT or |
| 6224 | OPENVPN_PLUGIN_CLIENT_CONNECT_V2 calls. This option provides |
| 6225 | a possibility to replace the client's password with an authentication |
| 6226 | token during the lifetime of the OpenVPN client. |
| 6227 | <P> |
| 6228 | Whenever the connection is renegotiated and the |
| 6229 | <B>--auth-user-pass-verify</B> |
| 6230 | |
| 6231 | script or |
| 6232 | <B>--plugin</B> |
| 6233 | |
| 6234 | making use of the OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY hook is |
| 6235 | triggered, it will pass over this token as the password |
| 6236 | instead of the password the user provided. The authentication |
| 6237 | token can only be reset by a full reconnect where the server |
| 6238 | can push new options to the client. The password the user entered |
| 6239 | is never preserved once an authentication token has been set. If |
| 6240 | the OpenVPN server side rejects the authentication token, the |
| 6241 | client will receive an AUTH_FAIL and disconnect. |
| 6242 | <P> |
| 6243 | The purpose of this is to enable two-factor authentication |
| 6244 | methods, such as HOTP or TOTP, to be used without needing to |
| 6245 | retrieve a new OTP code each time the connection is renegotiated. |
| 6246 | Another use case is to cache authentication data on the client |
| 6247 | without needing to have the user's password cached in memory |
| 6248 | during the lifetime of the session. |
| 6249 | <P> |
| 6250 | To make use of this feature, the |
| 6251 | <B>--client-connect</B> |
| 6252 | |
| 6253 | script or |
| 6254 | <B>--plugin</B> |
| 6255 | |
| 6256 | needs to put |
| 6257 | <P> |
| 6258 | <PRE> |
| 6259 | <B>push "auth-token UNIQUE_TOKEN_VALUE" |
| 6260 | </B></PRE> |
| 6261 | |
| 6262 | <P> |
| 6263 | into the file/buffer for dynamic configuration data. This |
| 6264 | will then make the OpenVPN server push this value to the |
| 6265 | client, which replaces the local password with the |
| 6266 | UNIQUE_TOKEN_VALUE. |
| 6267 | |
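A complete hook script implementing the procedure above, added here as an example and not taken from OpenVPN itself: it mints and pushes the token from the --client-connect hook, accepts it in place of the password in the --auth-user-pass-verify hook (via-file form), and forgets it on --client-disconnect. It assumes OpenVPN exports script_type and common_name to these hooks and passes the relevant file as $1, that TOKEN_DIR (hypothetical) is an existing root-only directory, and verify_real_password stands in for the site's own HOTP/TOTP check.

```shell
#!/bin/sh
# Added example, not OpenVPN's own code: one script serving as the
# --client-connect, --auth-user-pass-verify (via-file) and --client-disconnect
# hook for the auth-token flow. Assumed: OpenVPN exports script_type and
# common_name, passes the dynamic-config file (client-connect) or the
# username/password file (auth-user-pass-verify) as $1, and TOKEN_DIR
# (hypothetical; default below) is an existing root-only directory.

token_dir() { printf '%s' "${TOKEN_DIR:-/var/run/openvpn-tokens}"; }

# Reject common names that could escape TOKEN_DIR when used as a file name.
safe_cn() { case "$1" in ''|.*|*/*) return 1 ;; esac; }

# 32 random bytes from /dev/urandom rendered as 64 hex characters.
gen_token() { head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'; }

# issue_token CN DYNFILE: mint a token for CN, store it mode 0600 and append
# the push directive to the dynamic configuration file.
issue_token() {
    safe_cn "$1" || return 1
    tok=$(gen_token) && [ "${#tok}" -eq 64 ] || return 1
    ( umask 077; printf '%s\n' "$tok" > "$(token_dir)/$1" ) || return 1
    printf 'push "auth-token %s"\n' "$tok" >> "$2"
}

# verify_token CN PASSWORD: succeed only if PASSWORD is the token issued to CN
# (plain string compare; not constant-time).
verify_token() {
    safe_cn "$1" || return 1
    f="$(token_dir)/$1"
    [ -f "$f" ] || return 1
    stored=$(cat "$f") && [ -n "$stored" ] && [ "$stored" = "$2" ]
}

# revoke_token CN: forget the token so it cannot be reused after disconnect.
revoke_token() { safe_cn "$1" && rm -f "$(token_dir)/$1"; }

# verify_real_password USER PASSWORD: placeholder for the site's HOTP/TOTP
# check of a freshly entered password; always fails here.
verify_real_password() { return 1; }

# Dispatch on the hook OpenVPN invoked; does nothing when run by hand.
case "${script_type:-}" in
    client-connect)    issue_token "$common_name" "$1" ;;
    client-disconnect) revoke_token "$common_name" ;;
    user-pass-verify|auth-user-pass-verify)
        user=$(sed -n 1p "$1"); pass=$(sed -n 2p "$1")
        verify_token "$common_name" "$pass" || verify_real_password "$user" "$pass" ;;
esac
```

Because the token is only re-issued by --client-connect, a full reconnect is what rotates it, matching the behaviour described above.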