Opened 4 years ago

Closed 4 years ago

#747 closed Bug / Defect (notabug)

auth-user-pass-verify via-env password is not transfered to the script

Reported by: lhejrovsky Owned by:
Priority: major Milestone:
Component: Generic / unclassified Version: OpenVPN 2.2.2 (Community Ed)
Severity: Not set (select this one, unless your'e a OpenVPN developer) Keywords: password verify env empty
Cc:

Description

OpenVPN 2.3.12 x86_64-redhat-linux-gnu
When option auth-user-pass-verify via-env is used, I can print username, but password is empty.

openvpnserver.conf:
auth-user-pass-verify /etc/openvpn/LDAP/test.pl via-env

Example test script here:


#! /usr/bin/perl

my $u = $ENV{'username'};
my $p = $ENV{'password'};
print($u);
print($p);


Folowing script writes username to the openvpn log file, but password is not written. Apparently the variable $p is empty.

I know the password is passed from client to OpenVPN server fine, because I run succesfull test with "via-file" method, where both username and password were written to the temp file.

Change History (4)

comment:1 Changed 4 years ago by Steffan Karger

Did you set --script-security 3?

From the man page:

      --script-security level
              This directive offers policy-level control over OpenVPN's  usage
              of  external  programs and scripts.  Lower level values are more
              restrictive, higher values are more  permissive.   Settings  for
              level:

              0 -- Strictly no calling of external programs.
              1  -- (Default) Only call built-in executables such as ifconfig,
              ip, route, or netsh.
              2 -- Allow calling  of  built-in  executables  and  user-defined
              scripts.
              3  --  Allow passwords to be passed to scripts via environmental
              variables (potentially unsafe).

Also note the potentially unsafe. So consider not passing the variable through the environment.

comment:2 Changed 4 years ago by lhejrovsky

Oh dear! You are totally right. I overlooked this option because on hundreds years old server I used before, it was not needed. Thank you so much!

comment:3 in reply to:  1 Changed 4 years ago by lhejrovsky

Replying to syzzer:

Also note the potentially unsafe. So consider not passing the variable through the environment.

Some time ago, the only method authenticating against Active Directory I was able to make work was this with script "openvpn-super.pl".
Is there better way now?

comment:4 Changed 4 years ago by Steffan Karger

Resolution: notabug
Status: newclosed

Well, the man page explains:

       --auth-user-pass-verify cmd method
              [...]

              If  method is set to "via-file", OpenVPN will write the username
              and password to the first two lines of a  temporary  file.   The
              filename  will  be passed as an argument to script, and the file
              will be  automatically  deleted  by  OpenVPN  after  the  script
              returns.   The  location  of the temporary file is controlled by
              the --tmp-dir option, and will default to the current  directory
              if  unspecified.   For security, consider setting --tmp-dir to a
              volatile storage medium such as /dev/shm (if available) to  pre‐
              vent the username/password file from touching the hard drive.

So, change 'method' to via-file, and change the script to read the username and password from the file.

I'm closing this ticket now, as it's not a bug.

Note: See TracTickets for help on using tickets.