Opened 8 years ago

Closed 8 years ago

#747 closed Bug / Defect (notabug)

auth-user-pass-verify via-env password is not transfered to the script

Reported by: lhejrovsky
Owned by:
Priority: major
Milestone:
Component: Generic / unclassified
Version: OpenVPN 2.2.2 (Community Ed)
Severity: Not set (select this one, unless you're an OpenVPN developer)
Keywords: password verify env empty
Cc:

Description

OpenVPN 2.3.12 x86_64-redhat-linux-gnu
When the option auth-user-pass-verify via-env is used, I can print the username, but the password is empty.

openvpnserver.conf:
auth-user-pass-verify /etc/openvpn/LDAP/test.pl via-env

Example test script here:


#! /usr/bin/perl
use strict;
use warnings;

# With "via-env" OpenVPN exports the credentials as environment variables
# (this requires --script-security 3, see comment:1).
my $u = $ENV{'username'} // '';
my $p = $ENV{'password'} // '';
print("$u\n");
print("$p\n");


The script above writes the username to the openvpn log file, but the password is not written. Apparently the variable $p is empty.

I know the password is passed from the client to the OpenVPN server fine, because I ran a successful test with the "via-file" method, where both username and password were written to the temp file.

Change History (4)

comment:1 Changed 8 years ago by Steffan Karger

Did you set --script-security 3?

From the man page:

      --script-security level
              This directive offers policy-level control over OpenVPN's  usage
              of  external  programs and scripts.  Lower level values are more
              restrictive, higher values are more  permissive.   Settings  for
              level:

              0 -- Strictly no calling of external programs.
              1  -- (Default) Only call built-in executables such as ifconfig,
              ip, route, or netsh.
              2 -- Allow calling  of  built-in  executables  and  user-defined
              scripts.
              3  --  Allow passwords to be passed to scripts via environmental
              variables (potentially unsafe).

Also note the "potentially unsafe". So consider not passing the variable through the environment.

comment:2 Changed 8 years ago by lhejrovsky

Oh dear! You are totally right. I overlooked this option because on the hundreds-of-years-old server I used before, it was not needed. Thank you so much!

comment:3 in reply to: 1 Changed 8 years ago by lhejrovsky

Replying to syzzer:

Also note the "potentially unsafe". So consider not passing the variable through the environment.

Some time ago, the only method of authenticating against Active Directory I was able to make work was this one, with the script "openvpn-super.pl".
Is there a better way now?

comment:4 Changed 8 years ago by Steffan Karger

Resolution: notabug
Status: new → closed

Well, the man page explains:

       --auth-user-pass-verify cmd method
              [...]

              If  method is set to "via-file", OpenVPN will write the username
              and password to the first two lines of a  temporary  file.   The
              filename  will  be passed as an argument to script, and the file
              will be  automatically  deleted  by  OpenVPN  after  the  script
              returns.   The  location  of the temporary file is controlled by
              the --tmp-dir option, and will default to the current  directory
              if  unspecified.   For security, consider setting --tmp-dir to a
              volatile storage medium such as /dev/shm (if available) to  pre‐
              vent the username/password file from touching the hard drive.

So, change 'method' to via-file, and change the script to read the username and password from the file.

I'm closing this ticket now, as it's not a bug.
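A minimal via-file verify script of the kind comment:4 recommends, added here as an example and not code from the ticket or from the OpenVPN project. OpenVPN hands the script the temp file path as its only argument; exit status 0 accepts the login. The credential store (USERS), the salt and the sample account are constructed placeholders; a real script would look the user up in LDAP/AD instead.

```python
#!/usr/bin/env python3
"""OpenVPN --auth-user-pass-verify helper for the "via-file" method.
Line 1 of the temp file is the username, line 2 the password (per the
man page quoted above).  USERS is a constructed, hypothetical store.
"""
import hashlib
import hmac
import sys

_SALT = b"constructed-demo-salt"  # constructed; use a per-user random salt in practice

def _digest(password: str) -> bytes:
    """Slow, salted hash so the store never holds plaintext passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 50_000)

USERS = {"alice": _digest("correct horse")}  # constructed sample account

def parse_credentials(data: str) -> tuple[str, str]:
    """Split via-file contents into (username, password); lines 3+ are ignored."""
    lines = data.split("\n")
    if len(lines) < 2 or not lines[0]:
        raise ValueError("via-file needs a username line and a password line")
    return lines[0], lines[1]

def verify(username: str, password: str) -> bool:
    """Constant-time comparison; the hash is computed even for unknown users."""
    candidate = _digest(password)
    stored = USERS.get(username)
    return stored is not None and hmac.compare_digest(stored, candidate)

def main(argv: list[str]) -> int:
    if len(argv) != 2:
        print("usage: verify.py <via-file>", file=sys.stderr)
        return 1
    try:
        with open(argv[1], encoding="utf-8", errors="surrogateescape") as fh:
            user, password = parse_credentials(fh.read())
    except (OSError, ValueError) as exc:
        print(f"auth-user-pass-verify: {exc}", file=sys.stderr)
        return 1  # any non-zero status makes OpenVPN reject the login
    return 0 if verify(user, password) else 1

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Point --auth-user-pass-verify at this file with method via-file and keep --tmp-dir on volatile storage as the man page suggests; --script-security 2 is enough, since no password goes through the environment.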
