Opened 8 years ago
Closed 8 years ago
#747 closed Bug / Defect (notabug)
auth-user-pass-verify via-env password is not transfered to the script
Reported by: | lhejrovsky | Owned by: | |
---|---|---|---|
Priority: | major | Milestone: | |
Component: | Generic / unclassified | Version: | OpenVPN 2.2.2 (Community Ed) |
Severity: | Not set (select this one, unless you're an OpenVPN developer) | Keywords: | password verify env empty |
Cc: | | | |
Description
OpenVPN 2.3.12 x86_64-redhat-linux-gnu
When option auth-user-pass-verify via-env is used, I can print username, but password is empty.
openvpnserver.conf:
auth-user-pass-verify /etc/openvpn/LDAP/test.pl via-env
Example test script here:
#! /usr/bin/perl
use strict;
use warnings;

# With "via-env", OpenVPN exports the client's credentials as the
# environment variables "username" and "password" (requires --script-security 3).
my $u = $ENV{'username'} // '';
my $p = $ENV{'password'} // '';

# Test script only: print both values so they appear in the OpenVPN log.
print("username=$u\n");
print("password=$p\n");
The following script writes the username to the OpenVPN log file, but the password is not written. Apparently the variable $p is empty.
I know the password is passed from the client to the OpenVPN server fine, because I ran a successful test with the "via-file" method, where both username and password were written to the temp file.
Change History (4)
comment:1 follow-up: 3 Changed 8 years ago by
comment:2 Changed 8 years ago by
Oh dear! You are totally right. I overlooked this option because on the hundreds-of-years-old server I used before, it was not needed. Thank you so much!
comment:3 Changed 8 years ago by
Replying to syzzer:
Also note the potentially unsafe. So consider not passing the variable through the environment.
Some time ago, the only method of authenticating against Active Directory I was able to make work was this one, with the script "openvpn-super.pl".
Is there a better way now?
comment:4 Changed 8 years ago by
Resolution: | → notabug |
---|---|
Status: | new → closed |
Well, the man page explains:
--auth-user-pass-verify cmd method [...] If method is set to "via-file", OpenVPN will write the username and password to the first two lines of a temporary file. The filename will be passed as an argument to script, and the file will be automatically deleted by OpenVPN after the script returns. The location of the temporary file is controlled by the --tmp-dir option, and will default to the current directory if unspecified. For security, consider setting --tmp-dir to a volatile storage medium such as /dev/shm (if available) to prevent the username/password file from touching the hard drive.
So, change 'method' to via-file, and change the script to read the username and password from the file.
I'm closing this ticket now, as it's not a bug.
Did you set
--script-security 3
? From the man page:
Also note the potentially unsafe. So consider not passing the variable through the environment.
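As an added example (not part of the ticket, and not OpenVPN's own code), this is what a "via-file" verify script can look like once the method is switched as comment:4 suggests: it reads the username from line 1 and the password from line 2 of the temporary file OpenVPN passes as argv[1], and checks them against a hashed credential store. The config lines in the docstring, the file path /etc/openvpn/verify.py and the user "alice" are assumptions for illustration.

```python
#!/usr/bin/env python3
"""auth-user-pass-verify script for the "via-file" method (added example).

Assumed server configuration (not taken from the ticket):
  auth-user-pass-verify /etc/openvpn/verify.py via-file
  script-security 2
  tmp-dir /dev/shm
OpenVPN writes the username to line 1 and the password to line 2 of a temp
file, passes its path as argv[1], and deletes it after the script returns.
Exit status 0 accepts the client, anything else rejects it.
"""
import hashlib
import hmac
import sys

ITERATIONS = 100_000  # PBKDF2 work factor; tune for the server's CPU budget


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive the stored verifier from a password and a per-user salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


# Constructed credential store: username -> (salt, verifier). No plaintext.
USERS = {
    "alice": (b"constructed-salt-1", hash_password("correct horse", b"constructed-salt-1")),
}


def parse_credentials(text: str):
    """Split the via-file contents into (username, password), or None.

    Only the line break is removed: passwords may start or end with spaces,
    so no stripping beyond that. Lines after the second are ignored, since
    OpenVPN only defines the first two.
    """
    lines = text.split("\n")
    return (lines[0], lines[1]) if len(lines) >= 2 else None


def verify(username: str, password: str) -> bool:
    """Constant-time comparison of the derived verifier against the store."""
    entry = USERS.get(username)
    if entry is None:
        hash_password(password, b"dummy-salt")  # same cost for unknown users
        return False
    salt, expected = entry
    return hmac.compare_digest(hash_password(password, salt), expected)


def verify_file(path: str) -> bool:
    """Read the OpenVPN temp file and verify the credentials in it."""
    with open(path, "r", encoding="utf-8", errors="surrogateescape") as fh:
        creds = parse_credentials(fh.read())
    return creds is not None and verify(*creds)


if __name__ == "__main__":
    sys.exit(0 if len(sys.argv) == 2 and verify_file(sys.argv[1]) else 1)
```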