#904 closed Bug / Defect (fixed)
auth-tokens are purged if auth-nocache is set
| Reported by: | crcinau | Owned by: | |
|---|---|---|---|
| Priority: | major | Milestone: | release 2.4.4 |
| Component: | Management | Version: | OpenVPN 2.4.2 (Community Ed) |
| Severity: | Not set (select this one, unless your'e a OpenVPN developer) | Keywords: | |
| Cc: |
Description
When attempting to connect using a One Time Password, it is supported that the server pushes an auth-token to the client. This is supposed to be used for reneg purposes as the original password is now invalid.
When auth-nocache is specified, the auth-token is purged.
When an auth-token is provided via a push to the client, the auth-token should not be purged - regardless of the auth-nocache option.
Management clients like NetworkManager? set auth-nocache with no way to change this. NM will resend the OTP via the management interface when authentication is required for a reneg to occur.
Attachments (1)
Change History (5)
Changed 7 years ago by
| Attachment: | 0001-management-preserve-wait_for_push-field-when-asking-.patch added |
|---|
comment:1 Changed 7 years ago by
comment:2 Changed 7 years ago by
I can confirm that this patch fixes the issue.
Kudos to dazo and ordex.
comment:3 Changed 7 years ago by
| Resolution: | → fixed |
|---|---|
| Status: | new → closed |
Applied to git master and release/2.4
commit 3322c558fa742cb823fa919f682486973abc4f8e master
commit e7ae4040efc5c48e00374f8863da58eef32e0709 release/2.4
Author: Antonio Quartulli <a@...>
Date: Fri Jul 7 22:01:08 2017 +0800
management: preserve wait_for_push field when asking for user/pass
With the introduction of the wait_for_push field in the auth_user_pass
structure, we have to make sure that such field is not accidentally
erased when the management asks the user for user/pass.
Erasing such field would mess up the logic introduced by
("Ignore auth-nocache for auth-user-pass if auth-token is pushed").
Thanks to David Sommerseth for the preliminary analysis and debugging.
Reported-by: Steven Haigh <netwiz@...>
Signed-off-by: Antonio Quartulli <a@...>
Tested-by: Steven Haigh <netwiz@...>
Acked-by: David Sommerseth <davids@...>
Message-Id: <20170707140108.31612-1-a@...>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15015.html
Signed-off-by: David Sommerseth <davids@...>
comment:4 Changed 7 years ago by
| Milestone: | release 2.4.3 → release 2.4.4 |
|---|
Note: See
TracTickets for help on using
tickets.
Steven,
I may have found the problematic code. Apparently the management code was wiping all the auth_user_pass attributes, thus messing up with the auth-nocache+token logic we modified not so much time ago.
The attached patch should fix the problem.
If you want, you find master+this_patch at the following URL for you to clone:
https://github.com/ordex/openvpn/tree/management-auth-user-pass
It would nice if you could test this code and let us know if it solves the issue or not.
Thanks!