#904 closed Bug / Defect (fixed)
auth-tokens are purged if auth-nocache is set
Reported by: | crcinau | Owned by: | |
---|---|---|---|
Priority: | major | Milestone: | release 2.4.4 |
Component: | Management | Version: | OpenVPN 2.4.2 (Community Ed) |
Severity: | Not set (select this one, unless you're an OpenVPN developer) | Keywords: | |
Cc: |
Description
When attempting to connect using a One Time Password, it is supported that the server pushes an auth-token to the client. This is supposed to be used for reneg purposes as the original password is now invalid.
When auth-nocache is specified, the auth-token is purged.
When an auth-token is provided via a push to the client, the auth-token should not be purged - regardless of the auth-nocache option.
Management clients like NetworkManager set auth-nocache with no way to change this. NM will resend the OTP via the management interface when authentication is required for a reneg to occur.
Attachments (1)
Change History (5)
Changed 8 years ago by
Attachment: | 0001-management-preserve-wait_for_push-field-when-asking-.patch added |
---|
comment:1 Changed 8 years ago by
comment:2 Changed 8 years ago by
I can confirm that this patch fixes the issue.
Kudos to dazo and ordex.
comment:3 Changed 7 years ago by
Resolution: | → fixed |
---|---|
Status: | new → closed |
Applied to git master and release/2.4
commit 3322c558fa742cb823fa919f682486973abc4f8e master
commit e7ae4040efc5c48e00374f8863da58eef32e0709 release/2.4
Author: Antonio Quartulli <a@...>
Date: Fri Jul 7 22:01:08 2017 +0800

management: preserve wait_for_push field when asking for user/pass

With the introduction of the wait_for_push field in the auth_user_pass structure, we have to make sure that such field is not accidentally erased when the management asks the user for user/pass.

Erasing such field would mess up the logic introduced by ("Ignore auth-nocache for auth-user-pass if auth-token is pushed").

Thanks to David Sommerseth for the preliminary analysis and debugging.

Reported-by: Steven Haigh <netwiz@...>
Signed-off-by: Antonio Quartulli <a@...>
Tested-by: Steven Haigh <netwiz@...>
Acked-by: David Sommerseth <davids@...>
Message-Id: <20170707140108.31612-1-a@...>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15015.html
Signed-off-by: David Sommerseth <davids@...>
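The following is an added illustration of the two behaviours this ticket and the commit message describe: the auth-nocache purge must leave a pushed auth-token in place (the original OTP is single-use and cannot be re-entered), and the management-interface reset must not wipe the wait_for_push state flag along with the secrets. It is not OpenVPN's code; the struct layout, the field names token_pushed and defined, the function names and the sample credentials are all assumptions made for the example.

```c
/* Hypothetical model of the credential-purge logic discussed in this ticket.
 * Added illustration, not OpenVPN's own code: struct, field and function
 * names are assumptions loosely named after the commit message. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define CRED_LEN 64

struct auth_user_pass {
    bool defined;        /* credentials currently hold usable values */
    bool wait_for_push;  /* client expects the server to push an auth-token */
    bool token_pushed;   /* a pushed auth-token has replaced the password (assumed) */
    char username[CRED_LEN];
    char password[CRED_LEN];
};

/* Stand-in for a secure wipe; memset is sufficient for the illustration. */
static void wipe(void *p, size_t n) { memset(p, 0, n); }

/* Called when a renegotiation needs credentials and auth-nocache is set.
 * Behaviour the ticket asks for: a pushed auth-token survives the purge
 * regardless of auth-nocache, because the OTP it replaced is now invalid. */
void purge_credentials(struct auth_user_pass *up, bool auth_nocache)
{
    if (!auth_nocache) {
        return;
    }
    if (up->token_pushed) {
        return; /* keep the token; nothing else could be re-entered */
    }
    wipe(up->password, sizeof(up->password));
    up->defined = false;
}

/* Defective reset, as the commit message describes it: the management code
 * wiped the whole structure, so wait_for_push was lost as well. */
void management_reset_buggy(struct auth_user_pass *up)
{
    wipe(up, sizeof(*up));
}

/* Corrected reset: clear only the secrets and preserve the state flag. */
void management_reset_fixed(struct auth_user_pass *up)
{
    bool keep = up->wait_for_push;
    wipe(up->username, sizeof(up->username));
    wipe(up->password, sizeof(up->password));
    up->defined = false;
    up->wait_for_push = keep;
}

/* Walk through the scenario from the ticket: auth-nocache client, the
 * management interface prompts for user/pass, the server pushes a token,
 * then a renegotiation occurs. Returns true if usable credentials remain. */
bool token_survives_reneg(bool use_fixed_reset)
{
    struct auth_user_pass up = {0};
    up.wait_for_push = true; /* client has asked for a pushed auth-token */

    /* Management interface asks the user for credentials (the reset). */
    if (use_fixed_reset) {
        management_reset_fixed(&up);
    } else {
        management_reset_buggy(&up);
    }
    snprintf(up.username, sizeof(up.username), "%s", "alice");   /* constructed */
    snprintf(up.password, sizeof(up.password), "%s", "123456");  /* constructed OTP */
    up.defined = true;

    /* Server pushes an auth-token; the client only installs it when it was
     * actually waiting for one, which is why the flag matters. */
    if (up.wait_for_push) {
        snprintf(up.password, sizeof(up.password), "%s", "AUTH_TOKEN_EXAMPLE");
        up.token_pushed = true;
    }

    /* Renegotiation with auth-nocache set. */
    purge_credentials(&up, true);
    return up.defined && up.password[0] != '\0';
}
```

With the wiping reset, wait_for_push is cleared before the push arrives, the token is never installed, and the auth-nocache purge leaves the client with no credentials for the renegotiation; with the field-preserving reset the pushed token is installed and survives the purge.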
comment:4 Changed 7 years ago by
Milestone: | release 2.4.3 → release 2.4.4 |
---|
Steven,
I may have found the problematic code. Apparently the management code was wiping all the auth_user_pass attributes, thus messing up with the auth-nocache+token logic we modified not so much time ago.
The attached patch should fix the problem.
If you want, you find master+this_patch at the following URL for you to clone:
https://github.com/ordex/openvpn/tree/management-auth-user-pass
It would be nice if you could test this code and let us know if it solves the issue or not.
Thanks!