Opened 16 months ago

Closed 15 months ago

Last modified 15 months ago

#904 closed Bug / Defect (fixed)

auth-tokens are purged if auth-nocache is set

Reported by: crcinau Owned by:
Priority: major Milestone: release 2.4.4
Component: Management Version: OpenVPN 2.4.2 (Community Ed)
Severity: Not set (select this one, unless you're an OpenVPN developer) Keywords:
Cc:

Description

When attempting to connect using a One Time Password, it is supported that the server pushes an auth-token to the client. This is supposed to be used for reneg purposes as the original password is now invalid.

When auth-nocache is specified, the auth-token is purged.

When an auth-token is provided via a push to the client, the auth-token should not be purged - regardless of the auth-nocache option.

Management clients like NetworkManager set auth-nocache with no way to change this. NM will resend the OTP via the management interface when authentication is required for a reneg to occur.

Attachments (1)

0001-management-preserve-wait_for_push-field-when-asking-.patch (1.5 KB) - added by Antonio 16 months ago.


Change History (5)

comment:1 Changed 16 months ago by Antonio

Steven,
I may have found the problematic code. Apparently the management code was wiping all the auth_user_pass attributes, thus messing up with the auth-nocache+token logic we modified not so much time ago.

The attached patch should fix the problem.

If you want, you can find master+this_patch at the following URL for you to clone:
https://github.com/ordex/openvpn/tree/management-auth-user-pass

It would be nice if you could test this code and let us know if it solves the issue or not.

Thanks!

comment:2 Changed 16 months ago by crcinau

I can confirm that this patch fixes the issue.

Kudos to dazo and ordex.

comment:3 Changed 15 months ago by David Sommerseth

Resolution: fixed
Status: new → closed

Applied to git master and release/2.4

commit 3322c558fa742cb823fa919f682486973abc4f8e  master
commit e7ae4040efc5c48e00374f8863da58eef32e0709  release/2.4

Author: Antonio Quartulli <a@...>
Date:   Fri Jul 7 22:01:08 2017 +0800

    management: preserve wait_for_push field when asking for user/pass
    
    With the introduction of the wait_for_push field in the auth_user_pass
    structure, we have to make sure that such field is not accidentally
    erased when the management asks the user for user/pass.
    
    Erasing such field would mess up the logic introduced by
    ("Ignore auth-nocache for auth-user-pass if auth-token is pushed").
    
    Thanks to David Sommerseth for the preliminary analysis and debugging.
    
    Reported-by: Steven Haigh <netwiz@...>
    Signed-off-by: Antonio Quartulli <a@...>
    Tested-by: Steven Haigh <netwiz@...>
    Acked-by: David Sommerseth <davids@...>
    Message-Id: <20170707140108.31612-1-a@...>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15015.html
    Signed-off-by: David Sommerseth <davids@...>
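
The failure the ticket describes and the fix in the commit message above, sketched in C as an added example. This is not OpenVPN's code: the struct layout, the field and function names, and the order of calls are assumptions modelled on the ticket's terminology (auth_user_pass, wait_for_push, auth-nocache, pushed auth-token).

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define CRED_LEN 64

struct user_pass {                /* assumed layout, not OpenVPN's struct */
    bool nocache;                 /* --auth-nocache is in effect */
    bool wait_for_push;           /* a pushed auth-token is expected */
    char username[CRED_LEN];
    char password[CRED_LEN];
};

/* Management asks the user for user/pass (e.g. NetworkManager supplying an OTP).
 * The buggy code cleared the whole struct; the fix also restores wait_for_push. */
static void management_query_user_pass(struct user_pass *up, const char *user,
                                       const char *pass, bool fixed)
{
    bool nocache = up->nocache;
    bool wait_for_push = up->wait_for_push;
    memset(up, 0, sizeof(*up));   /* wipes every field, flags included */
    snprintf(up->username, CRED_LEN, "%s", user);
    snprintf(up->password, CRED_LEN, "%s", pass);
    up->nocache = nocache;        /* nocache was already being put back */
    if (fixed) { up->wait_for_push = wait_for_push; }  /* what the patch keeps */
}

/* Server pushed an auth-token: it replaces the OTP, which is now invalid. */
static void apply_pushed_token(struct user_pass *up, const char *token)
{
    snprintf(up->password, CRED_LEN, "%s", token);
}

/* auth-nocache purge, skipped when a pushed token must be kept for reneg. */
static void purge_after_use(struct user_pass *up)
{
    if (up->nocache && !up->wait_for_push) {
        memset(up->password, 0, sizeof(up->password));
    }
}

/* The ticket's sequence; returns true if the token is still there at reneg time. */
static bool token_survives_reneg(bool fixed)
{
    struct user_pass up = { .nocache = true, .wait_for_push = true };
    management_query_user_pass(&up, "alice", "123456", fixed); /* constructed OTP */
    apply_pushed_token(&up, "CONSTRUCTED-AUTH-TOKEN");          /* constructed token */
    purge_after_use(&up);
    return up.password[0] != '\0';
}
```

With the flag lost, the purge runs and the pushed token is gone when renegotiation needs it; with the flag preserved, the purge is skipped and the token survives.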

comment:4 Changed 15 months ago by David Sommerseth

Milestone: release 2.4.3 → release 2.4.4