Comments (6)
This sounds like the wrong approach to me.
OpenVPN 2.6 and OpenVPN 3 Linux should support more ways of deferred authentication. The client can get an "authentication failure" with a request for further authentication; known as the dynamic challenge protocol. I don't have a perfect example to provide, but I believe it should be possible to test and build a test case out of the sample/sample-scripts/totpauth.py example.
So if the plug-in you use could be extended to support this approach, this should be possible to be done without modifying OpenVPN at all.
from openvpn3-linux.
@dsommers AFAICS the scripts are called after common_name is set, i.e. username has already been retrieved.
from openvpn3-linux.
@andreas-p you are mixing here some shortcoming of the OpenVPN server implementation with the protocol itself. The protocol itself will already use an empty user and empty password to indicate that no user/password has been provided.
I am not sure what providing some random username/password will accomplish here that gets ignored on the server anyway. And providing null data is just what the protocol already does when you do not have the auth-user-pass
option in your config.
@andreas-p common_name is not the same as username. common name comes from the certificate. There is an option username-as-common-name
for OpenVPN 2.x but these two are two different things.
from openvpn3-linux.
@schwabe With "protocol" mentioned in the first post I meant not the OpenVPN-Protocol itself, but the user/passwd handling of openvpn3 itself.
To make my statement more precise:
I believe that deferred auth (from scripts or webauthn or so) is always performed after any normal auth, certificate and/or username/password, right? Which means I can't suppress the password by script.
from openvpn3-linux.
Yeah, you have to preconfigure whether you want to ask for username/password or not by adding or not adding auth-user-pass
in the client config. I am not sure what problem you are trying to solve here on the client side.
from openvpn3-linux.
So just to conclude here.
- The auth-user-pass option in the client configuration will request the client to ask for user credentials before connecting. This option may not be needed in all configurations.
- When the client connects to the server, the first part of the authentication is the client certificate. Username/password/2FA credentials are checked after the certificate checks, unless client certificate checks are disabled (server side configuration, see the --verify-client-cert option in the man page for details). The client configuration does not need to have a certificate/key configured.
- The server side may in addition reject the connection if authentication did not pass. The server may send a request back to the client to provide a specific credential.
- How the server side responds in the "authenticate username/password" phase when this information is missing is entirely up to the authentication script or plug-in. OpenVPN itself does not do anything in regards to the authentication itself; it passes the credentials to the script/plug-in and responds to the OpenVPN client based on the result of the script/plug-in.
Is something unclear here?
I'm converting this issue to a discussion, as this does not look like an issue OpenVPN 3 Linux need to solve programmatically.
from openvpn3-linux.
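To make the last point of the discussion concrete, here is an added example of a server-side --auth-user-pass-verify script in the via-file style. It is not code from openvpn3-linux or from any participant in the thread. OpenVPN 2.x calls such a script with the path of a temporary file whose first line is the username and second line the password, exports the verified certificate's common name as the common_name environment variable, and takes exit status 0 as "accepted" and 1 as "rejected". The script shows one policy for the "credentials missing" case discussed above: an empty username and password (what a client without auth-user-pass sends) is accepted only for common names in a cert-only allow list, and everyone else must pass a password check. The allow list, the password store, the salt and the sample inputs are constructed for the example and are assumptions, not anything the thread specifies.

```python
#!/usr/bin/env python3
"""Example --auth-user-pass-verify script (via-file method).

Configured on the OpenVPN 2.x server as:
    auth-user-pass-verify /etc/openvpn/auth.py via-file
By the time this runs, OpenVPN has already verified the client
certificate (unless --verify-client-cert is set to none/optional).
Exit 0 = credentials accepted, 1 = rejected.
"""
import hashlib
import hmac
import os
import sys

# Constructed for the example: common names (from the client certificate)
# for which the certificate alone is sufficient, i.e. an empty
# username/password pair is acceptable.
CERT_ONLY_COMMON_NAMES = {"backup-host-01"}

# Constructed for the example: a salted SHA-256 password store.
# A real deployment would use a proper KDF and an external backend.
_SALT = b"example-salt"
PASSWORD_STORE = {
    "alice": hashlib.sha256(_SALT + b"correct horse").hexdigest(),
}


def parse_credentials(text):
    """Parse via-file content: line 1 is the username, line 2 the password.
    Both lines are empty when the client has no auth-user-pass option."""
    lines = text.split("\n")
    username = lines[0] if len(lines) > 0 else ""
    password = lines[1] if len(lines) > 1 else ""
    return username, password


def read_credentials(path):
    """Read the temporary credentials file OpenVPN passes as argv[1]."""
    with open(path, "r", encoding="utf-8") as fh:
        return parse_credentials(fh.read())


def password_ok(username, password):
    """Constant-time comparison against the (constructed) password store."""
    expected = PASSWORD_STORE.get(username)
    if expected is None:
        return False
    digest = hashlib.sha256(_SALT + password.encode("utf-8")).hexdigest()
    return hmac.compare_digest(digest, expected)


def decide(common_name, username, password):
    """Return the exit status OpenVPN expects: 0 accept, 1 reject."""
    if username == "" and password == "":
        # No credentials supplied at all: only cert-only clients pass.
        return 0 if common_name in CERT_ONLY_COMMON_NAMES else 1
    return 0 if password_ok(username, password) else 1


def main():
    if len(sys.argv) != 2:
        print("usage: auth.py <credentials-file>", file=sys.stderr)
        return 1
    username, password = read_credentials(sys.argv[1])
    return decide(os.environ.get("common_name", ""), username, password)


if __name__ == "__main__":
    sys.exit(main())
```

The policy lives entirely in decide(): OpenVPN only relays the two strings and the common name and acts on the exit status, which is the division of labour the thread describes. OpenVPN 2.x also accepts exit status 2 from such a script to defer the decision, in which case the verdict is written later to the file named by the auth_control_file environment variable; that is the hook a TOTP or web-based second factor would use instead of the immediate check shown here.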