| author | Gert Doering | 2020-07-15 11:01:05 +0200 |
|---|---|---|
| committer | Gert Doering | 2020-07-15 19:50:16 +0200 |
| commit | c83b197a72a6f909a4ddcded027469f0da5d4a24 (patch) | |
| tree | c36c26f739498dc30b30cb4a3ca265c23783e058 /doc/man-sections/server-options.rst | |
| parent | 90ed0fd2df37441dd6fc368ece006e4dd49093e9 (diff) | |
| download | openvpn-c83b197a72a6f909a4ddcded027469f0da5d4a24.zip openvpn-c83b197a72a6f909a4ddcded027469f0da5d4a24.tar.gz | |
Add deferred authentication support to plugin-auth-pam
If OpenVPN signals deferred authentication support (by setting
the internal environment variables "auth_control_file" and
"deferred_auth_pam"), do not wait for the PAM stack to finish. Instead,
the privileged PAM process returns RESPONSE_DEFER via the control
socket, which gets turned into OPENVPN_PLUGIN_FUNC_DEFERRED towards
openvpn.
The PAM process will then fork() and handle all the PAM auth in
the new process, signalling success/failure back by means of the
auth_control_file (forking twice, to simplify wait() handling).
With the extra fork(), multiple deferred authentications can run at
the same time - otherwise the first one would block the next auth
call (because the child would not be ready again to read from the
control socket).
Lightly tested on Linux.
Signed-off-by: Gert Doering <gert@greenie.muc.de>
--
v2:
- only do deferred auth if "deferred_auth_pam" is set (env)
- put deferred auth logic into do_deferred_pam_auth()
- line-wrap lines where needed
- close "background end" of socketpair in deferred auth process
- remove leftover /* plugin_log() */ lines from initial testing
- tested over a few hundred "15s delayed" authentication cycles
v3:
- uncrustify new code
- do not abort background process if do_deferred_pam_auth() fails
(this can only happen if fork() fails, which is assumed to be
temporary, or if something is wrong with the socketpair which we
should notice on the next read()) --> change do_deferred_pam_auth()
to "void"
- add documentation to README.auth-pam and Changes.rst
Acked-by: Selva Nair <selva.nair@gmail.com>
Message-Id: <20200715090105.22296-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20361.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Diffstat (limited to 'doc/man-sections/server-options.rst')
0 files changed, 0 insertions, 0 deletions
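The double-fork arrangement the commit message describes, as an added illustration that is not the plugin's own code: the grandchild does the slow check and writes "1" or "0" to the auth_control_file while the caller reaps the intermediate child at once, and a poller on the other side reads the verdict. The PAM stack is replaced by a stand-in check with constructed credentials, and the file names are hypothetical.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>
#include <poll.h>

/* Stand-in for the PAM stack; constructed credentials, not a real PAM call. */
static int simulated_pam_check(const char *user, const char *pass)
{
    return strcmp(user, "alice") == 0 && strcmp(pass, "correct horse") == 0;
}

/* auth_control_file protocol: the plugin writes "1" (accept) or "0" (reject). */
static void write_verdict(const char *control_file, int accepted)
{
    FILE *f = fopen(control_file, "w");
    if (f != NULL) { fputc(accepted ? '1' : '0', f); fclose(f); }
}

/* Double fork as in the commit: the intermediate child exits at once so the caller reaps
 * it immediately; the grandchild (reparented to init) runs the slow check, leaving the
 * caller free to service the next auth request. Returns 0 = started, -1 = fork failed. */
int start_deferred_auth(const char *control_file, const char *user, const char *pass)
{
    unlink(control_file);             /* a stale verdict from an earlier run must not count */
    pid_t child = fork();
    if (child < 0) return -1;
    if (child == 0) {
        pid_t grandchild = fork();
        if (grandchild < 0) { write_verdict(control_file, 0); _exit(1); }  /* fail closed */
        if (grandchild == 0) { write_verdict(control_file, simulated_pam_check(user, pass)); _exit(0); }
        _exit(0);                     /* intermediate child: exit so the parent's wait() returns */
    }
    waitpid(child, NULL, 0);          /* returns at once; no zombie, no blocking on the PAM run */
    return 0;
}

/* The openvpn side: poll the control file. Returns 1 accept, 0 reject, -1 on timeout. */
int read_verdict(const char *control_file, int timeout_ms)
{
    for (int waited = 0; waited <= timeout_ms; waited += 10) {
        FILE *f = fopen(control_file, "r");
        if (f != NULL) { int c = fgetc(f); fclose(f); if (c == '1' || c == '0') return c - '0'; }
        poll(NULL, 0, 10);            /* sleep 10 ms between polls */
    }
    return -1;
}
```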