diff options
author | Arne Schwabe | 2023-03-01 14:53:53 +0100 |
---|---|---|
committer | Gert Doering | 2023-03-20 17:25:37 +0100 |
commit | da083c3b9bc1b5720a4dcbef9c32bbbbec0dcce6 (patch) | |
tree | 66925a7aaa4683430a80e31fbf52014397c015f5 /doc | |
parent | 31279f71ab4124516fd0c2143f67a0c3f008ad20 (diff) | |
download | openvpn-da083c3b9bc1b5720a4dcbef9c32bbbbec0dcce6.zip openvpn-da083c3b9bc1b5720a4dcbef9c32bbbbec0dcce6.tar.gz |
Make sending plain text control message session aware
The control messages coming from auth pending should always be on the
session that triggered them (i.e. INITIAL or ACTIVE) and not always on the
active session. Rework the code path that trigger those messsages from
management and plugin/script to specify the TLS session.
We only support the two TLS sessions that are supposed to be active. TLS
sessions in any lame slot (TM_LAME or KS_LAME) are not considered to be
candidates for sending messages as these slots only serve to keep key
material around.
Unfortunately, this fix requires the management interface to be changed
to allow including the specific session the messages should to go to. As
there are very few users of this interface with auth-pending, I made this
a hard change instead of adding hacky workaround code that is not always
working correctly anyway.
send_control_channel_string() will continue to only use the primary session
and key but the current users of that (push replys and exit notification)
already require the established session to be the active one, so there
no changes needed at the moment.
Github: fixes OpenVPN/openvpn#256
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230301135353.2811069-2-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26320.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit a261e173341f8e68505a6ab5a413d09b0797a459)
Diffstat (limited to 'doc')
-rw-r--r-- | doc/management-notes.txt | 13 |
1 files changed, 9 insertions, 4 deletions
diff --git a/doc/management-notes.txt b/doc/management-notes.txt index 34f301d..b9947fa 100644 --- a/doc/management-notes.txt +++ b/doc/management-notes.txt @@ -613,10 +613,10 @@ COMMAND -- client-pending-auth (OpenVPN 2.5 or higher) Instruct OpenVPN server to send AUTH_PENDING and INFO_PRE message to signal a pending authenticating to the client. A pending auth means -that the connecting requires extra authentication like a one time +that connecting requires extra authentication like a one time password or doing a single sign on via web. - client-pending-auth {CID} {EXTRA} {TIMEOUT} + client-pending-auth {CID} {KID} {EXTRA} {TIMEOUT} The server will send AUTH_PENDING and INFO_PRE,{EXTRA} to the client. If the client supports accepting keywords to AUTH_PENDING (announced via IV_PROTO), @@ -639,11 +639,16 @@ Both client and server limit the maximum timeout to the smaller value of half th For the format of {EXTRA} see below. For OpenVPN server this is a stateless operation and needs to be followed by a client-deny/client-auth[-nt] command -(that is the result of the out of band authentication). +(that is the result of the out-of-band authentication). + +Note that the {KID} argument has been added in management version 5 +to specify the pending client key the authentication belongs to. +This ensures that the pending auth message is tied strictly to the +authentication session. Before issuing a client-pending-auth to a client instead of a client-auth/client-deny, the server should check the IV_SSO -environment variable for whether the method is supported. Currently +environment variable for whether the method is supported. Currently, defined methods are crtext for challenge/response using text (e.g., TOTP), openurl (deprecated) and webauth for opening a URL in the client to continue authentication. A client supporting webauth and |