[PATCH] make client-side authentication methods optional #513

wants to merge 2 commits into
base: master
Changes from 1 commit
17 changes: 17 additions & 0 deletions doc/man-sections/client-options.rst
Expand Up @@ -87,6 +87,23 @@ configuration.
The server configuration must specify an ``--auth-user-pass-verify``
script to verify the username/password provided by the client.

--external-auth
This client-only option indicates that user authentication options in the
client configuration are not mandatory. For security reasons, OpenVPN
requires client-side credentials such as client certificates or a
username/password combination. The OpenVPN server has the capability to
delegate authentication to external systems using the WEBAUTH protocol.
In such cases, client credentials may be omitted.

***Security Considerations***

When the ``--external-auth`` option is enabled in OpenVPN, it bypasses the
check that some form of user authentication method is specified. This
configuration can potentially create a risky environment where an OpenVPN
server operates without requiring authentication. If you opt to utilize
``--external-auth``, it's crucial to thoroughly validate that the OpenVPN
server has been adequately secured.

--auth-retry type
Controls how OpenVPN responds to username/password verification errors
such as the client-side response to an :code:`AUTH_FAILED` message from
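Review bot: `***Security Considerations***` is not standard reStructuredText inline markup (only `*emphasis*` and `**strong**` are), so the heading will render with stray asterisks or trip a docutils warning; a `.. warning::` directive with the paragraph indented beneath it would set the caveat off properly. "WEBAUTH protocol" is not defined or linked anywhere in this hunk, so a reader cannot tell which external-authentication mechanism is meant; name it as the existing documentation does or link to its section. Also, the text calls this a "client-only option", but nothing in the accompanying code changes rejects it in server mode, so either the wording should not promise that or the code should enforce it.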
12 changes: 9 additions & 3 deletions src/openvpn/options.c
Expand Up @@ -499,6 +499,7 @@ static const char usage_message[] =
" and a password on the second. If either the password or both\n"
" the username and the password are omitted OpenVPN will prompt\n"
" for them from console.\n"
"--external-auth : If set, client-side credentials are optional.\n"
"--pull : Accept certain config file options from the peer as if they\n"
" were part of the local config file. Must be specified\n"
" when connecting to a '--mode server' remote host.\n"
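Review bot: the usage line understates what the option does. "client-side credentials are optional" reads like a convenience, whereas the man-page hunk says it disables the startup check that any client-side authentication method is configured and that it only makes sense when the server authenticates the user out of band. Suggest stating that directly, e.g. `"--external-auth : Allow a client config with no cert/key, pkcs12 or auth-user-pass;\n"` followed by a continuation line saying it is client-only and relies on the server authenticating externally, so the help text carries the same caveat as the documentation.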
Expand Down Expand Up @@ -3004,12 +3005,12 @@ options_postprocess_verify_ce(const struct options *options,

if (sum == 0)
{
if (!options->auth_user_pass_file)
if (!options->auth_user_pass_file && !options->external_auth)
{
msg(M_USAGE, "No client-side authentication method is "
"specified. You must use either "
"--cert/--key, --pkcs12, or "
"--auth-user-pass");
"--cert/--key, --pkcs12, "
"--auth-user-pass, or --external-auth");
}
}
else if (sum != 2)
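Review bot: with `external_auth` set, the `sum == 0` branch now falls through silently, so a client that has `--external-auth` in a copied config and simply forgot its `--cert/--key` or `--auth-user-pass` starts with no credentials at all and no log line saying so. Suggest an explicit `msg(M_WARN, ...)` in that branch whenever `options->external_auth` is what suppressed the error, so the condition is visible in the client log rather than only discoverable from the server side.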
Expand Down Expand Up @@ -7917,6 +7918,11 @@ add_option(struct options *options,
options->auth_user_pass_file = "stdin";
}
}
else if (streq(p[0], "external-auth") && !p[1])
{
VERIFY_PERMISSION(OPT_P_GENERAL);
options->external_auth = true;
}
else if (streq(p[0], "auth-retry") && p[1] && !p[2])
{
VERIFY_PERMISSION(OPT_P_GENERAL);
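Review bot: `VERIFY_PERMISSION(OPT_P_GENERAL)` accepts `--external-auth` anywhere a general option is allowed, including a server configuration, while the documentation hunk describes it as client-only; neither this hunk nor the `options_postprocess_verify_ce` hunk rejects it in server mode. Add a check (in `options_postprocess_verify_ce`, where the rest of the auth-method validation already lives) that fails with `M_USAGE` when `external_auth` is set in server mode, so the option cannot weaken a server's configuration by accident.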
1 change: 1 addition & 0 deletions src/openvpn/options.h
Expand Up @@ -542,6 +542,7 @@ struct options
const char *auth_user_pass_file;
bool auth_user_pass_file_inline;
struct options_pre_connect *pre_connect;
bool external_auth;

int scheduled_exit_interval;

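Review bot: the new `bool external_auth;` field has no comment and is placed between `pre_connect` and `scheduled_exit_interval`, neither of which it relates to. Consider placing it next to `auth_user_pass_file`, which it is checked together with in `options_postprocess_verify_ce`, and adding a one-line comment stating that it only relaxes the client-side auth-method check (and does nothing on the server).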