From ea545a0e8c25858f4cd165f5981ea74b654d9e92 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan-Otto=20Kr=C3=B6pke?=
Date: Sat, 16 Mar 2024 14:56:31 +0100
Subject: [PATCH 1/2] [PATCH] Introduce `external-auth` flag to make client-side authentication methods optional
---
doc/man-sections/client-options.rst | 17 +++++++++++++++++
src/openvpn/options.c | 12 +++++++++---
src/openvpn/options.h | 1 +
3 files changed, 27 insertions(+), 3 deletions(-)
diff --git a/doc/man-sections/client-options.rst b/doc/man-sections/client-options.rst
index b75fe5bdbad..2a337d33efe 100644
--- a/doc/man-sections/client-options.rst
+++ b/doc/man-sections/client-options.rst
@@ -87,6 +87,23 @@ configuration. The server configuration must specify an ``--auth-user-pass-verify`` script to verify the username/password provided by the client. +--external-auth This client-only option indicates that user authentication options in the + client configuration are not mandatory. For security reasons, OpenVPN + requires client-side credentials such as client certificates or a + username/password combination. The OpenVPN server has the capability to + delegate authentication to external systems using the WEBAUTH protocol. + In such cases, client credentials may be omitted. + + ***Security Considerations*** + + When the ``--external-auth`` option is enabled in OpenVPN, it bypasses the + check that some form of user authentication method is specified. This + configuration can potentially create a risky environment where an OpenVPN + server operates without requiring authentication. If you opt to utilize + ``--external-auth``, it's crucial to thoroughly validate that the OpenVPN + server has been adequately secured. + --auth-retry type Controls how OpenVPN responds to username/password verification errors such as the client-side response to an :code:`AUTH_FAILED` message from
diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index 94a88f949d6..90f38b0b85d 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -499,6 +499,7 @@ static const char usage_message[] =
 " and a password on the second. If either the password or both\n"
 " the username and the password are omitted OpenVPN will prompt\n"
 " for them from console.\n"
+ "--external-auth : If set, client-side credentials are optional.\n"
 "--pull : Accept certain config file options from the peer as if they\n"
 " were part of the local config file. Must be specified\n"
 " when connecting to a '--mode server' remote host.\n"
@@ -3004,12 +3005,12 @@ options_postprocess_verify_ce(const struct options *options,
 if (sum == 0)
 {
- if (!options->auth_user_pass_file)
+ if (!options->auth_user_pass_file && !options->external_auth)
 {
 msg(M_USAGE, "No client-side authentication method is "
 "specified. You must use either "
- "--cert/--key, --pkcs12, or "
- "--auth-user-pass");
+ "--cert/--key, --pkcs12, "
+ "--auth-user-pass, or --external-auth");
 }
 }
 else if (sum != 2)
@@ -7917,6 +7918,11 @@ add_option(struct options *options,
 options->auth_user_pass_file = "stdin";
 }
 }
+ else if (streq(p[0], "external-auth") && !p[1])
+ {
+ VERIFY_PERMISSION(OPT_P_GENERAL);
+ options->external_auth = true;
+ }
 else if (streq(p[0], "auth-retry") && p[1] && !p[2])
 {
 VERIFY_PERMISSION(OPT_P_GENERAL);
diff --git a/src/openvpn/options.h b/src/openvpn/options.h
index 2b37d1fc449..515462aafb6 100644
--- a/src/openvpn/options.h
+++ b/src/openvpn/options.h
@@ -542,6 +542,7 @@ struct options
 const char *auth_user_pass_file;
 bool auth_user_pass_file_inline;
 struct options_pre_connect *pre_connect;
+ bool external_auth;
 int scheduled_exit_interval;
From 2618ce5ed616482d1612d613744001ed7366a412 Mon Sep 17 00:00:00 2001
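Review bot: The new usage line says only that credentials are optional, while the manual entry added in the same series says the option is client-only and that it disables a security check; `--help` readers should get the same picture. Suggested text: `"--external-auth : Client only. Do not require a client-side credential (cert/key, pkcs12 or auth-user-pass); the server is expected to authenticate the client externally.\n"`. usage_message starts and ends outside the hunk.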
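Review bot: The added `&& !options->external_auth` makes the bypass silent: when the flag is set and neither `--cert`/`--key`, `--pkcs12` nor `--auth-user-pass` is configured, the client starts with no credential of its own and nothing is logged, so a configuration that lost its credentials by mistake is indistinguishable from the intended delegated-authentication case. Keep the outer `if (!options->auth_user_pass_file)` and branch on the flag inside it, emitting a `msg(M_WARN, ...)` where the usage error is now skipped, so the condition is visible in the client log. This check also does not itself establish which mode it runs in; the manual text in the series calls the option client-only, and the enclosing options_postprocess_verify_ce starts and ends outside the hunk, so whether it is already inside a client-only branch has to be confirmed there.
```c
            if (sum == 0)
            {
                if (!options->auth_user_pass_file)
                {
                    if (options->external_auth)
                    {
                        /* deliberate: no local credential; the server is
                         * expected to authenticate this client externally */
                        msg(M_WARN, "WARNING: --external-auth is set and no "
                            "client-side authentication method is configured; "
                            "this session relies entirely on the server to "
                            "authenticate the client");
                    }
                    else
                    {
                        msg(M_USAGE, "No client-side authentication method is "
                            "specified. You must use either "
                            "--cert/--key, --pkcs12, "
                            "--auth-user-pass, or --external-auth");
                    }
                }
            }
            /* … unchanged: else if (sum != 2) … */
```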
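Review bot: `VERIFY_PERMISSION(OPT_P_GENERAL)` accepts `--external-auth` in any configuration, and nothing in this series rejects it outside client mode, even though the manual entry calls it a client-only option; a server config carrying the flag parses cleanly and silently does nothing, which hides an operator's misunderstanding of what the flag does. A check in the post-processing step such as `if (options->external_auth && !options->client) { msg(M_USAGE, "--external-auth requires --client"); }` would make that explicit (which field identifies client mode here should be confirmed against the rest of options.c). Using the general permission set rather than a pull-mode one does appear to be the right choice, since this flag must never be settable by the peer. add_option starts and ends outside the hunk.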
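Review bot: The new `bool external_auth;` field carries no comment, which a reader of struct options would want for a flag whose only effect is to disable a configuration safety check. Add on the same line `/* --external-auth: do not require a client-side credential (cert/key, pkcs12 or auth-user-pass); the server is expected to authenticate this client externally */`. struct options starts and ends outside the hunk.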
From: =?UTF-8?q?Jan-Otto=20Kr=C3=B6pke?=
Date: Sun, 24 Mar 2024 18:52:26 +0100
Subject: [PATCH 2/2] [PATCH] Introduce `no-client-credential` flag to make client-side authentication methods optional
---
doc/man-sections/client-options.rst | 6 +++---
src/openvpn/options.c | 10 +++++-----
src/openvpn/options.h | 2 +-
3 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/doc/man-sections/client-options.rst b/doc/man-sections/client-options.rst
index 2a337d33efe..448ea98f1d2 100644
--- a/doc/man-sections/client-options.rst
+++ b/doc/man-sections/client-options.rst
@@ -87,7 +87,7 @@ configuration. The server configuration must specify an ``--auth-user-pass-verify`` script to verify the username/password provided by the client. ---external-auth +--no-client-credential This client-only option indicates that user authentication options in the client configuration are not mandatory. For security reasons, OpenVPN requires client-side credentials such as client certificates or a
@@ -97,11 +97,11 @@ configuration. ***Security Considerations*** - When the ``--external-auth`` option is enabled in OpenVPN, it bypasses the + When the ``--no-client-credential`` option is enabled in OpenVPN, it bypasses the check that some form of user authentication method is specified. This configuration can potentially create a risky environment where an OpenVPN server operates without requiring authentication. If you opt to utilize - ``--external-auth``, it's crucial to thoroughly validate that the OpenVPN + ``--no-client-credential``, it's crucial to thoroughly validate that the OpenVPN server has been adequately secured. --auth-retry type
diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index 90f38b0b85d..e0ed0db98c6 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -499,7 +499,7 @@ static const char usage_message[] =
 " and a password on the second. If either the password or both\n"
 " the username and the password are omitted OpenVPN will prompt\n"
 " for them from console.\n"
- "--external-auth : If set, client-side credentials are optional.\n"
+ "--no-client-credential : If set, client-side credentials are optional.\n"
 "--pull : Accept certain config file options from the peer as if they\n"
 " were part of the local config file. Must be specified\n"
 " when connecting to a '--mode server' remote host.\n"
@@ -3005,12 +3005,12 @@ options_postprocess_verify_ce(const struct options *options,
 if (sum == 0)
 {
- if (!options->auth_user_pass_file && !options->external_auth)
+ if (!options->auth_user_pass_file && !options->no_client_credential)
 {
 msg(M_USAGE, "No client-side authentication method is "
 "specified. You must use either "
 "--cert/--key, --pkcs12, "
- "--auth-user-pass, or --external-auth");
+ "--auth-user-pass, or --no-client-credential");
 }
 }
 else if (sum != 2)
@@ -7918,10 +7918,10 @@ add_option(struct options *options,
 options->auth_user_pass_file = "stdin";
 }
 }
- else if (streq(p[0], "external-auth") && !p[1])
+ else if (streq(p[0], "no-client-credential") && !p[1])
 {
 VERIFY_PERMISSION(OPT_P_GENERAL);
- options->external_auth = true;
+ options->no_client_credential = true;
 }
 else if (streq(p[0], "auth-retry") && p[1] && !p[2])
 {
diff --git a/src/openvpn/options.h b/src/openvpn/options.h
index 515462aafb6..45f085b27b0 100644
--- a/src/openvpn/options.h
+++ b/src/openvpn/options.h
@@ -542,7 +542,7 @@ struct options
 const char *auth_user_pass_file;
 bool auth_user_pass_file_inline;
 struct options_pre_connect *pre_connect;
- bool external_auth;
+ bool no_client_credential;
 int scheduled_exit_interval;