Skip to content

Commit

Permalink
[PATCH] Introduce external-auth flag to make client-side authentica…
Browse files Browse the repository at this point in the history
…tion methods optional
  • Loading branch information
jkroepke committed Mar 16, 2024
1 parent 91eb460 commit 4c70e70
Show file tree
Hide file tree
Showing 3 changed files with 24 additions and 3 deletions.
14 changes: 14 additions & 0 deletions doc/man-sections/client-options.rst
Original file line number Diff line number Diff line change
Expand Up @@ -87,6 +87,20 @@ configuration.
The server configuration must specify an ``--auth-user-pass-verify``
script to verify the username/password provided by the client.

--external-auth
For security reasons, OpenVPN requires client-side credentials such as
client certificates or a username/password combination. The OpenVPN server
has the capability to delegate authentication to external systems using the
WEBAUTH protocol. In such cases, client credentials may be omitted.

***Security Considerations***

When the ``--external-auth`` option is enabled in OpenVPN, it bypasses the
standard authentication checks. This configuration can potentially create a
risky environment where an OpenVPN server operates without requiring
authentication. If you opt to utilize ``--external-auth``, it's crucial to
thoroughly validate that the OpenVPN server has been adequately secured.

--auth-retry type
Controls how OpenVPN responds to username/password verification errors
such as the client-side response to an :code:`AUTH_FAILED` message from
Expand Down
12 changes: 9 additions & 3 deletions src/openvpn/options.c
Original file line number Diff line number Diff line change
Expand Up @@ -499,6 +499,7 @@ static const char usage_message[] =
" and a password on the second. If either the password or both\n"
" the username and the password are omitted OpenVPN will prompt\n"
" for them from console.\n"
"--external-auth : If set, client-side credentials may be provided optionally.\n"
"--pull : Accept certain config file options from the peer as if they\n"
" were part of the local config file. Must be specified\n"
" when connecting to a '--mode server' remote host.\n"
Expand Down Expand Up @@ -3004,12 +3005,12 @@ options_postprocess_verify_ce(const struct options *options,

if (sum == 0)
{
if (!options->auth_user_pass_file)
if (!options->auth_user_pass_file && !options->external_auth)
{
msg(M_USAGE, "No client-side authentication method is "
"specified. You must use either "
"--cert/--key, --pkcs12, or "
"--auth-user-pass");
"--cert/--key, --pkcs12, "
"--auth-user-pass, or --external-auth");
}
}
else if (sum != 2)
Expand Down Expand Up @@ -7917,6 +7918,11 @@ add_option(struct options *options,
options->auth_user_pass_file = "stdin";
}
}
else if (streq(p[0], "external-auth") && !p[1])
{
VERIFY_PERMISSION(OPT_P_GENERAL);
options->external_auth = true;
}
else if (streq(p[0], "auth-retry") && p[1] && !p[2])
{
VERIFY_PERMISSION(OPT_P_GENERAL);
Expand Down
1 change: 1 addition & 0 deletions src/openvpn/options.h
Original file line number Diff line number Diff line change
Expand Up @@ -542,6 +542,7 @@ struct options
const char *auth_user_pass_file;
bool auth_user_pass_file_inline;
struct options_pre_connect *pre_connect;
bool external_auth;

int scheduled_exit_interval;

Expand Down

0 comments on commit 4c70e70

Please sign in to comment.