Be more explicit that --auth-gen-token is to be considered a workaround
for authentication scripts/plug-ins not supporting --auth-token.

Also be more explicit that invalidated --auth-token values will result
in the client disconnecting.

Signed-off-by: David Sommerseth <dav...@openvpn.net>
---
 doc/openvpn.8 | 32 ++++++++++++++++++++++++++++----
 1 file changed, 28 insertions(+), 4 deletions(-)

diff --git a/doc/openvpn.8 b/doc/openvpn.8
index 4114f408..b6de2c9c 100644
--- a/doc/openvpn.8
+++ b/doc/openvpn.8
@@ -3671,10 +3671,25 @@ argument defines how long the generated token is valid. 
 The
 lifetime is defined in seconds.  If lifetime is not set
 or it is set to 0, the token will never expire.
 
-This feature is useful for environments which is configured
-to use One Time Passwords (OTP) as part of the user/password
-authentications and that authentication mechanism does not
-implement any auth\-token support.
+.B PLEASE NOTE:
+The
+.B \-\-auth\-gen\-token
+feature is to be considered a workaround for authentication
+scripts or plug\-ins not providing proper
+.B auth\-token
+support.  The
+.B auth\-token
+feature is most commonly needed when deploying two factor
+authentications, such as One Time Password (OTP) based
+authentication.  Proper authentication scripts/plug\-ins should
+implement support for generating, sending and verifying
+.B auth\-token
+values sent to successfully authenticated clients, and particularly
+when OTP authentication is required.
+
+See also
+.B \-\-auth\-token
+for more details.
 .\"*********************************************************
 .TP
 .B \-\-opt\-verify
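Review bot: Grammar in the added paragraph: "two factor authentications, such as One Time Password (OTP) based authentication" should read "two-factor authentication, such as One Time Password (OTP) based authentication", and the closing clause "and particularly when OTP authentication is required" hangs awkwardly after the list of verbs; consider "values for successfully authenticated clients; this is especially important when OTP authentication is used." It would also help readers to keep the option name consistent: the paragraph refers to ".B auth\-token" three times but the option itself is ".B \-\-auth\-token" (as in the "See also" line), so either spell out the option name or make clear that "auth-token" here means the token value rather than the option.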
@@ -5291,6 +5306,15 @@ OPENVPN_PLUGIN_CLIENT_CONNECT_V2 calls.  This option 
provides
 a possibility to replace the clients password with an authentication
 token during the lifetime of the OpenVPN client.
 
+.B BEWARE:
+Clients which has received an
+.B auth\-token
+will be using this value as the password on each renegotiation and
+reconnection to the server until it stops running.  If the server
+has invalidated the
+.B auth\-token
+since the last authentication, the client will be disconnected.
+
 Whenever the connection is renegotiated and the
 .B \-\-auth\-user\-pass\-verify
 script or
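Review bot: Subject/verb agreement and an ambiguous pronoun in the BEWARE paragraph: "Clients which has received an" should be "Clients which have received an", "will be using this value" reads better as "will use this value", and "until it stops running" does not say whether "it" is the client or the server; "until the client process exits" would be unambiguous. Since the point of the note is that an invalidated token leads to a disconnect, it would also help to state what the client can do next (for example, that it must be restarted or re-supplied with the original credentials), otherwise the reader is left with the failure mode but no recovery path.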
-- 
2.16.2

