Hi all,

On 11/10/2018 00:30, Arne Schwabe wrote:
> Auth-tokens can expire. For by reconnecting when the server uses
> auth-gen-toke.
> 

The sentence above should be adjusted a bit before the patch is merged.

> Behaviour of OpenVPN client is to never fallback to the previous
> authentication method and continue using the auth-token. Depending on
> auth-retry it either quit or tried endlessly with an expired
> token. Since auth-gen-token tokens expire on reconnect, a client will
> not survive a reconnect.
> 
> This patch changes the behaviour on failed auth when using an
> auth-token as a soft error (USR1) and cleans the auth-token, falling
> back to the original auth method.
> 
> Patch V2: properly formatted commit message, fix openvpn3 detection
> 
> Patch V3: remove all server changes, include only minimal non
> intrusive client changes that only improve error recovery but don't
> change overall behaviour.
> 
> Patch V4: forgot to add push.c to git index, now also included
> 
> Signed-off-by: Arne Schwabe <a...@rfc2549.org>

The patch does what it says and it nicely separates where the "password"
and the "token" are stored.
This has the advantage of making the code slightly easier to follow.

I performed a simple test with a server and a client configured for
using auth-gen-token:
- client connected to the server
- authentication with user/pass is successful and I see the token being
pushed
- server is restarted
- client waits its ping timeout and then softly restarts
- client fails with AUTH_FAILED:

Fri Dec  7 17:03:08 2018 us=203818 AUTH: Received control message: AUTH_FAILED
Fri Dec  7 17:03:08 2018 us=204210 TCP/UDP: Closing socket
Fri Dec  7 17:03:08 2018 us=204322 SIGUSR1[soft,auth-failure (auth-token)] received, process restarting
Fri Dec  7 17:03:08 2018 us=204391 Restart pause, 5 second(s)

- client softly reconnects
- authentication is successful with user/pass again and a new token is
pushed.

Acked-by: Antonio Quartulli <anto...@openvpn.net>


-- 
Antonio Quartulli
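
The recovery behaviour discussed in this message, as an added example that is not part of the original mail and is not OpenVPN source code. It is a simplified model of a client that stores password and token separately and, when patched, wipes the token and restarts softly on AUTH_FAILED; all type, function and credential names are hypothetical, and the toy server stands in for one that was restarted and no longer knows the old token.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Simplified model, not OpenVPN source: every name here is hypothetical. */
enum action { ACT_EXIT, ACT_RETRY_SAME, ACT_SOFT_RESTART };
enum auth_retry { RETRY_NONE, RETRY_NOINTERACT };

struct creds {
    char password[64]; /* original credential, kept across soft restarts */
    char token[64];    /* pushed by the server; empty string means none */
};

/* The secret the client sends: a stored token always wins. */
static const char *secret_to_send(const struct creds *c)
{
    return c->token[0] ? c->token : c->password;
}

/* Reaction to AUTH_FAILED; patched=false models the old behaviour. */
static enum action on_auth_failed(struct creds *c, enum auth_retry ar, bool patched)
{
    if (patched && c->token[0]) {
        /* Failed while using a token: wipe it and restart softly (USR1),
         * so the next attempt falls back to the original credentials. */
        memset(c->token, 0, sizeof(c->token));
        return ACT_SOFT_RESTART;
    }
    return ar == RETRY_NONE ? ACT_EXIT : ACT_RETRY_SAME;
}

/* Toy restarted server: knows the password, has forgotten old tokens. */
static bool server_accepts(const char *secret)
{
    return strcmp(secret, "constructed-password") == 0;
}

/* Attempts needed to reconnect, or -1 if the client quits or never succeeds. */
static int reconnect(struct creds *c, enum auth_retry ar, bool patched, int max)
{
    for (int n = 1; n <= max; n++) {
        if (server_accepts(secret_to_send(c)))
            return n;
        if (on_auth_failed(c, ar, patched) == ACT_EXIT)
            return -1;
    }
    return -1;
}

int main(void)
{
    struct creds c = { "constructed-password", "expired-token" };
    printf("patched: %d attempt(s)\n", reconnect(&c, RETRY_NONE, true, 5));
    return 0;
}
```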


_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel