On 22/01/2019 16:03, Arne Schwabe wrote: > From: Arne Schwabe <a...@openvpn.net> > > This allows an external authentication method > (e.g. management interface) to track the connection and distinguish a > reconnection from multiple connections. > > Addtionally this now also checks to workaround a problem with > OpenVPN 3 core that sometimes uses a username hint from the config > instead of using an empty username if the token would be valid > with an empty username. Accepting such token can only be explicitly > done if the auth keyword to auth-gen-token is present. Meh .... I'm not sure about this feature at all. I understand the use case for it, but I don't see the full benefit of it. Why? Because if you still want to do partially authentication based on and existing auth-token, why can't you implement the full auth-token pushing in the auth-backend?
And with the trap that incorrectly implementing the "auth" mode, where it would actually by default accept invalid tokens is a no-go from a security perspective. The background for --auth-gen-token was primarily to make life easier for users using auth-backends NOT supporting auth-tokens and who had issues with tunnel renegotiations. Extending --auth-gen-token with a secret so it can handle server-side restarts without breaking already authenticated clients is a nice feature. Even the possibility to share this secret among multiple servers providing connection migrations without authentication breakage are all good features. But pushing this towards a new level where token expiry/validity checks is still pushed towards an external authentication module I find stretching this feature a bit too much. And in particular if the auth backend is not tackling invalidated tokens correctly results in authentication success. In this case, why can't the auth backend do everything? -- kind regards, David Sommerseth OpenVPN Inc _______________________________________________ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
