Hi

On Mon, Jul 4, 2022 at 5:50 AM Arne Schwabe <a...@rfc2549.org> wrote:

> On 04.07.22 at 04:58, selva.n...@gmail.com wrote:
> > From: Selva Nair <selva.n...@gmail.com>
> >
> > When auth-token verify succeeds during a reauth, other auth
> > methods (plugin, script, management) are skipped unless
> > external-auth is in effect (skip_auth gets set to true).
> >
> > However, in this case, the status of management-def-auth
> > (ks->mda_satus) stays at its default value of ACF_PENDING
>
> ks->mda_status
>
> > and will never change. This causes TLS keys to go out of sync
> > and an eventual client disconnect.
> >
> > Further, a message saying username/password authentication is
> > "deferred" gets logged which is misleading.
> > For example:
> >
> > test/127.0.0.1:35874 TLS: Username/auth-token authentication
> > succeeded for username 'test'
> >
> > followed by
> >
> > test/127.0.0.1:35874 TLS: Username/Password authentication
> > deferred for username 'test' [CN SET]
> >
> > Fix by setting ks->mda_status to ACF_DISABLED, and do not
> > set ks->authenticated = KS_AUTH_DEFERRED when skip_auth is true.
> >
> > Also log a warning message when token is marked as expired on
> > missing the reneg window.
> >
> > Reported by: Connor Edwards <connor.edwa...@b2c2.com>
>
> Acked-By: Arne Schwabe <a...@rfc2549.org>
>
> Note that you need to have management enabled for this bug to trigger. If
> you go through all the effort to talk to management like this, you
> probably want to use external-auth anyway.

I agree. This kind of fiddling with flags like mda_status is not clean and easy to break again. I use management-def-auth but do not use auth-gen-token -- instead the management script keeps track of reauth, lifetime of 2FA etc. If I were to "modernize" that setup I would use auth-gen-token with external-auth as well.

That said, for 2.5, an easy fix like this is good enough?

Selva
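The bug described in the commit message above comes down to how a per-key-state management-def-auth result (ks->mda_status) is combined with the authentication verdict (ks->authenticated). The following is an added model written for this page, not OpenVPN's own code: it keeps the names from the thread (KS_AUTH_*, ACF_PENDING, ACF_DISABLED, skip_auth) but the reauth() and resolve() functions are a hypothetical simplification of verify_user_pass() and the status aggregation, written only to show why a successful auth-token reauth that leaves mda_status at ACF_PENDING, and marks the key state deferred, can never resolve, and why the fix (ACF_DISABLED plus not setting KS_AUTH_DEFERRED) does resolve. All scenarios below are constructed.

```c
/* Added example, not OpenVPN code: a simplified model of how the
 * management-def-auth status and the auth verdict of a key state combine.
 * The enum names follow the mailing-list thread; the control flow in
 * reauth()/resolve() is a hypothetical simplification, not the real code. */
#include <stdbool.h>
#include <stdio.h>

enum ks_auth { KS_AUTH_FALSE, KS_AUTH_DEFERRED, KS_AUTH_TRUE };
enum acf     { ACF_PENDING, ACF_SUCCEEDED, ACF_DISABLED, ACF_FAILED };

struct key_state {
    enum ks_auth authenticated;
    enum acf     mda_status;      /* management-def-auth result, ACF_PENDING by default */
};

struct scenario {
    bool buggy;                   /* true: behaviour before the fix */
    bool management_def_auth;     /* management-client-auth is enabled */
    bool external_auth;           /* auth-gen-token with external-auth */
    bool token_ok;                /* auth-token verified during reauth */
};

/* Model of the reauth path: with skip_auth the other methods are skipped. */
static void reauth(struct key_state *ks, const struct scenario *s)
{
    ks->authenticated = KS_AUTH_FALSE;
    ks->mda_status    = ACF_PENDING;          /* default for a fresh key state */

    bool skip_auth = s->token_ok && !s->external_auth;
    if (skip_auth) {
        ks->authenticated = KS_AUTH_TRUE;
        if (!s->buggy)
            ks->mda_status = ACF_DISABLED;    /* fix part 1: management will never answer */
    }
    /* fix part 2: do not mark the key state deferred when skip_auth is true */
    if (s->management_def_auth && (s->buggy || !skip_auth))
        ks->authenticated = KS_AUTH_DEFERRED; /* wait for a client-auth reply */
}

/* Model of status aggregation: a pending management answer holds the key state back. */
static enum ks_auth resolve(const struct key_state *ks)
{
    if (ks->authenticated == KS_AUTH_FALSE) return KS_AUTH_FALSE;
    if (ks->mda_status == ACF_PENDING)      return KS_AUTH_DEFERRED;
    if (ks->mda_status == ACF_FAILED)       return KS_AUTH_FALSE;
    return KS_AUTH_TRUE;                       /* ACF_SUCCEEDED or ACF_DISABLED */
}

/* Run one reauth and report the resolved verdict. */
enum ks_auth reauth_result(bool buggy, bool mgmt, bool external, bool token_ok)
{
    struct scenario s = { buggy, mgmt, external, token_ok };
    struct key_state ks;
    reauth(&ks, &s);
    return resolve(&ks);
}

/* Same, but the management interface then answers (client-auth / client-deny). */
enum ks_auth reauth_then_reply(bool buggy, bool mgmt, bool external, bool token_ok,
                               enum acf reply)
{
    struct scenario s = { buggy, mgmt, external, token_ok };
    struct key_state ks;
    reauth(&ks, &s);
    if (ks.authenticated == KS_AUTH_DEFERRED)  /* only a deferred state takes a reply */
        ks.mda_status = reply;
    return resolve(&ks);
}

int main(void)
{
    static const char *name[] = { "FALSE", "DEFERRED", "TRUE" };
    printf("buggy,  token ok, mgmt on : %s (stuck, no reply will ever come)\n",
           name[reauth_result(true, true, false, true)]);
    printf("fixed,  token ok, mgmt on : %s\n",
           name[reauth_result(false, true, false, true)]);
    printf("fixed,  token bad, mgmt on: %s then %s after client-auth\n",
           name[reauth_result(false, true, false, false)],
           name[reauth_then_reply(false, true, false, false, ACF_SUCCEEDED)]);
    return 0;
}
```

The stuck case is the first line of output: the key state is deferred, nothing is in flight to set mda_status, so resolve() never returns anything but KS_AUTH_DEFERRED, which matches the "deferred ... [CN SET]" log line and the eventual disconnect reported above. With external-auth the token verification does not set skip_auth, so management is still consulted and its reply resolves the state as usual.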
_______________________________________________ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel