On Wed, Oct 19, 2022 at 1:05 AM Arne Schwabe <a...@rfc2549.org> wrote:
> > > If we can conjure up usernames (like with empty --
> > > token-user) why not allow other username changes too?
> >
> > In general the current authentication system in OpenVPN is ill equipped to
> > handle them. On renegotiation we only do auth but no read in ccd or other
> > user specific data. So allowing a username change could in many
> > instances give the new user the permissions/IP etc of the old user. There
> > can be situations where this is okay and we can add options or auth results
> > that explicitly allow. In general a username change probably leads to
> > authorisation problems. For the auth-token-user the idea there is that you
> > get a username on the first auth assigned that you should use in the future
> > but no actual user change.

That makes a lot of sense. Even I have setups where what is pushed to the client depends on the username in addition to the commonname.

This has implications when we have interactively authenticated, but long running connections which multiple users may be able to use though it will appear to be associated with one user from the server's pov (so-called Persistent connections in Windows GUI). Same with PLAP. Requiring a new tunnel on user name change alleviates this a bit, but still there will be a duration until next reauth or token expiry when userA is using a tunnel started by userB.

Instead of wading into an OT discussion, I will raise this issue elsewhere / a new thread.

Selva
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel