On Thu, Aug 4, 2016 at 11:50 AM, Michael Hicks <michaelhick...@gmail.com>
wrote:
> I guess I’ll submit a documentation bug to alter the description in the
> docs for "username-as-common-name” to more clearly illustrate this. Maybe
> just changing "For --auth-user-pass-verify authentication...” to
> "After --auth-user-pass-verify authentication…” and a note about this
> affecting the client-(dis)connect and client-config-dir options.
>
Yes the documentation is poorly worded and could be improved. I think the
reference to auth-user-pass-verify itself is confusing as one could instead
use management-client-auth to authenticate users. A description that says
this option replaces the common-name by the "authenticated username"
without any reference to auth-user-pass-verify may be better. As you wrote,
clarifying that this affects ccd etc. is also useful.
> I modified the duo plugin source to use username instead of common_name
> and it works as I expect. I’ll also submit a pull request against the
> duo_openvpn plugin source to get that changed upstream and see where it
> goes.
>
More likely to get accepted if you make that configurable --- say adding an
optional arg to the plugin to indicate username should be taken from
getenv("username",..) instead of getenv("common-name",..) so that existing
use cases are not affected. That said, I think that plugin could be further
improved using the static challenge feature openvpn so that the usual
username/password auth can work along with Duo.
Selva
------------------------------------------------------------------------------
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
