Let me second the suggestion to make it configurable.  I don't know much
about duo, but ages ago I modified the PAM plugin to be able to do the
opposite: use the common name as the username for PAM.  The reason being,
that without something to tie usernames to common names, an attacker only
needs to know/steal/guess any valid username/password and any valid
certificate, which should be harder to do than knowing/stealing/guessing a
*particular* user's password.

-Joe

On Thu, Aug 4, 2016 at 12:46 PM Selva Nair <selva.n...@gmail.com> wrote:

> On Thu, Aug 4, 2016 at 11:50 AM, Michael Hicks <michaelhick...@gmail.com>
> wrote:
>
>> I guess I'll submit a documentation bug to alter the description in the
>> docs for "username-as-common-name" to more clearly illustrate this.  Maybe
>> just changing "For --auth-user-pass-verify authentication..." to
>> "After --auth-user-pass-verify authentication..." and a note about this
>> affecting the client-(dis)connect and client-config-dir options.
>>
>
> Yes the documentation is poorly worded and could be improved. I think the
> reference to auth-user-pass-verify itself is confusing as one could instead
> use management-client-auth to authenticate users. A description that says
> this option replaces the common-name by the "authenticated username"
> without any reference to auth-user-pass-verify may be better. As you wrote,
> clarifying that this affects ccd etc. is also useful.
>
>
>> I modified the duo plugin source to use username instead of common_name
>> and it works as I expect.  I’ll also submit a pull request against the
>> duo_openvpn plugin source to get that changed upstream and see where it
>> goes.
>>
>
> More likely to get accepted if you make that configurable --- say adding
> an optional arg to the plugin to indicate username should be taken from
> getenv("username",..) instead of getenv("common-name",..) so that existing
> use cases are not affected. That said, I think that plugin could be further
> improved using the static challenge feature of OpenVPN so that the usual
> username/password auth can work along with Duo.
>
> Selva
>
------------------------------------------------------------------------------
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
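The two points raised in the thread, Selva's "make the source of the identity a plugin argument" and Joe's "tie the PAM username to the certificate common name", can be shown in one small piece of C. This is an added example, not code from the thread, from duo_openvpn or from the OpenVPN auth-pam plugin; it only mirrors the OpenVPN plugin convention of receiving the session as a NULL-terminated envp[] array of "KEY=value" strings (the real variables are username, password and common_name) plus the plugin's own argv[]. The flag name username-from-env and the function names are this example's own assumptions.

```c
/* Added example, not from the thread or any OpenVPN plugin.
 * Assumes the OpenVPN plugin convention: envp[] holds "KEY=value" strings
 * such as "username=...", "password=..." and "common_name=...", and argv[]
 * holds the arguments given on the plugin line in the server config. */
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Look up NAME in an envp-style NULL-terminated "KEY=value" array.
 * Matches the full key only ("common_name" does not match "common_name_x"). */
static const char *get_env(const char *name, const char *envp[])
{
    size_t n = strlen(name);
    for (int i = 0; envp && envp[i]; i++) {
        if (strncmp(envp[i], name, n) == 0 && envp[i][n] == '=')
            return envp[i] + n + 1;
    }
    return NULL;
}

/* Hypothetical plugin argument (assumed name "username-from-env") selecting
 * whether the identity comes from the password prompt or the certificate.
 * Defaulting to common_name keeps existing deployments unchanged. */
static bool opt_username_from_env(const char *argv[])
{
    for (int i = 0; argv && argv[i]; i++)
        if (strcmp(argv[i], "username-from-env") == 0) return true;
    return false;
}

/* Identity the second factor should be checked against: "username" when the
 * flag is set, otherwise "common_name". Returns NULL if the chosen variable
 * is missing, which a caller must treat as an authentication failure. */
const char *select_auth_identity(const char *argv[], const char *envp[])
{
    const char *key = opt_username_from_env(argv) ? "username" : "common_name";
    return get_env(key, envp);
}

/* Joe's binding check: the password identity must equal the certificate
 * identity, so a valid certificate paired with some other user's valid
 * password is rejected. True only when both are present and identical. */
bool identity_bound(const char *envp[])
{
    const char *u = get_env("username", envp);
    const char *cn = get_env("common_name", envp);
    return u && cn && strcmp(u, cn) == 0;
}

int main(void)
{
    /* Constructed session: certificate says alice, password was given for bob. */
    const char *envp[] = {"username=bob", "password=secret",
                          "common_name=alice", NULL};
    const char *argv[] = {"username-from-env", NULL};
    const char *id = select_auth_identity(argv, envp);

    printf("identity used for the second factor: %s\n", id ? id : "(none)");
    printf("username bound to common_name: %s\n",
           identity_bound(envp) ? "yes" : "no, reject");
    return 0;
}
```

With the flag present the plugin would check the second factor for "bob"; without it, for "alice". Either way, identity_bound() fails for that session, which is the property Joe's PAM modification enforces: knowing any valid password plus holding any valid certificate is not enough, the two must name the same user.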