Let me second the suggestion to make it configurable. I don't know much about Duo, but ages ago I modified the PAM plugin to be able to do the opposite: use the common name as the username for PAM. The reason being that without something to tie usernames to common names, an attacker only needs to know/steal/guess any valid username/password and any valid certificate, which should be harder to do than knowing/stealing/guessing a *particular* user's password.
-Joe

On Thu, Aug 4, 2016 at 12:46 PM Selva Nair <selva.n...@gmail.com> wrote:
> On Thu, Aug 4, 2016 at 11:50 AM, Michael Hicks <michaelhick...@gmail.com> wrote:
>
>> I guess I'll submit a documentation bug to alter the description in the
>> docs for "username-as-common-name" to more clearly illustrate this. Maybe
>> just changing "For --auth-user-pass-verify authentication..." to
>> "After --auth-user-pass-verify authentication..." and a note about this
>> affecting the client-(dis)connect and client-config-dir options.
>
> Yes, the documentation is poorly worded and could be improved. I think the
> reference to auth-user-pass-verify itself is confusing as one could instead
> use management-client-auth to authenticate users. A description that says
> this option replaces the common-name by the "authenticated username"
> without any reference to auth-user-pass-verify may be better. As you wrote,
> clarifying that this affects ccd etc. is also useful.
>
>> I modified the duo plugin source to use username instead of common_name
>> and it works as I expect. I'll also submit a pull request against the
>> duo_openvpn plugin source to get that changed upstream and see where it
>> goes.
>
> More likely to get accepted if you make that configurable --- say adding
> an optional arg to the plugin to indicate username should be taken from
> getenv("username",..) instead of getenv("common-name",..) so that existing
> use cases are not affected. That said, I think that plugin could be further
> improved using the static challenge feature of openvpn so that the usual
> username/password auth can work along with Duo.
>
> Selva
------------------------------------------------------------------------------
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
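An added example, not code from this thread or from the duo_openvpn project: a small C helper in the shape of an OpenVPN plugin's environment lookup that makes the identity source configurable, as Selva suggests, and optionally enforces the username-to-common-name tie Joe describes. The `auth_cfg` struct, `select_identity`, and the sample environment arrays are assumptions constructed for the example; `username` and `common_name` are the variable names OpenVPN actually exports.

```c
/* Added example, not from the thread or the duo_openvpn project: a
 * configurable identity source for an OpenVPN auth plugin, with an
 * optional check that the auth-user-pass username equals the cert CN. */
#include <stdio.h>
#include <string.h>

/* Look up NAME in a NULL-terminated "name=value" array, the form in which
 * OpenVPN hands its environment to plugins. Returns NULL when absent. */
static const char *get_env(const char *name, const char *envp[])
{
    size_t len = strlen(name);
    for (int i = 0; envp != NULL && envp[i] != NULL; i++) {
        if (strncmp(envp[i], name, len) == 0 && envp[i][len] == '=')
            return envp[i] + len + 1;
    }
    return NULL;
}

enum id_source { ID_FROM_COMMON_NAME, ID_FROM_USERNAME };

/* Hypothetical plugin configuration: where the second-factor identity
 * comes from, and whether username and common name must agree. */
struct auth_cfg {
    enum id_source src;
    int require_match;
};

/* Returns the identity to hand to the second factor, or NULL to reject.
 * With require_match set, a valid password for one account cannot be
 * paired with a valid certificate issued to a different account. */
const char *select_identity(const struct auth_cfg *cfg, const char *envp[])
{
    const char *cn = get_env("common_name", envp);
    const char *user = get_env("username", envp);
    const char *id = (cfg->src == ID_FROM_USERNAME) ? user : cn;

    if (id == NULL || *id == '\0')
        return NULL;                /* configured source missing: reject */
    if (cfg->require_match &&
        (cn == NULL || user == NULL || strcmp(cn, user) != 0)) {
        fprintf(stderr, "auth: username '%s' does not match common name '%s'\n",
                user ? user : "(none)", cn ? cn : "(none)");
        return NULL;
    }
    return id;
}
```

A plugin would fill `auth_cfg` from its argv at open time and call `select_identity` from the auth-user-pass-verify hook before contacting the second factor.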