Agreed, and there are probably other reasons it is set to common_name, such as using the Duo plugin for MFA when you are not using user/password as an authentication mechanism and need to use common_name as the username with Duo.
> On Aug 4, 2016, at 10:31 AM, Joe Patterson <j.m.patter...@gmail.com> wrote:
>
> Let me second the suggestion to make it configurable. I don't know much about duo, but ages ago I modified the PAM plugin to be able to do the opposite: use the common name as the username for PAM. The reason being that without something to tie usernames to common names, an attacker only needs to know/steal/guess any valid username/password and any valid certificate, which should be harder to do than knowing/stealing/guessing a *particular* user's password.
>
> -Joe
>
> On Thu, Aug 4, 2016 at 12:46 PM Selva Nair <selva.n...@gmail.com> wrote:
>
> On Thu, Aug 4, 2016 at 11:50 AM, Michael Hicks <michaelhick...@gmail.com> wrote:
>
> I guess I'll submit a documentation bug to alter the description in the docs for "username-as-common-name" to more clearly illustrate this. Maybe just changing "For --auth-user-pass-verify authentication..." to "After --auth-user-pass-verify authentication..." and a note about this affecting the client-(dis)connect and client-config-dir options.
>
> Yes, the documentation is poorly worded and could be improved. I think the reference to auth-user-pass-verify itself is confusing, as one could instead use management-client-auth to authenticate users. A description that says this option replaces the common-name by the "authenticated username" without any reference to auth-user-pass-verify may be better. As you wrote, clarifying that this affects ccd etc. is also useful.
>
> I modified the duo plugin source to use username instead of common_name and it works as I expect. I'll also submit a pull request against the duo_openvpn plugin source to get that changed upstream and see where it goes.
>
> More likely to get accepted if you make that configurable --- say, adding an optional arg to the plugin to indicate username should be taken from getenv("username",..) instead of getenv("common-name",..) so that existing use cases are not affected. That said, I think that plugin could be further improved using the static challenge feature of openvpn so that the usual username/password auth can work along with Duo.
>
> Selva
------------------------------------------------------------------------------
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
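As an added example (not code from the duo_openvpn plugin, OpenVPN, or anyone in this thread), here is a C sketch of the identity-selection step Selva suggests: an optional plugin argument switches the identity sent to the MFA backend from common_name to the username variable, and a second optional argument implements Joe's point about tying usernames to common names by refusing the login when the two differ. The option words "username" and "bind", the get_env helper, the struct names, and the sample environments are all assumptions made for illustration. The only things taken from OpenVPN itself are the plugin calling convention (argv from the server's plugin line, envp as NULL-terminated "name=value" strings) and the variable names username and common_name, which is how OpenVPN exports the certificate CN (the hyphenated spelling in the quoted mail is a typo).

```c
#include <stdio.h>
#include <string.h>

/* Where the identity handed to the MFA backend comes from. */
enum id_source { ID_COMMON_NAME, ID_USERNAME };

/* Hypothetical plugin policy, set from the plugin's argv in the server
 * config line:  plugin /path/duo_openvpn.so [username] [bind] */
struct id_policy {
    enum id_source src;   /* default: common_name, as the plugin does today */
    int bind;             /* 1: reject unless username == common_name */
};

/* OpenVPN passes plugins a NULL-terminated array of "name=value" strings.
 * Return the value for `name`, or NULL if it is not present.  The '='
 * check stops "username" from matching a longer variable name.  Local
 * helper written for this example, not the plugin's own code. */
static const char *get_env(const char *name, const char *envp[])
{
    size_t n = strlen(name);
    for (int i = 0; envp && envp[i]; i++) {
        if (strncmp(envp[i], name, n) == 0 && envp[i][n] == '=')
            return envp[i] + n + 1;
    }
    return NULL;
}

/* argv[0] is the plugin path; the remaining (assumed) option words are
 * "username" and "bind".  Unknown words are ignored here for brevity. */
static struct id_policy parse_policy(const char *argv[])
{
    struct id_policy p = { ID_COMMON_NAME, 0 };
    for (int i = 1; argv && argv[i]; i++) {
        if (strcmp(argv[i], "username") == 0)
            p.src = ID_USERNAME;
        else if (strcmp(argv[i], "bind") == 0)
            p.bind = 1;
    }
    return p;
}

/* Pick the identity to send to the MFA backend, or NULL to reject.
 *  - default:    common_name, so cert-only deployments (no username
 *                variable at all) keep working unchanged
 *  - "username": the authenticated username; falls back to common_name
 *                only when no username was supplied
 *  - "bind":     both must be present and identical, which is the
 *                "tie usernames to common names" check from the thread */
static const char *select_identity(struct id_policy p, const char *envp[])
{
    const char *cn   = get_env("common_name", envp);
    const char *user = get_env("username", envp);
    if (user && *user == '\0')
        user = NULL;                     /* empty string counts as absent */

    if (p.bind) {
        if (!cn || !user || strcmp(cn, user) != 0)
            return NULL;
        return cn;
    }
    if (p.src == ID_USERNAME && user)
        return user;
    return cn;
}

int main(void)
{
    /* Constructed sample environments, not captured from a real server. */
    const char *cert_and_pass[] = { "common_name=alice", "username=bob",
                                    "untrusted_ip=192.0.2.10", NULL };
    const char *cert_only[]     = { "common_name=carol", NULL };
    const char *argv_default[]  = { "duo_openvpn.so", NULL };
    const char *argv_user[]     = { "duo_openvpn.so", "username", NULL };
    const char *argv_bind[]     = { "duo_openvpn.so", "bind", NULL };
    const char *id;

    id = select_identity(parse_policy(argv_default), cert_and_pass);
    printf("default : %s\n", id ? id : "(reject)");          /* alice  */
    id = select_identity(parse_policy(argv_user), cert_and_pass);
    printf("username: %s\n", id ? id : "(reject)");          /* bob    */
    id = select_identity(parse_policy(argv_bind), cert_and_pass);
    printf("bind    : %s\n", id ? id : "(reject)");          /* reject */
    id = select_identity(parse_policy(argv_user), cert_only);
    printf("username, cert-only: %s\n", id ? id : "(reject)"); /* carol */
    return 0;
}
```

Two caveats for anyone adapting this. First, the fallback in "username" mode only matters when the server does not require auth-user-pass; when it does, OpenVPN never calls the verify hook without a username, so decide deliberately whether a missing username should fall back to the certificate or be rejected. Second, as the quoted mails note, username-as-common-name rewrites common_name only after the auth-user-pass-verify step succeeds, so a plugin running at that hook still sees the certificate CN in common_name; the rewritten value is what client-connect and client-config-dir lookups see afterwards.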