Hi,

On Mon, May 04, 2020 at 02:49:56PM +0200, Dajka Tamás wrote:
> is it possible to disable "auth-nocache" in the client by a PUSH message? I
> mean, if the "auth-nocache" is SET in the client.conf to "reenable"
> credentials caching. What's the logic behind? When we deployed the clients
> we did set 'auth-nocache' as a security measure. However, we want to use
> auth-token now besides OTP, but changing all the clients will take some
> (unneeded) time.

To disagree with JJK once more, the current versions (2.4 and master)
will actually cache the auth-token even if auth-nocache is used.

There are some bugs lurking here which I've not had time to pinpoint
enough so Arne can fix them - so, "more testing" would certainly be
welcome.

What I've found:

 - if you restart the server, and "explicit-exit-notify" is enabled,
   this will twist a flag in the client, and it will keep on sending
   the *old* token, even if the server sends a renewed one.  So after
   the second reneg-sec interval, the token expires and you get AUTH_FAILED

 - if you use lifetime-limited tokens ("8h"), and that lifetime expires,
   the client needs to reauthenticate.  Which is the idea, so "good".  But
   in some cases, we've had AUTH_FAIL on the *next* renegotiation, which
   hints at the same problem above ("auth-token not sticking").


> Secondly, is it allowed/possible to set "reneg-sec" by a PUSH message?
> (reneg-sec is not set currently in the client.conf, has the default value of
> 3600)

For questions like that, "just trying it" is harmless - a client will ignore
pushed options it doesn't like, and log it.

Checking the code, I can't say for sure.  It's a somewhat obscure class
of config options (OPT_P_TLS_PARMS) for which I can't find a clear indication
of whether those are pushable or not.

gert
-- 
"If was one thing all people took for granted, was conviction that if you 
 feed honest figures into a computer, honest figures come out. Never doubted 
 it myself till I met a computer with a sense of humor."
                             Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany                             g...@greenie.muc.de

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users