[Openvpn-devel] [RFC] - Enable 2FA to be used with renegotiations

2016-08-25 Thread David Sommerseth
Hi, I've been working a bit on a new patch-set which enables third-party user/password authentication mechanisms using two factor authentications [2FA] (such as OTP) and not needing to disable the renegotiation features of OpenVPN. Currently, if a s

Re: [Openvpn-devel] [RFC] - Enable 2FA to be used with renegotiations

2016-08-25 Thread David Woodhouse
On Thu, 2016-08-25 at 15:45 +0200, David Sommerseth wrote: > > > I've been working a bit on a new patch-set which enables third-party > user/password authentication mechanisms using two factor > authentications [2FA] (such as OTP) and not needing to disable the > renegotiation features of OpenVPN

Re: [Openvpn-devel] [RFC] - Enable 2FA to be used with renegotiations

2016-08-25 Thread David Sommerseth
On 25/08/16 15:58, David Woodhouse wrote: > On Thu, 2016-08-25 at 15:45 +0200, David Sommerseth wrote: >> >> >> I've been working a bit on a new patch-set which enables >> third-party user/password authentication mechanisms using two >> factor authen

Re: [Openvpn-devel] [RFC] - Enable 2FA to be used with renegotiations

2016-08-25 Thread Selva Nair
On Thu, Aug 25, 2016 at 10:15 AM, David Sommerseth < open...@sf.lists.topphemmelig.net> wrote: > On 25/08/16 15:58, David Woodhouse wrote: > > On Thu, 2016-08-25 at 15:45 +0200, David Sommerseth wrote: > >> > >> > >> I've been working a bit on a new patch-set which enables > >> third-party user/pa

[Openvpn-devel] 2.3.12 vs git-master with cipher negotiation

2016-08-25 Thread debbie10t
Hi, this is an odd one that I am only reporting as it feels like something may have been overlooked. 1. Start off running win10 server openvpn git-master 20160818 with --cipher AES-256-CBC defined Linux client running git:master/d1bd37fd508ee046 with --cipher AES-256-CBC defined Client connec

Re: [Openvpn-devel] [RFC] - Enable 2FA to be used with renegotiations

2016-08-25 Thread David Sommerseth
On 25/08/16 16:32, Selva Nair wrote: > > On Thu, Aug 25, 2016 at 10:15 AM, David Sommerseth > > wrote: > > On 25/08/16 15:58, David Woodhouse wrote: >> On Thu, 2016-08-25 at 15:45 +0200, David Sommerseth wr

Re: [Openvpn-devel] [RFC] - Enable 2FA to be used with renegotiations

2016-08-25 Thread Selva Nair
On Thu, Aug 25, 2016 at 11:36 AM, David Sommerseth wrote: > > On 25/08/16 16:32, Selva Nair wrote: > > > > On Thu, Aug 25, 2016 at 10:15 AM, David Sommerseth > > > > wrote: > > > > On 25/08/16 15:58, David Woodhouse wrote: > >> On Thu, 2016-08-25 at 15:4

[Openvpn-devel] [PATCH] Document the --auth-token option

2016-08-25 Thread David Sommerseth
This isn't an option to be used directly in any configuration files, but to be used via --client-connect scripts or --plugin making use of OPENVPN_PLUGIN_CLIENT_CONNECT or OPENVPN_PLUGIN_CLIENT_CONNECT_V2. Signed-off-by: David Sommerseth --- doc/openvpn.8 | 51 +++

Re: [Openvpn-devel] [RFC] - Enable 2FA to be used with renegotiations

2016-08-25 Thread David Sommerseth
On 25/08/16 18:53, Selva Nair wrote: > As for caching, either the token will have to be cached unless > management is in use in which case the UI/GUI can remember the > token and supply it during reneg. Right, but I think we both agree that caching a

Re: [Openvpn-devel] [PATCH applied] Fix unittests for out-of-source builds

2016-08-25 Thread David Sommerseth
Your patch has been applied to the master branch. commit ee4f37c3533667aee87fd39ba131e80f3c1cfde7 Author: Steffan Karger Date: Mon Aug 15 20:02:36 2016 +0200 Fix unittests for out-of-source builds Signed-off-by: Steffan Karger Ack

Re: [Openvpn-devel] [PATCH applied] Use AES ciphers in our sample configuration files and add a few modern 2.4 examples

2016-08-25 Thread David Sommerseth
I corrected the typos and removed the added extra blank line, which Steffan noticed. Your patch has been applied to the following branches commit 6d036ebc221d933c0751107cea9efe4692c9d559 () commit 0b4707472675e809b924fd8ca907534e0da16dbb (release/

Re: [Openvpn-devel] [PATCH applied] Use AES ciphers in our sample configuration files and add a few modern 2.4 examples

2016-08-25 Thread David Sommerseth
And my script failed me, the correct master branch commit is bde1b90da0db2d68d13d274102986f0ca7096c00 On 25/08/16 20:27, David Sommerseth wrote: > > I corrected the typos and removed the added extra blank line, which > Steffan noticed. > > Your p

Re: [Openvpn-devel] [PATCH] Document the --auth-token option

2016-08-25 Thread Selva Nair
Hi, Thanks for documenting this. On Thu, Aug 25, 2016 at 1:32 PM, David Sommerseth wrote: > .\"* > .TP > +.B \-\-auth\-token token > +This is not an option to be used directly in any configuration files, > +but rather push this option fr

Re: [Openvpn-devel] [PATCH applied] Fix unittests for out-of-source builds

2016-08-25 Thread David Sommerseth
Sorry! I forgot to add it to release/2.3 too. Fixed that too. Your patch has been applied to the following branches commit ee4f37c3533667aee87fd39ba131e80f3c1cfde7 (master) commit 57294aaafc7397414b646d002e9326179f16eeed (release/2.3) Author: St

Re: [Openvpn-devel] [PATCH applied] Bind to local socket before dropping privileges

2016-08-25 Thread David Sommerseth
ACK. Tested both master and release/2.3 branches with and without this patch. On master this patch was needed to allow --lport 443 together with --user openvpn --group openvpn. On release/2.3 this patch was not needed. Your patch has been applied

Re: [Openvpn-devel] [PATCH applied] Bind to local socket before dropping privileges

2016-08-25 Thread Gert Doering
Hi, On Thu, Aug 25, 2016 at 09:15:22PM +0200, David Sommerseth wrote: > ACK. Tested both master and release/2.3 branches with and without this > patch. On master this patch was needed to allow --lport 443 together > with --user openvpn --group openvpn. On release/2.3 this patch was > not needed

[Openvpn-devel] [PATCH] Fix client connection instant timeout

2016-08-25 Thread David Sommerseth
Commit b3e975824ea9ebae8dbea5b451c8d02525c83ffe moved the finalizing of TCP/UDP sockets before the UID/GID were dropped. But this did not factor in that the timeout code had been revamped [1] in the meantime. This ensures the timeout initialization is done before the socket finalizing has been

Re: [Openvpn-devel] [RFC] - Enable 2FA to be used with renegotiations

2016-08-25 Thread Steffan Karger
On 25 August 2016 at 15:45, David Sommerseth wrote: > I've been working a bit on a new patch-set which enables third-party > user/password authentication mechanisms using two factor > authentications [2FA] (such as OTP) and not needing to disable the > renegotiation features of OpenVPN. > > Curren

Re: [Openvpn-devel] [RFC] - Enable 2FA to be used with renegotiations

2016-08-25 Thread David Sommerseth
On 26/08/16 00:21, Steffan Karger wrote: > One thing I think might be useful is a timeout that forces a client > to do a full reauth. I can imagine a company policy that, for > example, requires users to perform a 2FA at least every 4 hours. > I'd wan