Dear openvpn-devel list,
OpenVPN supports verification of a username/password combination on the
server-side by passing these to a 'script' using 'auth-user-pass-verify'.
With this, it is possible to use a file ('via-file') or environment
variables ('via-env') to pass the given username and password for
verification. The 'script' returns exit code 0 if the username and
password are correct or non-0 if they are incorrect.
On the client-side, the only way to specify a username and a password
(using the option 'auth-user-pass') is by directly using the OpenVPN
prompt or (by default not possible because it isn't compiled in) by
using a file with the username on the first line and the password on the
second line.
While it is easy to extend the username/password verification on the
server, it isn't easy to extend the username/password input on the
client. Even if OpenVPN is recompiled with the required option enabled
for the client to accept a username/password from an earlier process, it
is far from secure (because under some operating systems, such as Windows,
the username/password combination must be written in plain text to the
disk for this to work).
Would it be a good idea to let OpenVPN on the client-side accept a
username and a password as input from two separate environment variables
using an extra option in the configuration file (when 'auth-user-pass'
is also used)? This would make it easier to write an end-user-friendly
front-end for OpenVPN which asks for a username and password.
My suggestion is to extend 'auth-user-pass [up]' to 'auth-user-pass
via-file [up]' and 'auth-user-pass via-env'. By using 'via-env', the
username and password should be taken from pre-specified environment
variables. Perhaps the environment variables should be 'username' and
'password', the same names 'auth-user-pass-verify' on the server uses.
Because this option would be more secure for Windows, would it also be
possible to enable 'auth-user-pass via-env' by default during compilation?
Best regards,
Zep
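To make the server-side mechanism the post describes concrete, here is an added example (not OpenVPN's own code) of an 'auth-user-pass-verify' script that accepts the credentials either 'via-file' (path in $1, username on line 1, password on line 2) or 'via-env' (variables 'username' and 'password') and answers with exit status 0 or 1. The user database, account names and passwords are constructed for the demo; the hashing choice (plain SHA-256 via sha256sum/openssl) is an assumption made only to keep it self-contained.

```shell
#!/bin/sh
# Added example, not OpenVPN's own code: an 'auth-user-pass-verify' handler
# taking credentials 'via-file' ($1: line 1 = username, line 2 = password)
# or 'via-env' (variables 'username' and 'password'). Exit 0 accepts the
# login, 1 rejects it. Passwords are compared as hashes, never echoed.

hash_pw() {
    # SHA-256 via sha256sum, or openssl where it is missing. A deployment
    # would use a slow password hash; SHA-256 just keeps this self-contained.
    if command -v sha256sum >/dev/null 2>&1; then
        printf '%s' "$1" | sha256sum | cut -d' ' -f1
    else
        printf '%s' "$1" | openssl dgst -sha256 | sed 's/^.* //'
    fi
}

# Constructed user database, one "username:sha256hex" line per account. The
# hashes are derived here only so the example runs offline.
USERDB="alice:$(hash_pw 'correct horse battery')
bob:$(hash_pw 's3cret')"

verify_credentials() {
    # $1 = username, $2 = password. Returns 0 on success, 1 on failure.
    user=$1; pass=$2
    # Reject empty or oddly formed usernames before touching the database.
    case "$user" in ''|*[!A-Za-z0-9_.@-]*) return 1 ;; esac
    expected=$(printf '%s\n' "$USERDB" | awk -F: -v u="$user" '$1 == u { print $2; exit }')
    [ -n "$expected" ] || return 1
    [ "$(hash_pw "$pass")" = "$expected" ]
}

verify_from_file() {
    # via-file: username on line 1, password on line 2. CR characters that a
    # Windows client may send are dropped before comparison.
    [ -r "$1" ] || return 1
    verify_credentials "$(sed -n '1p' "$1" | tr -d '\r')" "$(sed -n '2p' "$1" | tr -d '\r')"
}

verify_from_env() {
    # via-env: OpenVPN exports the variables 'username' and 'password'.
    verify_credentials "${username-}" "${password-}"
}

# Run as OpenVPN would invoke the script: a file argument means via-file,
# otherwise via-env. With neither present, only the functions are defined.
if [ $# -gt 0 ]; then
    verify_from_file "$1"; exit $?
elif [ -n "${username-}" ]; then
    verify_from_env; exit $?
fi
```

Note that with 'via-file' OpenVPN still writes the password to a temporary file on the server before calling the script, which is the same plaintext-on-disk concern the post raises for the client side.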
[Openvpn-devel] Feature request: Client-side username/pas... The Zep Man