Hi,

On Mon, Dec 14, 2015 at 4:56 PM, Wayne Davison <[email protected]> wrote:

>
> On Thu, Dec 10, 2015 at 8:57 AM, Wayne Davison <[email protected]>
> wrote:
>
>>  src/openvpn/misc.c | 119
>> +++++++++++++++++++++++++----------------------------
>>  1 file changed, 57 insertions(+), 62 deletions(-)
>>
>
> Any questions I can answer about this patch?  This is such a
> straight-forward bug with a simple fix that I'd hope that it makes it into
> the upcoming release. (The patch is mainly re-indenting, which bloats it a
> good bit.)
>

I took a quick look and it seems a simplified patch that addresses
the most critical-sounding issue (challenge/response not prompted for
from stdin) may be more useful.

From the cover-letter to the patches:

> There is a bug in the challenge/response code when the username & password
> is read from a file -- the response is never prompted for.  This bug affects
> older versions, including 2.3.8.
>

A patch that fixes that and only that is easier to review.

> I also added code to read the response out of the --auth-user-pass file if
> there is a 3rd line present.  This is particularly useful for a 2FA setup
> where the response is unchanging (in my case it is always "push" for a Duo
> Push).
>

I see no compelling reason to read the response to a challenge from a file.
If the response is unchanging, it's a misuse of challenge/response.
Implement the check on the server such that it doesn't have to hear
"push" every time from the client. In the case of Duo, it could be an
out-of-band way to add user preferences on the server saying user1
prefers push, user2 phone, user3 sms etc. Or send it attached to
the username or password and parse it in the server-side user-pass-verify
script or in a custom pam_module, for example. This is a custom use
case trying to exploit CR for something else. Nothing wrong with that, but it
may be done without adding a new "feature" into OpenVPN.

Selva
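The server-side alternative Selva describes, as an added example that is not code from this thread or from OpenVPN itself: a helper for an `auth-user-pass-verify` script in via-file mode that picks the second-factor method from a server-held preference table, with an in-band `user/method` username suffix as the fallback. The preference table, the suffix convention and the method names are assumptions for illustration.

```python
# Helper for an OpenVPN auth-user-pass-verify script (via-file mode): OpenVPN
# writes username on line 1 and password on line 2 of a temp file and passes
# its path as argv[1]. The factor method is decided here, on the server, so a
# 3rd "response" line in the client's --auth-user-pass file is never needed.
import sys
from typing import Dict, Optional, Tuple

# Assumed method names (constructed for this example).
ALLOWED_METHODS = ("push", "phone", "sms")

# Constructed sample preference table; a real deployment would load it from
# a file or directory service, out of band from the client.
PREFS: Dict[str, str] = {"user1": "push", "user2": "phone", "user3": "sms"}


def parse_via_file(text: str) -> Tuple[str, str]:
    """Return (username, password) from the via-file contents.
    Any extra lines are deliberately ignored: the server chooses the factor."""
    lines = text.splitlines()
    if len(lines) < 2:
        raise ValueError("expected username and password lines")
    return lines[0], lines[1]


def select_method(username: str, prefs: Dict[str, str]) -> Tuple[str, Optional[str]]:
    """Return (base_username, method). A server-side preference always wins;
    an assumed in-band 'user/method' suffix is honoured only when the method
    is known, so the client cannot steer the 2FA step with arbitrary input.
    None means no usable method: the caller should fail authentication."""
    base, sep, suffix = username.partition("/")
    if base in prefs:
        return base, prefs[base]
    if sep and suffix in ALLOWED_METHODS:
        return base, suffix
    return base, None


if __name__ == "__main__":
    with open(sys.argv[1], encoding="utf-8") as fh:
        user, _password = parse_via_file(fh.read())
    base_user, method = select_method(user, PREFS)
    if method is None:
        sys.exit(1)  # non-zero exit tells OpenVPN to reject the client
    # The password check and the actual second-factor call would go here.
    print(f"{base_user}: second factor via {method}")
```

The real password verification and the call to the 2FA provider are left to the surrounding script; this block only shows where the choice of factor belongs.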
