My server test rig has a "--auth-user-pass-verify" script that already
does client-controlled success/failure returns (setenv UV...), and
this has now learned to return client-specific messages if
$auth_failed_reason_file is set...
2022-09-17 17:44:53 AUTH: Received control message: AUTH_FAILED,you stink
.. works.
For the plugin case, I've tried to test this with my existing
"--client-connect magic hooks plugin", but it seems this functionality
is not exported to client-connect (so, CC plugin fails can only return
basic AUTH_FAIL). So I've hacked this into plugin-auth-pam, which is
used in a different server instance, and that one also works:
2022-09-17 18:07:47 AUTH: Received control message: AUTH_FAILED,my plugin does
not like you
All the other tests (client+server) still works as well, no files
are left around in /tmp/, etc.
Staring at the code took me a bit, because of the two-fold way you
did the checks - half the locations call check_for_client_reason(),
while tls_authentication_status() prefers to do it "inline" (... leading
to the gc_free()... ;-) ). Could this be unified, or am I overlooking
something? Anyway, decided to not stop progress because of this.
Your patch has been applied to the master branch.
commit 8893fe49a4c593387d469ccc4a73ec0714f69315
Author: Arne Schwabe
Date: Wed Aug 24 16:08:48 2022 +0200
Allow scripts and plugins to set a custom AUTH_FAILED message
Signed-off-by: Arne Schwabe <[email protected]>
Acked-by: Heiko Hund <[email protected]>
Message-Id: <[email protected]>
URL:
https://www.mail-archive.com/[email protected]/msg25099.html
Signed-off-by: Gert Doering <[email protected]>
--
kind regards,
Gert Doering
_______________________________________________
Openvpn-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
