Hi, On Sun, Oct 09, 2022 at 03:51:36PM +0200, Gert Doering wrote: > Recording David's and Heiko's ACK, they have done the stare-at-code > and actual testing (I have run t_client tests, but they do not excercise > this problem with my current test servers - need to add more variants).
Just for the records - testing this with 2.x OpenVPN as server seems
to be impossible using built-in --auth-gen-token or using the script
interface to --auth-user-pass-verify + --client-connect, because of
various reasons (--auth-gen-token does not even trigger when there is
no initial username, and the script approach interferes with TLS
username locking - patch for that on the list).
That said, I found a way to stage the server side, and can now confirm
that *without* this patch, the sequence
- client without --auth-user-pass
- server pushes --auth-token-user + --auth-token
- client sends these as future username/password
- token expire, servers sends AUTH_FAIL
will lead to
- client stops, asking for "Enter Auth Username:" without the patch
- client reverts to sending "no username+password" *with* the patch
(the client declares this a "reconnect" and waits 5 seconds, but
the connection will recover without user interaction)
(tested for both 2.5 and master)
gert
--
"If was one thing all people took for granted, was conviction that if you
feed honest figures into a computer, honest figures come out. Never doubted
it myself till I met a computer with a sense of humor."
Robert A. Heinlein, The Moon is a Harsh Mistress
Gert Doering - Munich, Germany [email protected]
signature.asc
Description: PGP signature
_______________________________________________ Openvpn-devel mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/openvpn-devel
