On 27/01/17 08:27, Gert Doering wrote:
> Hi,
>
> On Fri, Jan 27, 2017 at 12:02:21AM +0100, David Sommerseth wrote:
>> On 26/01/17 19:45, Gert Doering wrote:
>>> On Thu, Jan 26, 2017 at 07:36:32PM +0100, David Sommerseth wrote:
>>>> Anyhow ... quick-fix/workaround: Don't use --auth-nocache
>>>
>>> What happens if you have --auth-nocache, the server sends a token, and
>>> the token expires? Will the client get something back that it can
>>> understand as "oh, I need to ask for a new password!"?
>>>
>>> (Sorry, I know I *should* have tested this long ago... :-) )
>>
>> When --auth-nocache is in use, the contents of the password field in
>> struct user_pass are wiped and later ignored, regardless if the server
>> sent an --auth-token or not.
>
> Uh. My question did not make sense. Trying again:
>
> What happens if you do NOT have --auth-nocache, the server sends a token,
> and the token expires? Will the client get something back that it can
> understand as "oh, I need to ask for a new password!"?

Ahh! Currently, the client will disconnect due to authentication failure.

This is not optimal, and definitely not how I like it! But to fix that, a
massive code refactoring is needed so that the AUTH_FAILED message is sent
with the proper "sub-code" which can be used on the client to ask for
credentials again. I have already sent some patches to the devel ML, but
those need to be improved a lot before getting ready for inclusion.

On the other hand, this is not a very new issue actually. If external
auth-plugins reject an authentication, it is the same situation.

-- 
kind regards,

David Sommerseth
OpenVPN Technologies, Inc
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users