Re: [Openvpn-devel] setting common-name from plugin

2012-03-05 Thread michael-dev

Hi,

thanks for your reply.

I use OpenVPN in username/password mode with client-cert-not-required 
and username-as-common-name.
So by using the duplicate-cn=unset feature, multi_delete_dup already 
implements the lookup+drop functionality using the common-name, which is 
set to the username in ssl.c:key_method_2_read after the authentication 
plugin is run.
I basically would want the plugin to be able to override what 
set_common_name gets set to in ssl.c, so multi_delete_dup could use the 
plugin-generated value. The challenge is to combine this with the 
deferred authentication stuff, though timing already is fine.


Reimplementing this using the plugin's own lookup table would do it, but 
would also be extra work that could be avoided.


Regards,
 M. Braun




Re: [Openvpn-devel] setting common-name from plugin

2012-03-02 Thread David Sommerseth
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 02/03/12 15:32, michael-dev wrote:
> Hi,
> 
> I've got an openvpn radius authentication plugin (username/password) 
> here [1,2]. Though my radius server is really friendly to users (e.g.
> you might add or strip the domain as you like, upper/lower-case does
> not matter, users might have multiple usernames for different
> reasons), I still want each user to connect only once to openvpn in
> order to mitigate sharing credentials. Radius has the
> chargeable-user-identity reply attribute that could be used to set the
> common-name, but I did not find any way in openvpn to do this from the
> plugin. Could a patch adding a way to set the common name from the radius
> plugin similar to return_list in OPENVPN_PLUGIN_CLIENT_CONNECT_V2 be
> accepted?
> 

I'm probably not awake enough to really understand what you try to solve.
But if you want to change the username to become the common-name after
the authentication, I struggle to see what that really solves.

You seem to have users with multiple usernames, but want them to only
connect once - no matter which user name they use.

The username itself is sent from the client and is never really used in
OpenVPN, except being sent further to either --auth-user-pass-verify or
a --plugin which has the OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY
flag set.

So changing the username from the plug-in would not really make any
difference at all, as a new connection from the same user would still
send the "other" username to the plug-in.

I would rather suggest enhancing your radius plug-in.  On each successful
authentication save the chargeable-user-identity response in a
lookup-table.

For each authentication, first check the user name against this
lookup-table.  If you get a match, tell OpenVPN to reject the connection
(OPENVPN_PLUGIN_FUNC_ERROR).  If there's no match, continue with the
radius authentication, retrieve chargeable-user-identity response and do
another lookup to see if you get a match on this identity instead.  If
you do, reject again.  If you don't have a match, save this identity and
report OPENVPN_PLUGIN_FUNC_SUCCESS.

You would also need to add an extra plug-in hook,
OPENVPN_PLUGIN_CLIENT_DISCONNECT.  This hook needs to remove the user from
this lookup table, to allow the user to connect again later on.

Does this make sense to you?


kind regards,

David Sommerseth


-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk9RInoACgkQDC186MBRfrrA+wCgh3x98Q5d4qhoUyQz5K0Av2/q
KmUAn3DclppZHfR2YfNKJLwTlPcB47s/
=O5BL
-END PGP SIGNATURE-
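The two-stage lookup David describes (reject a username that is already connected before talking to RADIUS, then reject a chargeable-user-identity that is already connected under some other username, and free the entry on disconnect) written out as a session table, as an added example that is neither OpenVPN's code nor the radius plugin's. It assumes the plugin keys the table on a normalized username (lower-cased, with any "@domain" suffix stripped, standing in for the lenient matching the RADIUS server does); the RADIUS round trip is replaced by a constructed in-memory user list, the names alice, alice.smith, bob and the cui-* values are made up, and the success/error constants are defined locally with the same meaning as the ones in openvpn-plugin.h so the file builds without the OpenVPN headers.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_SESSIONS 64
#define NAME_LEN 128

/* Same meaning as OPENVPN_PLUGIN_FUNC_SUCCESS / _ERROR in openvpn-plugin.h;
 * defined locally so this example builds without the OpenVPN headers. */
#define PLUGIN_FUNC_SUCCESS 0
#define PLUGIN_FUNC_ERROR   1

struct session {
    int  in_use;
    char username[NAME_LEN]; /* normalized name the client presented */
    char cui[NAME_LEN];      /* chargeable-user-identity returned by RADIUS */
};

static struct session sessions[MAX_SESSIONS];

/* Assumption: the RADIUS server ignores case and an optional @domain suffix,
 * so the table is keyed on a normalized form to catch those spellings early. */
static void normalize_username(const char *in, char *out, size_t outlen)
{
    size_t i;
    for (i = 0; i + 1 < outlen && in[i] != '\0' && in[i] != '@'; i++)
        out[i] = (char)tolower((unsigned char)in[i]);
    out[i] = '\0';
}

/* Match an active session by normalized username, by CUI, or by either. */
static struct session *find_session(const char *username, const char *cui)
{
    for (int i = 0; i < MAX_SESSIONS; i++) {
        if (!sessions[i].in_use)
            continue;
        if (username && strcmp(sessions[i].username, username) == 0)
            return &sessions[i];
        if (cui && strcmp(sessions[i].cui, cui) == 0)
            return &sessions[i];
    }
    return NULL;
}

/* Constructed stand-in for the RADIUS round trip.  Two different usernames
 * map to the same chargeable-user-identity: the case the plugin must catch. */
static int fake_radius_auth(const char *username, const char *password,
                            char *cui, size_t cuilen)
{
    static const struct { const char *user, *pass, *cui; } db[] = {
        { "alice",       "s3cret",  "cui-1001" },
        { "alice.smith", "s3cret",  "cui-1001" },
        { "bob",         "hunter2", "cui-1002" },
    };
    char norm[NAME_LEN];
    normalize_username(username, norm, sizeof norm);
    for (size_t i = 0; i < sizeof db / sizeof db[0]; i++) {
        if (strcmp(norm, db[i].user) == 0 && strcmp(password, db[i].pass) == 0) {
            snprintf(cui, cuilen, "%s", db[i].cui);
            return 1;
        }
    }
    return 0;
}

/* Body of the OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY handler. */
int plugin_auth_user_pass_verify(const char *username, const char *password)
{
    char norm[NAME_LEN], cui[NAME_LEN];
    normalize_username(username, norm, sizeof norm);

    /* First lookup: this username is already connected; reject before RADIUS. */
    if (find_session(norm, NULL))
        return PLUGIN_FUNC_ERROR;

    if (!fake_radius_auth(username, password, cui, sizeof cui))
        return PLUGIN_FUNC_ERROR;

    /* Second lookup: same identity already connected under another username. */
    if (find_session(NULL, cui))
        return PLUGIN_FUNC_ERROR;

    for (int i = 0; i < MAX_SESSIONS; i++) {
        if (!sessions[i].in_use) {
            sessions[i].in_use = 1;
            snprintf(sessions[i].username, NAME_LEN, "%s", norm);
            snprintf(sessions[i].cui, NAME_LEN, "%s", cui);
            return PLUGIN_FUNC_SUCCESS;
        }
    }
    return PLUGIN_FUNC_ERROR; /* table full: fail closed rather than admit */
}

/* Body of the OPENVPN_PLUGIN_CLIENT_DISCONNECT handler: free the slot so
 * the same user (or identity) can connect again later. */
int plugin_client_disconnect(const char *username)
{
    char norm[NAME_LEN];
    normalize_username(username, norm, sizeof norm);
    struct session *s = find_session(norm, NULL);
    if (s == NULL)
        return PLUGIN_FUNC_ERROR;
    s->in_use = 0;
    return PLUGIN_FUNC_SUCCESS;
}

int active_sessions(void)
{
    int n = 0;
    for (int i = 0; i < MAX_SESSIONS; i++)
        n += sessions[i].in_use;
    return n;
}
```

In a real plugin both handlers read the username from the envp array OpenVPN passes to the hook, so the disconnect hook sees the same string the verify hook did and the normalization yields the same key. The example does not cover the deferred-authentication path that michael-dev mentions: if the RADIUS answer arrives asynchronously, the table entry has to be reserved when the request is sent and released if the deferred result is a failure, or two clients racing on the same identity can both pass the first lookup.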



[Openvpn-devel] setting common-name from plugin

2012-03-02 Thread michael-dev

Hi,

I've got an openvpn radius authentication plugin (username/password) 
here [1,2]. Though my radius server is really friendly to users (e.g. 
you might add or strip the domain as you like, upper/lower-case does not 
matter, users might have multiple usernames for different reasons), I 
still want each user to connect only once to openvpn in order to 
mitigate sharing credentials.
Radius has the chargeable-user-identity reply attribute that could be 
used to set the common-name, but I did not find any way in openvpn to do 
this from the plugin.
Could a patch adding a way to set the common name from the radius plugin 
similar to return_list in OPENVPN_PLUGIN_CLIENT_CONNECT_V2 be accepted?


Regards,
 M. Braun
--
[1] http://subversion.fem.tu-ilmenau.de/websvn/wsvn/openvpn-radius-auth/trunk/
[2] http://subversion.fem.tu-ilmenau.de/repository/openvpn-radius-auth/trunk/