Re: [Openvpn-devel] SSO patchset / testing server side mgmt if

2020-05-19 Thread Gert Doering
Hi, On Mon, May 18, 2020 at 04:15:55PM +0200, Arne Schwabe wrote: > Implementing a small, e.g. Python-based, management interface might also be > possible, but it would be an example that does a lot more than just that > because you need a bit more to have something working with the management > interface

[Openvpn-devel] [PATCH v3 1/5] Implement parsing and sending INFO and INFO_PRE control messages

2020-05-19 Thread Arne Schwabe
OpenVPN 3 implements these messages to send information during the authentication to the UI; implement these messages also in OpenVPN 2.x. Signed-off-by: Arne Schwabe --- src/openvpn/forward.c | 8 src/openvpn/push.c| 32 src/openvpn/push.h| 3

[Openvpn-devel] [PATCH v3 4/5] Implement sending AUTH_PENDING challenges to clients

2020-05-19 Thread Arne Schwabe
This implements sending AUTH_PENDING and INFO_PRE messages to clients that indicate that the clients should continue authentication with a second factor. This can currently be out of band (openurl) or a normal challenge/response two like TOTP (CR_TEXT). Unfortunately this patch spend so much

[Openvpn-devel] [PATCH v3 5/5] Implement forwarding client CR_RESPONSE messages to management

2020-05-19 Thread Arne Schwabe
When signalling the client that it should do Challenge response without reconnecting (IV_SSO=crtext/INFOPRE=CR_TEXT), the server needs to forward the response via the management console. Signed-off-by: Arne Schwabe --- doc/management-notes.txt | 30 +-

[Openvpn-devel] [PATCH v3 0/5] Implement additional two step authentication methods

2020-05-19 Thread Arne Schwabe
This patchset implements the basic blocks for a more flexible authentication protocol in OpenVPN. The basic idea is to instead of giving an immediate deny/accept the client gets an additional challenge via the info message to a 2FA method or external authentication with URL (e.g. via SAML). The

[Openvpn-devel] [PATCH v3 2/5] Implement support for signalling IV_SSO to server

2020-05-19 Thread Arne Schwabe
Signed-off-by: Arne Schwabe --- src/openvpn/ssl.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index c2e9a4f3..f85ef3eb 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c @@ -2333,7 +2333,9 @@ push_peer_info(struct buffer *buf,

[Openvpn-devel] [PATCH v3 3/5] Implement sending response to challenge via CR_RESPONSE

2020-05-19 Thread Arne Schwabe
When a client announces its support to support text based challenge/response via IV_SSO=crtext, the client needs to also be able to reply to that response. This adds the "cr-response" management function to be able to do this. The answer should be base64 encoded. Signed-off-by: Arne Schwabe ---

[Openvpn-devel] [PATCH applied] Re: Refuse server mode on Android

2020-05-19 Thread Gert Doering
Your patch has been applied to the master branch. (I would have ACKed this, but David was faster... "#ifdef ANDROID, if not excessive, is mostly Arne's decision anyway") commit cc76e177606ba336bbcb63ebc5e4d85b4116057f Author: Arne Schwabe Date: Mon May 18 17:54:27 2020 +0200 Refuse

Re: [Openvpn-devel] [PATCH] Refuse server mode on Android

2020-05-19 Thread David Sommerseth
On 18/05/2020 17:54, Arne Schwabe wrote: > After the commit 042429d3 "build: Remove --disable-server from ./configure" > Android needs another way to ensure that OpenVPN is not run in server mode. > > Signed-off-by: Arne Schwabe > --- > src/openvpn/options.c | 3 +++ > 1 file changed, 3