From ea545a0e8c25858f4cd165f5981ea74b654d9e92 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan-Otto=20Kr=C3=B6pke?= Date: Sat, 16 Mar 2024 14:56:31 +0100 Subject: [PATCH] [PATCH] Introduce `external-auth` flag to make client-side authentication methods optional --- doc/man-sections/client-options.rst | 17 +++++++++++++++++ src/openvpn/options.c | 12 +++++++++--- src/openvpn/options.h | 1 + 3 files changed, 27 insertions(+), 3 deletions(-) diff --git a/doc/man-sections/client-options.rst b/doc/man-sections/client-options.rst index b75fe5bdbad..2a337d33efe 100644 --- a/doc/man-sections/client-options.rst +++ b/doc/man-sections/client-options.rst @@ -87,6 +87,23 @@ configuration. The server configuration must specify an ``--auth-user-pass-verify`` script to verify the username/password provided by the client. +--external-auth + This client-only option indicates that user authentication options in the + client configuration are not mandatory. For security reasons, OpenVPN + requires client-side credentials such as client certificates or a + username/password combination. The OpenVPN server has the capability to + delegate authentication to external systems using the WEBAUTH protocol. + In such cases, client credentials may be omitted. + + ***Security Considerations*** + + When the ``--external-auth`` option is enabled in OpenVPN, it bypasses the + check that some form of user authentication method is specified. This + configuration can potentially create a risky environment where an OpenVPN + server operates without requiring authentication. If you opt to utilize + ``--external-auth``, it's crucial to thoroughly validate that the OpenVPN + server has been adequately secured. + --auth-retry type Controls how OpenVPN responds to username/password verification errors such as the client-side response to an :code:`AUTH_FAILED` message from diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 94a88f949d6..90f38b0b85d 100644 --- a/src/openvpn/options.c 
+++ b/src/openvpn/options.c @@ -499,6 +499,7 @@ static const char usage_message[] = " and a password on the second. If either the password or both\n" " the username and the password are omitted OpenVPN will prompt\n" " for them from console.\n" + "--external-auth : If set, client-side credentials are optional.\n" "--pull : Accept certain config file options from the peer as if they\n" " were part of the local config file. Must be specified\n" " when connecting to a '--mode server' remote host.\n" @@ -3004,12 +3005,12 @@ options_postprocess_verify_ce(const struct options *options, if (sum == 0) { - if (!options->auth_user_pass_file) + if (!options->auth_user_pass_file && !options->external_auth) { msg(M_USAGE, "No client-side authentication method is " "specified. You must use either " - "--cert/--key, --pkcs12, or " - "--auth-user-pass"); + "--cert/--key, --pkcs12, " + "--auth-user-pass, or --external-auth"); } } else if (sum != 2) @@ -7917,6 +7918,11 @@ add_option(struct options *options, options->auth_user_pass_file = "stdin"; } } + else if (streq(p[0], "external-auth") && !p[1]) + { + VERIFY_PERMISSION(OPT_P_GENERAL); + options->external_auth = true; + } else if (streq(p[0], "auth-retry") && p[1] && !p[2]) { VERIFY_PERMISSION(OPT_P_GENERAL); diff --git a/src/openvpn/options.h b/src/openvpn/options.h index 2b37d1fc449..515462aafb6 100644 --- a/src/openvpn/options.h +++ b/src/openvpn/options.h @@ -542,6 +542,7 @@ struct options const char *auth_user_pass_file; bool auth_user_pass_file_inline; struct options_pre_connect *pre_connect; + bool external_auth; int scheduled_exit_interval;
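Review bot: The new `!options->external_auth` condition in options_postprocess_verify_ce only relaxes the "No client-side authentication method" check, but nothing rejects `--external-auth` in a server configuration even though the manual page describes it as client-only, so on a server it is accepted by `VERIFY_PERMISSION(OPT_P_GENERAL)` in the add_option hunk and then silently ignored. Because the option deliberately lets a client start a TLS session with neither a certificate nor `--auth-user-pass`, I would make its scope explicit in this same verify pass, e.g. `if (options->external_auth && options->tls_server) { msg(M_USAGE, "--external-auth is a client-only option"); }`, so a misplaced or copy-pasted option fails fast instead of looking like it did something. It would also help operators if the skipped check were logged at M_INFO when `external_auth` is the reason, so a client with no credentials configured is visible in its own log rather than only as a server-side authentication failure. The enclosing function starts and ends outside the hunk, and the same scoping point applies to the add_option hunk below.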
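Review bot: The new `external_auth` field in struct options is added without a comment although the option it backs disables a security check, so a reader of the header cannot tell what the flag relaxes without finding the verify code. A one-line comment tying the field to that check would help, e.g. `bool external_auth; /* --external-auth: client may omit --cert/--key, --pkcs12 and --auth-user-pass; authentication is expected to be delegated by the server */`. The struct definition starts and ends outside the hunk.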