@@ -2469,6 +2469,7 @@ open_management (struct context *c)

 			       c->options.management_state_buffer_size,

 			       c->options.management_hold,

 			       c->options.management_signal,

+			       c->options.management_forget_disconnect,

 			       c->options.management_client,

 			       c->options.management_write_peer_info_file,

 			       c->options.remap_sigusr1))

@@ -1080,6 +1080,9 @@ man_reset_client_socket (struct management *man, const bool exiting)

     }

   if (!exiting)

     {

+      if (man->settings.management_forget_disconnect)

+	 ssl_purge_auth ();

+

       if (man->settings.signal_on_disconnect) {

       	  int mysig = man_mod_signal (man, SIGUSR1);

 	  if (mysig >= 0)

@@ -1333,6 +1336,7 @@ man_settings_init (struct man_settings *ms,

 		   const int state_buffer_size,

 		   const bool hold,

 		   const bool signal_on_disconnect,

+		   const bool management_forget_disconnect,

 		   const bool connect_as_client,

 		   const char *write_peer_info_file,

 		   const int remap_sigusr1)

@@ -1371,6 +1375,12 @@ man_settings_init (struct man_settings *ms,

       ms->signal_on_disconnect = signal_on_disconnect;

       /*

+       * Should OpenVPN forget passwords when managmenet

+       * session disconnects?

+       */

+      ms->management_forget_disconnect = management_forget_disconnect;

+

+      /*

        * Should OpenVPN connect to management interface as a client

        * rather than a server?

        */

@@ -1513,6 +1523,7 @@ management_open (struct management *man,

 		 const int state_buffer_size,

 		 const bool hold,

 		 const bool signal_on_disconnect,

+		 const bool management_forget_disconnect,

 		 const bool connect_as_client,

 		 const char *write_peer_info_file,

 		 const int remap_sigusr1)

@@ -1534,6 +1545,7 @@ management_open (struct management *man,

 		     state_buffer_size,

 		     hold,

 		     signal_on_disconnect,

+		     management_forget_disconnect,

 		     connect_as_client,

 		     write_peer_info_file,

 		     remap_sigusr1);

@@ -206,6 +206,7 @@ struct man_settings {

   bool server;

   bool hold;

   bool signal_on_disconnect;

+  bool management_forget_disconnect;

   bool connect_as_client;

   char *write_peer_info_file;

@@ -283,6 +284,7 @@ bool management_open (struct management *man,

 		      const int state_buffer_size,

 		      const bool hold,

 		      const bool signal_on_disconnect,

+		      const bool management_forget_disconnect,

 		      const bool connect_as_client,

 		      const char *write_peer_info_file,

 		      const int remap_sigusr1);

@@ -179,6 +179,7 @@ openvpn \- secure IP tunnel daemon.

 [\ \fB\-\-log\fR\ \fIfile\fR\ ]

 [\ \fB\-\-suppress-timestamps\fR\ ]

 [\ \fB\-\-lport\fR\ \fIport\fR\ ]

+[\ \fB\-\-management\-forget\-disconnect\fR\ ]

 [\ \fB\-\-management\-hold\fR\ ]

 [\ \fB\-\-management\-log\-cache\fR\ \fIn\fR\ ]

 [\ \fB\-\-management\-signal\fR\ ]

@@ -2325,6 +2326,15 @@ for inputs which ordinarily would have been queried from the

 console.

 .\"*********************************************************

 .TP

+.B --management-forget-disconnect

+Make OpenVPN forget passwords when management session

+disconnects.

+

+This directive does not affect the

+.B --http-proxy

+username/password.  It is always cached.

+.\"*********************************************************

+.TP

 .B --management-hold

 Start OpenVPN in a hibernating state, until a client

 of the management interface explicitly starts it

@@ -318,6 +318,8 @@ static const char usage_message[] =

   "--management-hold : Start " PACKAGE_NAME " in a hibernating state, until a client\n"

   "                    of the management interface explicitly starts it.\n"

   "--management-signal : Issue SIGUSR1 when management disconnect event occurs.\n"

+  "--management-forget-disconnect : Forget passwords when management disconnect\n"

+  "                                 event occurs.\n"

   "--management-log-cache n : Cache n lines of log file history for usage\n"

   "                  by the management channel.\n"

 #endif

@@ -1202,6 +1204,7 @@ show_settings (const struct options *o)

   SHOW_BOOL (management_hold);

   SHOW_BOOL (management_client);

   SHOW_BOOL (management_signal);

+  SHOW_BOOL (management_forget_disconnect);

   SHOW_STR (management_write_peer_info_file);

 #endif

 #ifdef ENABLE_PLUGIN

@@ -1527,7 +1530,8 @@ options_postprocess (struct options *options, bool first_time)

 #ifdef ENABLE_MANAGEMENT

   if (!options->management_addr &&

       (options->management_query_passwords || options->management_hold || options->management_signal

-       || options->management_client || options->management_write_peer_info_file

+       || options->management_forget_disconnect || options->management_client

+       || options->management_write_peer_info_file

        || options->management_log_history_cache != defaults.management_log_history_cache))

     msg (M_USAGE, "--management is not specified, however one or more options which modify the behavior of --management were specified");

 #endif

@@ -3152,6 +3156,11 @@ add_option (struct options *options,

       VERIFY_PERMISSION (OPT_P_GENERAL);

       options->management_signal = true;

     }

+  else if (streq (p[0], "management-forget-disconnect"))

+    {

+      VERIFY_PERMISSION (OPT_P_GENERAL);

+      options->management_forget_disconnect = true;

+    }

   else if (streq (p[0], "management-client"))

     {

       VERIFY_PERMISSION (OPT_P_GENERAL);

@@ -284,6 +284,7 @@ struct options

   bool management_query_passwords;

   bool management_hold;

   bool management_signal;

+  bool management_forget_disconnect;

   bool management_client;

   const char *management_write_peer_info_file;

 #endif