Clarify and expand the documentation for the management interface:
* Add examples of static and dynamic challenge/response sequences in
the "COMMAND -- password and username" section.
* Expand the "Challenge/Response" section with more detail.
* Use "management interface client" throughout (instead of "management
client", which was used in several places previously).
* Clarify when both a username and password are needed, not just a
username or a password.
* Clarify that an exit with a fatal error for a dynamic C/R will occur
only if "--auth-retry none" (the default) is in effect.
* Fix a typo. ("posesses" => "possesses").
Signed-off-by: Jonathan K. Bullard <jkbullard@gmail.com>
Acked-by: Selva Nair <selva.nair@gmail.com>
Message-Id: <nEV9l80I3peitTd26qmQFpeoaQbEO-IR74B1gOvCLv-IfvQKjNfL9UnZq1aWr20480nGcbkSnhA-mSGEI5kG7JBMsGpNbNf2FExV3CSzRf4=@protonmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17390.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
... | ... |
@@ -12,7 +12,8 @@ as a client or server. |
12 | 12 |
|
13 | 13 |
The management interface is implemented using a client/server TCP |
14 | 14 |
connection or unix domain socket where OpenVPN will listen on a |
15 |
-provided IP address and port for incoming management client connections. |
|
15 |
+provided IP address and port for incoming management interface client |
|
16 |
+connections. |
|
16 | 17 |
|
17 | 18 |
The management protocol is currently cleartext without an explicit |
18 | 19 |
security layer. For this reason, it is recommended that the |
... | ... |
@@ -104,7 +105,7 @@ be in the list, and it will cause the management interface |
104 | 104 |
to save the "forget-passwords" string in its list of echo |
105 | 105 |
parameters. |
106 | 106 |
|
107 |
-The management client can use "echo all" to output the full |
|
107 |
+The management interface client can use "echo all" to output the full |
|
108 | 108 |
list of echoed parameters, "echo on" to turn on real-time |
109 | 109 |
notification of echoed parameters via the ">ECHO:" prefix, |
110 | 110 |
or "echo off" to turn off real-time notification. |
... | ... |
@@ -118,10 +119,10 @@ like this: |
118 | 118 |
|
119 | 119 |
Essentially the echo command allowed us to pass parameters from |
120 | 120 |
the OpenVPN server to the OpenVPN client, and then to the |
121 |
-management client (such as a GUI). The large integer is the |
|
121 |
+management interface client (such as a GUI). The large integer is the |
|
122 | 122 |
unix date/time when the echo parameter was received. |
123 | 123 |
|
124 |
-If the management client had issued the command "echo on", |
|
124 |
+If the management interface client had issued the command "echo on", |
|
125 | 125 |
it would have enabled real-time notifications of echo |
126 | 126 |
parameters. In this case, our "forget-passwords" message |
127 | 127 |
would be output like this: |
... | ... |
@@ -139,10 +140,10 @@ messages. |
139 | 139 |
COMMAND -- exit, quit |
140 | 140 |
--------------------- |
141 | 141 |
|
142 |
-Close the managment session, and resume listening on the |
|
142 |
+Close the management session, and resume listening on the |
|
143 | 143 |
management port for connections from other clients. Currently, |
144 |
-the OpenVPN daemon can at most support a single management client |
|
145 |
-any one time. |
|
144 |
+the OpenVPN daemon can at most support a single management interface |
|
145 |
+client any one time. |
|
146 | 146 |
|
147 | 147 |
COMMAND -- help |
148 | 148 |
--------------- |
... | ... |
@@ -167,7 +168,7 @@ The hold flag setting is persistent and will not |
167 | 167 |
be reset by restarts. |
168 | 168 |
|
169 | 169 |
OpenVPN will indicate that it is in a hold state by |
170 |
-sending a real-time notification to the management |
|
170 |
+sending a real-time notification to the management interface |
|
171 | 171 |
client, the parameter indicates how long OpenVPN would |
172 | 172 |
wait without UI (as influenced by connect-retry exponential |
173 | 173 |
backoff). The UI needs to wait for releasing the hold if it |
... | ... |
@@ -275,7 +276,7 @@ COMMAND -- password and username |
275 | 275 |
OpenVPN is indicating that it needs a password of type |
276 | 276 |
"Private Key". |
277 | 277 |
|
278 |
- The management client should respond to this query as follows: |
|
278 |
+ The management interface client should respond as follows: |
|
279 | 279 |
|
280 | 280 |
password "Private Key" foo |
281 | 281 |
|
... | ... |
@@ -283,8 +284,8 @@ COMMAND -- password and username |
283 | 283 |
|
284 | 284 |
>PASSWORD:Need 'Auth' username/password |
285 | 285 |
|
286 |
- OpenVPN needs a --auth-user-pass password. The management |
|
287 |
- client should respond: |
|
286 |
+ OpenVPN needs a --auth-user-pass username and password. The |
|
287 |
+ management interface client should respond: |
|
288 | 288 |
|
289 | 289 |
username "Auth" foo |
290 | 290 |
password "Auth" bar |
... | ... |
@@ -307,7 +308,8 @@ COMMAND -- password and username |
307 | 307 |
>PASSWORD:Verification Failed: 'Private Key' |
308 | 308 |
|
309 | 309 |
Example 4: The --auth-user-pass username/password failed, |
310 |
- and OpenVPN is exiting: |
|
310 |
+ and OpenVPN will exit with a fatal error if '--auth-retry none' |
|
311 |
+ (which is the default) is in effect: |
|
311 | 312 |
|
312 | 313 |
>PASSWORD:Verification Failed: 'Auth' |
313 | 314 |
|
... | ... |
@@ -322,6 +324,37 @@ COMMAND -- password and username |
322 | 322 |
|
323 | 323 |
>PASSWORD:Auth-Token:foobar |
324 | 324 |
|
325 |
+ Example 7: Static challenge/response: |
|
326 |
+ |
|
327 |
+ >PASSWORD:Need 'Auth' username/password SC:1,Please enter token PIN |
|
328 |
+ |
|
329 |
+ OpenVPN needs an --auth-user-pass username and password and the |
|
330 |
+ response to a challenge. The user's response to "Please enter |
|
331 |
+ token PIN" should be obtained and included in the management |
|
332 |
+ interface client's response along with the username and password |
|
333 |
+ formatted as described in the Challenge/Response Protocol section |
|
334 |
+ below. |
|
335 |
+ |
|
336 |
+ Example 8: Dynamic challenge/response: |
|
337 |
+ |
|
338 |
+ >PASSWORD:Verification Failed: ['CRV1:R,E:Om01u7Fh4LrGBS7uh0SWmzwabUiGiW6l:Y3Ix:Please enter token PIN'] |
|
339 |
+ |
|
340 |
+ The previous --auth-user-pass username/password failed or is not |
|
341 |
+ fully complete, and the server provided a custom |
|
342 |
+ client-reason-text string indicating that a dynamic |
|
343 |
+ challenge/response should occur the next time that a "Need 'Auth' |
|
344 |
+ username/password" message is seen. |
|
345 |
+ |
|
346 |
+ When the next "Need 'Auth' username/password" without a static |
|
347 |
+ challenge is seen, the user's response to "Please enter token PIN" |
|
348 |
+ should be obtained and included in the management interface client's |
|
349 |
+ response along with the username and password formatted as described |
|
350 |
+ in the Challenge/Response Protocol section below |
|
351 |
+ |
|
352 |
+See the "Challenge/Response Protocol" section below for more details |
|
353 |
+about examples 7 and 8, including how the management interface client |
|
354 |
+should respond. |
|
355 |
+ |
|
325 | 356 |
COMMAND -- forget-passwords |
326 | 357 |
--------------------------- |
327 | 358 |
|
... | ... |
@@ -464,10 +497,10 @@ Example: |
464 | 464 |
|
465 | 465 |
>NEED-OK:Need 'token-insertion-request' confirmation MSG:Please insert your cryptographic token |
466 | 466 |
|
467 |
- The management client, if it is a GUI, can flash a dialog |
|
467 |
+ The management interface client, if it is a GUI, can flash a dialog |
|
468 | 468 |
box containing the text after the "MSG:" marker to the user. |
469 | 469 |
When the user acknowledges the dialog box, |
470 |
- the management client can issue this command: |
|
470 |
+ the management interface client should issue either: |
|
471 | 471 |
|
472 | 472 |
needok token-insertion-request ok |
473 | 473 |
or |
... | ... |
@@ -486,10 +519,10 @@ Example: |
486 | 486 |
|
487 | 487 |
>NEED-STR:Need 'name' input MSG:Please specify your name |
488 | 488 |
|
489 |
- The management client, if it is a GUI, can flash a dialog |
|
489 |
+ The management interface client, if it is a GUI, can flash a dialog |
|
490 | 490 |
box containing the text after the "MSG:" marker to the user. |
491 | 491 |
When the user acknowledges the dialog box, |
492 |
- the management client can issue this command: |
|
492 |
+ the management interface client should issue this command: |
|
493 | 493 |
|
494 | 494 |
needstr name "John" |
495 | 495 |
|
... | ... |
@@ -507,7 +540,7 @@ COMMAND -- pkcs11-id-get (OpenVPN 2.1 or higher) |
507 | 507 |
------------------------------------------------- |
508 | 508 |
|
509 | 509 |
Retrieve certificate by index, the ID string should be provided |
510 |
-as PKCS#11 identity, the blob is BASE64 encoded certificate. |
|
510 |
+as PKCS#11 identity, the blob is a base 64 encoded certificate. |
|
511 | 511 |
|
512 | 512 |
Example: |
513 | 513 |
|
... | ... |
@@ -797,9 +830,9 @@ pk-sig (or rsa-sig) |
797 | 797 |
. |
798 | 798 |
END |
799 | 799 |
|
800 |
-Base64 encoded output of RSA_private_encrypt for RSA or ECDSA_sign() for EC |
|
801 |
-using OpenSSL or mbedtls_pk_sign() using mbed TLS will provide a correct |
|
802 |
-signature. |
|
800 |
+Base 64 encoded output of RSA_private_encrypt for RSA or ECDSA_sign() |
|
801 |
+for EC using OpenSSL or mbedtls_pk_sign() using mbed TLS will provide a |
|
802 |
+correct signature. |
|
803 | 803 |
|
804 | 804 |
This capability is intended to allow the use of arbitrary cryptographic |
805 | 805 |
service providers with OpenVPN via the management interface. |
... | ... |
@@ -817,7 +850,7 @@ to the management interface with a hint as follows: |
817 | 817 |
>NEED-CERTIFICATE:macosx-keychain:subject:o=OpenVPN-TEST |
818 | 818 |
|
819 | 819 |
The management interface client should use the hint to obtain the specific |
820 |
-SSL certificate and then return base64 encoded certificate as follows: |
|
820 |
+SSL certificate and then return base 64 encoded certificate as follows: |
|
821 | 821 |
|
822 | 822 |
certificate |
823 | 823 |
[BASE64_CERT_LINE] |
... | ... |
@@ -890,7 +923,7 @@ NEED-STR -- OpenVPN needs information from end, such as |
890 | 890 |
a certificate to use. The "needstr" command can |
891 | 891 |
be used to tell OpenVPN to continue. |
892 | 892 |
|
893 |
-PASSWORD -- Used to tell the management client that OpenVPN |
|
893 |
+PASSWORD -- Used to tell the management interface client that OpenVPN |
|
894 | 894 |
needs a password, also to indicate password |
895 | 895 |
verification failure. |
896 | 896 |
|
... | ... |
@@ -988,70 +1021,116 @@ generate challenge questions that are shown to the user, and to see |
988 | 988 |
the user's responses to those challenges. Based on the responses, the |
989 | 989 |
server can allow or deny access. |
990 | 990 |
|
991 |
-In this way, the OpenVPN Challenge/Response Protocol can be used |
|
992 |
-to implement multi-factor authentication. Two different |
|
993 |
-variations on the challenge/response protocol are supported: the |
|
994 |
-"Dynamic" and "Static" protocols. |
|
991 |
+The protocol can be used to implement multi-factor authentication |
|
992 |
+because the user must enter an additional piece of information, |
|
993 |
+in addition to a username and password, to successfully authenticate. |
|
994 |
+In multi-factor authentication, this information is used to prove |
|
995 |
+that the user possesses a certain key-like device such as |
|
996 |
+cryptographic token or a particular mobile phone. |
|
997 |
+ |
|
998 |
+Two variations on the challenge/response protocol are supported: |
|
999 |
+the "static" and "dynamic" protocols: |
|
1000 |
+ |
|
1001 |
+ * The static protocol uses OpenVPN's "--static-challenge" option. |
|
995 | 1002 |
|
996 |
-The basic idea of Challenge/Response is that the user must enter an |
|
997 |
-additional piece of information, in addition to the username and |
|
998 |
-password, to successfully authenticate. Normally, this information |
|
999 |
-is used to prove that the user posesses a certain key-like device |
|
1000 |
-such as cryptographic token or a particular mobile phone. |
|
1003 |
+ * The dynamic protocol does not involve special OpenVPN options |
|
1004 |
+ or actions. It is an agreement between the auth-user-pass |
|
1005 |
+ verification process on the server and the management interface |
|
1006 |
+ client to use custom strings that begin with "['CRV1" in |
|
1007 |
+ "Verification Failed" messages. (The "[" character and a matching |
|
1008 |
+ "]" character at the end of the message are added by the client |
|
1009 |
+ OpenVPN program, and are not present in the string generated by the |
|
1010 |
+ auth-user-pass verification process or in the string sent by the |
|
1011 |
+ server.) |
|
1001 | 1012 |
|
1002 | 1013 |
Dynamic protocol: |
1003 | 1014 |
|
1004 | 1015 |
The OpenVPN dynamic challenge/response protocol works by returning |
1005 | 1016 |
a specially formatted error message after initial successful |
1006 |
-authentication. This error message contains the challenge question, |
|
1007 |
-and is formatted as such: |
|
1017 |
+authentication. The error message has two purposes: |
|
1018 |
+ |
|
1019 |
+ 1. It causes OpenVPN to restart the connection attempt. |
|
1020 |
+ |
|
1021 |
+ 2. It contains information about the challenge, which should be used |
|
1022 |
+ to construct the response to the next authentication request (which |
|
1023 |
+ will occur after the restart). |
|
1024 |
+ |
|
1025 |
+Notes: |
|
1008 | 1026 |
|
1009 |
- CRV1:<flags>:<state_id>:<username_base64>:<challenge_text> |
|
1027 |
+ * '--auth-retry interact' must be in effect so that the |
|
1028 |
+ connection is restarted and credentials are requested again. |
|
1010 | 1029 |
|
1011 |
-flags: a series of optional, comma-separated flags: |
|
1012 |
- E : echo the response when the user types it |
|
1013 |
- R : a response is required |
|
1030 |
+ * '--auth-retry none' (which is the default) will cause |
|
1031 |
+ OpenVPN to exit with a fatal error without retrying and the dynamic |
|
1032 |
+ challenge/response will never happen because "Need 'Auth' |
|
1033 |
+ username/password" will not be sent. |
|
1014 | 1034 |
|
1015 |
-state_id: an opaque string that should be returned to the server |
|
1016 |
- along with the response. |
|
1035 |
+The error message is formatted as follows: |
|
1017 | 1036 |
|
1018 |
-username_base64 : the username formatted as base64 |
|
1037 |
+ >PASSWORD:Verification Failed: 'Auth' ['CRV1:<flags>:<state_id>:<username_base64>:<challenge_text>'] |
|
1019 | 1038 |
|
1020 |
-challenge_text : the challenge text to be shown to the user |
|
1039 |
+<flags>: a series of optional, comma-separated flags: |
|
1040 |
+ E : echo the response when the user types it. |
|
1041 |
+ R : a response is required. |
|
1042 |
+ |
|
1043 |
+<state_id>: an opaque string that should be returned to the server |
|
1044 |
+ along with the response. |
|
1045 |
+ |
|
1046 |
+<username_base64>: the username encoded as base 64. |
|
1047 |
+ |
|
1048 |
+<challenge_text>: the challenge text to be shown to the user. |
|
1049 |
+ |
|
1050 |
+<state_id> may not contain colon characters (":"), but <challenge_text> |
|
1051 |
+may. |
|
1021 | 1052 |
|
1022 | 1053 |
Example challenge: |
1023 | 1054 |
|
1024 | 1055 |
CRV1:R,E:Om01u7Fh4LrGBS7uh0SWmzwabUiGiW6l:Y3Ix:Please enter token PIN |
1025 | 1056 |
|
1026 |
-After showing the challenge_text and getting a response from the user |
|
1027 |
-(if R flag is specified), the client should submit the following |
|
1028 |
-auth creds back to the OpenVPN server: |
|
1057 |
+The next time the username and password are requested with |
|
1058 |
+ |
|
1059 |
+ >PASSWORD:Need 'Auth' username/password |
|
1060 |
+ |
|
1061 |
+the management interface client should display the challenge text and, |
|
1062 |
+if the R flag is specified, get a response from the user. The management |
|
1063 |
+interface client should respond: |
|
1029 | 1064 |
|
1030 |
-Username: [username decoded from username_base64] |
|
1031 |
-Password: CRV1::<state_id>::<response_text> |
|
1065 |
+ username "Auth" <username> |
|
1066 |
+ password "Auth" CRV1::<state_id>::<response_text> |
|
1032 | 1067 |
|
1033 |
-Where state_id is taken from the challenge request and response_text |
|
1034 |
-is what the user entered in response to the challenge_text. |
|
1035 |
-If the R flag is not present, response_text may be the empty |
|
1036 |
-string. |
|
1068 |
+Where <username> is the username decoded from <username_base64>, |
|
1069 |
+<state_id> is taken from the challenge request, and <response_text> |
|
1070 |
+is what the user entered in response to the challenge, which can be an |
|
1071 |
+empty string. If the R flag is not present, <response_text> should |
|
1072 |
+be an empty string. |
|
1073 |
+ |
|
1074 |
+(As in all username/password responses described in the "COMMAND -- |
|
1075 |
+password and username" section above, the username and/or password |
|
1076 |
+can be in quotes, and special characters such as double quotes or |
|
1077 |
+backslashes must be escaped. See the "Command Parsing" section above |
|
1078 |
+for more info.) |
|
1037 | 1079 |
|
1038 | 1080 |
Example response (suppose the user enters "8675309" for the token PIN): |
1039 | 1081 |
|
1040 |
- Username: cr1 ("Y3Ix" base64 decoded) |
|
1041 |
- Password: CRV1::Om01u7Fh4LrGBS7uh0SWmzwabUiGiW6l::8675309 |
|
1082 |
+ username "Auth" cr1 |
|
1083 |
+ password "Auth" CRV1::Om01u7Fh4LrGBS7uh0SWmzwabUiGiW6l::8675309 |
|
1084 |
+ |
|
1085 |
+("Y3Ix" is the base 64 encoding of "cr1".) |
|
1042 | 1086 |
|
1043 | 1087 |
Static protocol: |
1044 | 1088 |
|
1045 | 1089 |
The static protocol differs from the dynamic protocol in that the |
1046 |
-challenge question and response field is given to the user in the |
|
1047 |
-initial username/password dialog, and the username, password, and |
|
1048 |
-response are delivered back to the server in a single transaction. |
|
1090 |
+challenge question is sent to the management interface client in a |
|
1091 |
+a username/password request, and the username, password, and |
|
1092 |
+response are delivered back to the server in response to that |
|
1093 |
+request. |
|
1049 | 1094 |
|
1050 |
-The "static-challenge" directive is used to give the challenge text |
|
1051 |
-to OpenVPN and indicate whether or not the response should be echoed. |
|
1095 |
+OpenVPN's --static-challenge option is used to provide the |
|
1096 |
+challenge text to OpenVPN and indicate whether or not the response |
|
1097 |
+should be echoed. |
|
1052 | 1098 |
|
1053 |
-When the "static-challenge" directive is used, the management |
|
1054 |
-interface will respond as such when credentials are needed: |
|
1099 |
+When credentials are needed and the --static-challenge option is |
|
1100 |
+used, the management interface will send: |
|
1055 | 1101 |
|
1056 | 1102 |
>PASSWORD:Need 'Auth' username/password SC:<ECHO>,<TEXT> |
1057 | 1103 |
|
... | ... |
@@ -1064,28 +1143,35 @@ For example: |
1064 | 1064 |
>PASSWORD:Need 'Auth' username/password SC:1,Please enter token PIN |
1065 | 1065 |
|
1066 | 1066 |
The above notification indicates that OpenVPN needs a --auth-user-pass |
1067 |
-password plus a response to a static challenge ("Please enter token PIN"). |
|
1068 |
-The "1" after the "SC:" indicates that the response should be echoed. |
|
1067 |
+username and password plus a response to a static challenge ("Please |
|
1068 |
+enter token PIN"). The "1" after the "SC:" indicates that the response |
|
1069 |
+should be echoed. |
|
1069 | 1070 |
|
1070 | 1071 |
The management interface client in this case should add the static |
1071 | 1072 |
challenge text to the auth dialog followed by a field for the user to |
1072 |
-enter a response. Then the client should pack the password and response |
|
1073 |
-together into an encoded password: |
|
1073 |
+enter a response. Then the management interface client should pack the |
|
1074 |
+password and response together into an encoded password and send: |
|
1074 | 1075 |
|
1075 |
- username "Auth" foo |
|
1076 |
- password "Auth" "SCRV1:<BASE64_PASSWORD>:<BASE64_RESPONSE>" |
|
1076 |
+ username "Auth" <username> |
|
1077 |
+ password "Auth" "SCRV1:<password_base64>:<response_base64>" |
|
1077 | 1078 |
|
1078 |
-For example, if the user entered "bar" as the password and 8675309 |
|
1079 |
+Where <username> is the username entered by the user, <password_base64> |
|
1080 |
+is the base 64 encoding of the password entered by the user, and |
|
1081 |
+<response_base64> is the base 64 encoding of the response entered by |
|
1082 |
+the user. The <password_base64> and/or the <response_base64> can be |
|
1083 |
+empty strings. |
|
1084 |
+ |
|
1085 |
+(As in all username/password responses described in the "COMMAND -- |
|
1086 |
+password and username" section above, the username can be in quotes, |
|
1087 |
+and special characters such as double quotes or backslashes must be |
|
1088 |
+escaped. See the "Command Parsing" section above for more info.) |
|
1089 |
+ |
|
1090 |
+For example, if user "foo" entered "bar" as the password and 8675309 |
|
1079 | 1091 |
as the PIN, the following management interface commands should be |
1080 | 1092 |
issued: |
1081 | 1093 |
|
1082 | 1094 |
username "Auth" foo |
1083 |
- password "Auth" "SCRV1:Zm9v:ODY3NTMwOQ==" |
|
1084 |
- |
|
1085 |
-Client-side support for challenge/response protocol: |
|
1095 |
+ password "Auth" "SCRV1:YmFy:ODY3NTMwOQ==" |
|
1086 | 1096 |
|
1087 |
-Currently, the Access Server client and standalone OpenVPN |
|
1088 |
-client support both static and dynamic challenge/response |
|
1089 |
-protocols. However, any OpenVPN client UI that drives OpenVPN |
|
1090 |
-via the management interface needs to add explicit support |
|
1091 |
-for the challenge/response protocol. |
|
1097 |
+ ("YmFy" is the base 64 encoding of "bar" and "ODY3NTMwOQ==" is the |
|
1098 |
+ base 64 encoding of "8675309".) |