This isn't an option to be used directly in any configuration files,
but to be used via --client-connect scripts or --plugin making use of
OPENVPN_PLUGIN_CLIENT_CONNECT or OPENVPN_PLUGIN_CLIENT_CONNECT_V2.
[v2 - Added lacking .B styling of options
- Clarified the token life time ]
Signed-off-by: David Sommerseth <davids@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1474118415-14666-1-git-send-email-davids@openvpn.net>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg12506.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit f8a367f7c51af5482013fa3d783cade376b047ed)
@@ -4,7 +4,7 @@ |
4 | 4 |
.\" packet encryption, packet authentication, and |
5 | 5 |
.\" packet compression. |
6 | 6 |
.\" |
7 |
-.\" Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net> |
|
7 |
+.\" Copyright (C) 2002-2016 OpenVPN Technologies, Inc. <sales@openvpn.net> |
|
8 | 8 |
.\" |
9 | 9 |
.\" This program is free software; you can redistribute it and/or modify |
10 | 10 |
.\" it under the terms of the GNU General Public License version 2 |
@@ -34,7 +34,7 @@ |
34 | 34 |
.\" .ft -- normal face |
35 | 35 |
.\" .in +|-{n} -- indent |
36 | 36 |
.\" |
37 |
-.TH openvpn 8 "17 November 2008" |
|
37 |
+.TH openvpn 8 "25 August 2016" |
|
38 | 38 |
.\"********************************************************* |
39 | 39 |
.SH NAME |
40 | 40 |
openvpn - secure IP tunnel daemon. |
@@ -2889,6 +2889,7 @@ This is a partial list of options which can currently be pushed: |
2889 | 2889 |
.B \-\-ip\-win32, \-\-dhcp\-option, |
2890 | 2890 |
.B \-\-inactive, \-\-ping, \-\-ping\-exit, \-\-ping\-restart, |
2891 | 2891 |
.B \-\-setenv, |
2892 |
+.B \-\-auth\-token, |
|
2892 | 2893 |
.B \-\-persist\-key, \-\-persist\-tun, \-\-echo, |
2893 | 2894 |
.B \-\-comp\-lzo, |
2894 | 2895 |
.B \-\-socket\-flags, |
@@ -4830,6 +4831,57 @@ This directive does not affect the |
4830 | 4830 |
username/password. It is always cached. |
4831 | 4831 |
.\"********************************************************* |
4832 | 4832 |
.TP |
4833 |
+.B \-\-auth\-token token |
|
4834 |
+This is not an option to be used directly in any configuration files, |
|
4835 |
+but rather push this option from a |
|
4836 |
+.B \-\-client\-connect |
|
4837 |
+script or a |
|
4838 |
+.B \-\-plugin |
|
4839 |
+which hooks into the OPENVPN_PLUGIN_CLIENT_CONNECT or |
|
4840 |
+OPENVPN_PLUGIN_CLIENT_CONNECT_V2 calls. This option provides |
|
4841 |
+a possibility to replace the clients password with an authentication |
|
4842 |
+token during the lifetime of the OpenVPN client. |
|
4843 |
+ |
|
4844 |
+Whenever the connection is renegotiated and the |
|
4845 |
+.B \-\-auth\-user\-pass\-verify |
|
4846 |
+script or |
|
4847 |
+.B \-\-plugin |
|
4848 |
+making use of the OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY hook is |
|
4849 |
+triggered, it will pass over this token as the password |
|
4850 |
+instead of the password the user provided. The authentication |
|
4851 |
+token can only be reset by a full reconnect where the server |
|
4852 |
+can push new options to the client. The password the user entered |
|
4853 |
+is never preserved once an authentication token have been set. If |
|
4854 |
+the OpenVPN server side rejects the authentication token, the |
|
4855 |
+client will receive an AUTH_FAIL and disconnect. |
|
4856 |
+ |
|
4857 |
+The purpose of this is to enable two factor authentication |
|
4858 |
+methods, such as HOTP or TOTP, to be used without needing to |
|
4859 |
+retrieve a new OTP code each time the connection is renegotiated. |
|
4860 |
+Another use case is to cache authentication data on the client |
|
4861 |
+without needing to have the users password cached in memory |
|
4862 |
+during the life time of the session. |
|
4863 |
+ |
|
4864 |
+To make use of this feature, the |
|
4865 |
+.B \-\-client\-connect |
|
4866 |
+script or |
|
4867 |
+.B \-\-plugin |
|
4868 |
+needs to put |
|
4869 |
+ |
|
4870 |
+.nf |
|
4871 |
+.ft 3 |
|
4872 |
+.in +4 |
|
4873 |
+push "auth\-token UNIQUE_TOKEN_VALUE" |
|
4874 |
+.in -4 |
|
4875 |
+.ft |
|
4876 |
+.fi |
|
4877 |
+ |
|
4878 |
+into the file/buffer for dynamic configuration data. This |
|
4879 |
+will then make the OpenVPN server to push this value to the |
|
4880 |
+client, which replaces the local password with the |
|
4881 |
+UNIQUE_TOKEN_VALUE. |
|
4882 |
+.\"********************************************************* |
|
4883 |
+.TP |
|
4833 | 4884 |
.B \-\-tls\-verify cmd |
4834 | 4885 |
Run command |
4835 | 4886 |
.B cmd |
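Review bot: the new \-\-auth\-token entry leaves the server-side contract implicit. The text says the token is handed to the \-\-auth\-user\-pass\-verify script or OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY plugin as the password on every renegotiation and that a rejection produces AUTH_FAIL, but it never states outright that it is that script or plugin which must recognise and accept the token; add a sentence saying so, and because the token stands in for the user's credential for the rest of the session, recommend that UNIQUE_TOKEN_VALUE be generated from a cryptographically strong random source and tied to an expiry or session that the verify script checks, rather than derived from anything guessable. Wording in the same hunk: "replace the clients password" should read "client's password", "once an authentication token have been set" should be "has been set", "life time" should be "lifetime", and "make the OpenVPN server to push this value" should drop the "to".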