Page 1 of 1

OpenVPN caching successful auth-user-pass-verify success forever -- need it to run on each login (as it has a OTP in it)

Posted: Fri Feb 14, 2020 9:56 pm
by wlavallee
Problem with auth-user-pass-verify script not being called when some clients cache their credentials.
The auth-user-pass-verify does a few things:
Checks the Username & Password
Strips a YubiCode off the end of the Password and makes sure its valid and belonging to the user
Verifies they are in the correct LDAP group for access.

When some people log in, it called the external script file:
Wed Aug 29 08:34:26 EDT 2018 Authorization succeeded for user1: LDAP Password OK, YubiPrefix Matches, YubiCode Valid, VPN Users member
Wed Aug 29 08:34:26 2018 us=338692 74.72.144.19:41966 TLS: Username/Password authentication succeeded for username 'user1' [CN SET]

But when someone has "saved" their credentials, we see:
Wed Aug 29 14:47:27 2018 us=375885 64.20.12.206:53848 TLS: Username/Password authentication succeeded for username 'user2' [CN SET]

-- the external script is never called.

Interesting conf file snippet:
Server config

auth-gen-token 30
auth-user-pass-verify /etc/openvpn/openvpn-authenticate.sh via-file
script-security 3
client-cert-not-required
username-as-common-name


Code: Select all

OpenVPN 2.4.8 x86_64-redhat-linux-gnu [Fedora EPEL patched] [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Nov  1 2019
library versions: OpenSSL 1.0.2k-fips  26 Jan 2017, LZO 2.06
Originally developed by James Yonan
Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net>
Compile time defines: enable_async_push=no enable_comp_stub=no enable_crypto=yes enable_crypto_ofb_cfb=yes enable_debug=yes enable_def_auth=yes enable_dependency_tracking=no enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=yes enable_fragment=yes enable_iproute2=yes enable_libtool_lock=yes enable_lz4=yes enable_lzo=yes enable_management=yes enable_multihome=yes enable_pam_dlopen=no enable_pedantic=no enable_pf=yes enable_pkcs11=yes enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=yes enable_server=yes enable_shared=yes enable_shared_with_static_runtimes=no enable_small=no enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=yes enable_werror=no enable_win32_dll=yes enable_x509_alt_username=yes with_aix_soname=aix with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_sysroot=no

Re: OpenVPN caching successful auth-user-pass-verify success forever -- need it to run on each login (as it has a OTP in

Posted: Sat Feb 15, 2020 12:21 am
by TinCanTech
--auth-gen-token works correctly then .?