fac / auth-script-openvpn

OpenVPN plugin to auth connections using non-blocking external script
Apache License 2.0

Dynamic challenge/response protocol #13

Closed cmclaughlin closed 5 months ago

cmclaughlin commented 5 years ago

Just getting started with this and it's great... thank you.

While I'm happy that my VPN will be more secure... I'm expecting that MFA every time I open and close my laptop will be a hassle. I'd like to add some logic in the auth script to accept the password and not prompt for MFA if there has been a recent auth success within a given time period. But if my client is configured for "static-challenge" then it will prompt every time.

Can the plugin support the dynamic challenge/response protocol?

pdemonaco commented 5 years ago

In principle you could probably do something like that, but I wouldn't do it within the plugin code. This is really just a simple wrapper that passes state to another external script. It doesn't have any deeper access to VPN logs or history than any other external program.

I'd suggest you place the logic for the functionality you're looking for in the script or program which is called by this plugin. All this thing cares about is spawning its child and reading state from the prearranged temp file.

Keep in mind that what you describe is explicitly opening a hole in the 2-factor authentication. Some other attacker could slip in without 2-factor as long as they timed their new connection correctly.

cmclaughlin commented 5 years ago

Oh, I thought the plugin code would need to be updated to handle the dynamic challenge/response protocol. I found the docs here:

https://openvpn.net/community-resources/management-interface/

I'm thinking the external script would need another option for the control file.... perhaps:

To challenge response, write a CRV1:::: style line
To allow authentication, write 1 to the file
To block authentication, write 0 to the file

If the plugin code encounters the CRV1 line, it would return that to the client. Then the client would send something like this back to the server, which would again need to be passed to the script:

Username: xxx
Password: CRV1::::

But perhaps this is a bad idea... the script would probably need to maintain some state or history between the first and second invocation.

cmclaughlin commented 5 years ago

Actually, I suppose it wouldn't need to maintain state... each round would be completed separately. It would be up to the script author to, say, implement password auth on the first round, then challenge response, and then on the second round do password auth again and check MFA, etc.
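Sketch of what such a two-round script could look like, written here as an added example rather than code from this plugin or its author. It assumes the control-file convention proposed above (write `1`, `0`, or a `CRV1:...` challenge line), that the plugin passes OpenVPN's `username`, `password` and `auth_control_file` environment variables through unchanged, and that the `CRV1` formats follow the OpenVPN management-interface description. The password and OTP tables are constructed stand-ins for PAM/LDAP and an OTP backend. Because the script keeps no state between invocations, it binds the challenge's state id to the user and issue time with an HMAC so that round two can check the response belongs to a fresh round one for the same user.

```python
import base64
import hashlib
import hmac
import os
import time

# Constructed example secrets and credential tables; a real script would
# consult PAM/LDAP and an OTP backend instead of in-memory dictionaries.
SERVER_KEY = b"constructed-example-hmac-key-change-me"
USER_PASSWORDS = {"alice": "correct horse battery"}
USER_OTP_CODES = {"alice": "123456"}  # stand-in for a TOTP/push verifier
STATE_MAX_AGE = 120  # seconds a challenge stays valid


def make_state_id(username: str, issued_at: int) -> str:
    """Opaque state id that binds the challenge to the user and issue time.

    Putting the binding inside an HMAC tag lets round two verify it without
    the script storing anything between invocations.
    """
    tag = hmac.new(SERVER_KEY, f"{username}:{issued_at}".encode(), hashlib.sha256)
    return f"{issued_at}.{tag.hexdigest()[:16]}"


def verify_state_id(username: str, state_id: str, now: int) -> bool:
    """Check that a state id was issued by us, for this user, and is not expired."""
    try:
        issued_str, _tag = state_id.split(".", 1)
        issued_at = int(issued_str)
    except ValueError:
        return False
    if issued_at > now or now - issued_at > STATE_MAX_AGE:
        return False
    expected = make_state_id(username, issued_at)
    return hmac.compare_digest(expected.encode(), state_id.encode())


def build_challenge(username: str, prompt: str, now: int) -> str:
    """Challenge line: CRV1:<flags>:<state_id>:<base64 username>:<challenge text>.

    Flags R (response required) and E (echo the typed response) follow the
    OpenVPN management-interface description of the dynamic challenge.
    """
    b64_user = base64.b64encode(username.encode()).decode()
    return f"CRV1:R,E:{make_state_id(username, now)}:{b64_user}:{prompt}"


def parse_response(password: str):
    """Round-two password field looks like CRV1::<state_id>::<response>."""
    parts = password.split(":", 4)
    if len(parts) != 5 or parts[0] != "CRV1":
        return None
    return parts[2], parts[4]


def decide(username: str, password: str, now: int) -> str:
    """Return the line to write to the control file: '1', '0', or a CRV1 challenge."""
    parsed = parse_response(password)
    if parsed is None:
        # Round one: ordinary password check, then ask for the second factor.
        expected = USER_PASSWORDS.get(username)
        if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
            return "0"
        return build_challenge(username, "Enter your one-time code", now)
    # Round two: the state id must be ours, for this user, and fresh.
    state_id, response = parsed
    if not verify_state_id(username, state_id, now):
        return "0"
    code = USER_OTP_CODES.get(username, "")
    if code and hmac.compare_digest(code.encode(), response.encode()):
        return "1"
    return "0"


def main() -> None:
    # Assumption: the plugin exposes OpenVPN's username, password and
    # auth_control_file variables in the script's environment.
    line = decide(os.environ["username"], os.environ["password"], int(time.time()))
    with open(os.environ["auth_control_file"], "w") as fh:
        fh.write(line)


if __name__ == "__main__":
    main()
```

The first-factor password is not resent in round two (the password field carries the `CRV1::` response instead), which is why the state id, not the session, is what ties the two rounds together; the expiry on it bounds how long an issued challenge can be answered.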

denity commented 4 years ago

Is this issue fixed or not? I'm looking for the same solution for dynamic challenge.

jkroepke commented 4 years ago

I'm still looking for this feature. OTP with Azure AD generates a token and I have to enter the token on a web page. Then I could login.

It's called device code flow. https://docs.microsoft.com/en-us/azure/active-directory/develop/msal-authentication-flows#device-code

Since MS would generate the token, I have to send the token to the user. I could do this via dynamic challenge.

@cmclaughlin Do you know auth-token and gen-auth-token in OpenVPN? Maybe it is a solution for you.