passepartoutvpn / passepartout

Your go-to app for VPN and privacy.
https://passepartoutvpn.app
GNU General Public License v3.0
861 stars 129 forks

Allow password prompt on each connect? #3

Closed prsquee closed 2 months ago

prsquee commented 6 years ago

Hello, my work VPN doesn't allow certificates or static password, on each connect I must enter the password together with a passcode generated by a 2 factor device. I think this setup is pretty common in an enterprise environment. Is this feature on the roadmap? thanks for making a better openvpn client!

keeshux commented 6 years ago

Interesting. The feature itself wouldn't be a big deal, but the problem is that the VPN can reconnect at any moment while the app is in the background. The app is neither notified of nor hooked to the reconnection event.

What's your current workaround? I need to know when's a good time to ask for a new password/passcode (I assume the password doesn't change). Could it be when you join such a Wi-Fi network?

ghost commented 6 years ago

This is also relevant if you use e.g. TOTP as a second factor, together with client certificate (as first factor). The way this can be solved is using --auth-gen-token on the server:

```text
--auth-gen-token [lifetime]
       After successful user/password authentication, the OpenVPN server will
       with this option generate a temporary authentication token and push
       that to client. On the following renegotiations, the OpenVPN client
       will pass this token instead of the users password. On the server side
       the server will do the token authentication internally and it will NOT
       do any additional authentications against configured external
       user/password authentication mechanisms.

       The lifetime argument defines how long the generated token is valid.
       The lifetime is defined in seconds. If lifetime is not set or it is set
       to 0, the token will never expire.

       This feature is useful for environments which is configured to use One
       Time Passwords (OTP) as part of the user/password authentications and
       that authentication mechanism does not implement any auth-token
       support.
```

prsquee commented 6 years ago

> What's your current workaround? I need to know when's a good time to ask for a new password/passcode (I assume the password doesn't change). Could it be when you join such a Wi-Fi network?

Well, I don't have a good workaround to be honest. Also I don't have to be always on my work VPN, so if I need to access a specific internal service, I just connect manually with OpenVPN Connect, since I don't have any secret saved, it will prompt me for a password, then I'd use 1Password to fill in everything. After I'm done, I just put the device into sleep and let the connection timeout. OpenVPN won't try to reconnect since it does not have any secret saved.

It's not that much of a hassle, especially since using a password manager can be helpful. But then again, I'm not always on my work VPN.

For passepartout to be useful in this scenario, it should offer something like "one time connection" or "manual connect", where it asks for password, do not save it, and do not attempt reconnect.

keeshux commented 6 years ago

Perhaps it's viable to omit credentials persistence for that specific VPN profile. IIRC iOS should then ask for credentials upon connection. Does it make sense making this a per profile flag? Something like "Ask credentials" in the Account screen.

prsquee commented 6 years ago

> Does it make sense making this a per profile flag? Something like "Ask credentials" in the Account screen.

I think a toggle in the Account screen would work just fine. This way a user who wants to add multiple profiles for different use cases can choose whether to save credentials or not.

tarasaint commented 5 years ago

Hi.

For a physically separate OTP device I don’t see any solution other than prompting, as I can’t imagine the company would want to accommodate another method.

All my servers are set up to require TOTP. PAM and the TOTP PAM module are set up such that you can either append the TOTP to the password or respond to a second challenge. This is done to accommodate clients that don’t allow for a second factor programmatically.

For TOTP, from my point of view, having the server generate and provide the OTP defeats the point of having it.

I need more coffee, and my memory of setting this up is vague, particularly for OpenVPN. So don't take me at my word yet, but ...

There is established open source code for generating standard TOTPs. If a user has access to their secret, adding a field where they can type / paste the secret, storing it in the keychain, and generating and appending the passcode to the base password might not be too difficult.

I say that without having looked at the Passepartout code, though. So there are a lot of assumptions.

I can’t imagine this is a much requested feature and therefore surely not a priority for David, but it is of interest to me. I’ll look at the Ppt code. Maybe I can help implement this. It depends how much work/time it would take.

Thanks for this great app!!

keeshux commented 5 years ago

@tarasaint that is the best approach IMHO. The secret could be an optional field in "Account", under "Username" and "Password". Or even a toggle meaning that the password is actually a secret for generating OTPs. Cosmetics, straightforward either way.

After that, it's about integrating the OTP derivation algorithm into TunnelKit, and providing the library with a new field in OpenVPN.Configuration (e.g. otpSecret: String?). The standard password field would be left empty, whereas the real password would be generated on-the-fly from otpSecret (if present) before connecting. This would be inside OpenVPNSession.

As you pointed out, my backlog has been very dense recently and this is not among my priorities, but the process is quite clear in my mind. Let me know if you need further help to work together on this sooner or later.

keeshux commented 3 years ago

> Hello, my work VPN doesn't allow certificates or static password, on each connect I must enter the password together with a passcode generated by a 2 factor device. I think this setup is pretty common in an enterprise environment. Is this feature on the roadmap? thanks for making a better openvpn client!

Long time no see. Question: is your 2-factor device based on a known secret/algorithm?

tarasaint commented 3 years ago

> Long time no see. Question: is your 2-factor device based on a known secret/algorithm?

Hi. Sorry for the long delay getting back to you. My 2FA is plain vanilla TOTP, RFC 6238.

tarasaint commented 3 years ago

The Google implementation is Apache licensed, if that works for you: Google Authenticator (includes iOS but not Android). I'm guessing their code is a fairly solid way to go. The code is in C.

There is also FreeOTP iOS, written in Swift, but I haven't looked closely to see if they take the TOTP and HOTP code generation from elsewhere. It is also Apache licensed.

The reason I link full apps is so you have a reference, or even a source, for how they implement reading and storing the QR/manual secret. Figured that is more helpful than just the algorithm.

artem-sidorenko commented 3 years ago

When the OpenVPN server is configured to use OTP via PAM (e.g. in combination with FreeIPA and SSSD), the following configuration can be used to handle the 2FA prompt properly (it allows storing the 1st secret in the keychain but asks for the 2nd factor in the prompt):

server side:

```text
plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so "openvpn login USERNAME First PASSWORD Second OTP"
auth-gen-token 43200
```

client side:

```text
static-challenge "Enter 2FA token" 0
```

full configuration examples:

```text
# openvpn server full configuration
port 443
proto tcp-server
dev tun0

tcp-nodelay

ca [inline]
cert [inline]
key [inline]

# https://community.openvpn.net/openvpn/wiki/Hardening
# from https://github.com/BetterCrypto/Applied-Crypto-Hardening/blob/2536a003e9cda7fee2b55be61b8c7e87086e41ad/src/configuration/VPNs/OpenVPN/client.conf#L116
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256:TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA:TLS-DHE-RSA-WITH-AES-256-CBC-SHA
cipher AES-256-CBC
auth SHA384
tls-version-min 1.2
tls-cert-profile preferred

remote-cert-tls client
server 192.168.80.0 255.255.254.0
# compression of tunnelled traffic enables compression side-channel attacks (VORACLE);
# drop it unless the clients really need it, and keep it in sync with the client config
comp-lzo
tls-server
opt-verify

tls-crypt [inline]
# 1024-bit DH parameters are below current recommendations; generate 2048-bit or larger
dh /etc/openvpn/dh1024.pem

# no effect with TCP transport, harmless
float

# use PAM and avoid certs on the client side
verify-client-cert none
username-as-common-name
# with First and Second we are answering the according questions of pam_sss
# you can see them in the verb 7 log level of OpenVPN
# Client should have 'static-challenge "Enter 2FA token" 0' configured
# (the OTP typed into the static-challenge prompt is what the plugin feeds as OTP)
plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so "openvpn login USERNAME First PASSWORD Second OTP"
auth-gen-token 43200 # 12 hours, use auth token for renegotiations to avoid broken UX with OTP requests every hour

status /var/log/openvpn.status
persist-key
persist-tun
keepalive 60 120
log /var/log/openvpn.log
verb 3
group openvpn
user openvpn

<tls-crypt>
**
</tls-crypt>
<ca>
**
</ca>
<cert>
**
</cert>
<key>
**
</key>
```
```text
# openvpn client full configuration
remote vpn.example.com 443 tcp-client
nobind
dev tun
persist-tun
persist-key
# must match the server's comp-lzo; see the compression caveat on the server side
compress lzo
pull
auth-user-pass
tls-client
ca [inline]
remote-cert-tls server
tls-crypt [inline]
tls-cipher DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-RSA-AES128-SHA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
auth SHA384
# required for 2FA: prompt text, then echo flag (0 = do not echo the typed response)
static-challenge "Enter 2FA token" 0
# pin the server certificate's CN so any cert signed by the CA cannot impersonate the VPN
verify-x509-name vpn.example.com name
cipher AES-256-CBC

<tls-crypt>
**
</tls-crypt>
<ca>
**
</ca>
```
lstwn commented 1 year ago

Just wanted to point out that asking for a password on each connection attempt would make the app useful for me, too! A VPN I rely on requires a TOTP appended to the password as the VPN password, and an automatic prompt on each connect (or reconnect) would avoid the hassle of changing it in the account settings each time!

keeshux commented 1 year ago

@lstwn truth is, I started working on this last November, but life + job took over. Hopefully, I can pick this up soon again.

keeshux commented 1 year ago

> Hello, my work VPN doesn't allow certificates or static password, on each connect I must enter the password together with a passcode generated by a 2 factor device. I think this setup is pretty common in an enterprise environment. Is this feature on the roadmap? thanks for making a better openvpn client!

Question: do you really mean to authenticate with your password, first, and then a second time with the OTP?

Because I addressed the subject of this issue in #259 (see the video, password prompt is presented on each connect), but I tend to think that you're looking for true 2FA instead.

mlazzarotto commented 1 year ago

> > Hello, my work VPN doesn't allow certificates or static password, on each connect I must enter the password together with a passcode generated by a 2 factor device. I think this setup is pretty common in an enterprise environment. Is this feature on the roadmap? thanks for making a better openvpn client!
>
> Question: do you really mean to authenticate with your password, first, and then a second time with the OTP?
>
> Because I addressed the subject of this issue in #259 (see the video, password prompt is presented on each connect), but I tend to think that you're looking for true 2FA instead.

Personally, my VPN is set up on OPNsense via the OpenVPN plugin. Every time I connect, I have to insert password+TOTP in the password field all at once. My TOTP is generated by the Authy app (same as Google Authenticator).

keeshux commented 1 year ago

TOTP is a different story in that it does not require interactive user input. I'd like to know if manual OTP requires password authentication to fail first.

cynix commented 1 year ago

I have an OpenVPN server that uses Duo 2FA. I can save my username and password in the official client, but when connecting and after it has sent the saved password, it will pop up a prompt asking me to enter my 2FA.

The thing with Duo is, I need to enter the word "push" in this prompt so I can get a push notification from Duo asking me to approve the login. So if implementing a popup is complex, would you be able to implement a feature to automatically answer 2FA requests with "push"? It's actually super annoying that I have to enter this manually in the official client every time I connect, given that it's just a fixed string.

edhar-rybak commented 1 year ago

I am voting for this issue. I also use Duo 2FA and I need to pass the prompt when asked for the MFA code for OpenVPN. This feature is controlled by the static-challenge configuration option.
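
The thread describes three ways the second factor reaches the server: generating the RFC 6238 code from a stored seed (the otpSecret idea above), appending that code to the password in the password field (as with the OPNsense setup), or answering a static-challenge prompt, which the client ships as an `SCRV1` credential (the Duo "push" response is just such an answer). The following is an added, stand-alone Python example, not Passepartout or TunnelKit code: it implements TOTP with the defaults authenticator apps use (HMAC-SHA1, 30-second step, 6 digits), builds both credential shapes, and parses the `SCRV1` form the way a server would. The seed is the RFC 6238 test seed, the password `hunter2` is constructed for the example, and the `SCRV1:<base64 password>:<base64 response>` layout is taken from OpenVPN's management-notes.

```python
"""RFC 6238 TOTP and the two ways this thread feeds it to OpenVPN.

Added example for this discussion; not Passepartout or TunnelKit code.
Assumptions: SHA1 / 30 s / 6 digits (authenticator-app defaults) and the
SCRV1 static-challenge wire format described in OpenVPN's management-notes.
"""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional, Tuple


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
              | mac[offset + 2] << 8 | mac[offset + 3])
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step)."""
    if at is None:
        at = int(time.time())
    return hotp(secret, at // step, digits)


def secret_from_base32(text: str) -> bytes:
    """Authenticator apps hand out the seed as unpadded, space-grouped base32."""
    cleaned = text.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def password_plus_totp(password: str, secret: bytes, at: Optional[int] = None) -> str:
    """'Append the code to the password' form, which PAM TOTP modules can accept."""
    return password + totp(secret, at)


def scrv1_encode(password: str, response: str) -> str:
    """Credential an OpenVPN client sends when --static-challenge is configured:
    SCRV1:<base64 password>:<base64 response>. The response may be a TOTP code
    or a literal word such as "push" (Duo)."""
    def b64(s: str) -> str:
        return base64.b64encode(s.encode("utf-8")).decode("ascii")
    return "SCRV1:{}:{}".format(b64(password), b64(response))


def scrv1_decode(blob: str) -> Tuple[str, str]:
    """Server-side split of an SCRV1 credential into (password, response).
    Rejects anything malformed instead of silently passing it on as a plain password."""
    parts = blob.split(":")
    if len(parts) != 3 or parts[0] != "SCRV1":
        raise ValueError("not an SCRV1 credential")
    try:
        password, response = (base64.b64decode(p, validate=True).decode("utf-8")
                              for p in parts[1:])
    except (ValueError, UnicodeDecodeError) as exc:  # binascii.Error is a ValueError
        raise ValueError("malformed SCRV1 payload") from exc
    return password, response


if __name__ == "__main__":
    # RFC 6238 test seed (ASCII "12345678901234567890") as an authenticator-style base32 string
    seed = secret_from_base32("GEZD GNBV GY3T QOJQ GEZD GNBV GY3T QOJQ")
    print(totp(seed, 59, digits=8))                     # RFC 6238 vector: 94287082
    print(password_plus_totp("hunter2", seed, at=59))  # constructed password + 6-digit code
    print(scrv1_encode("hunter2", totp(seed, 59)))     # static-challenge form with a TOTP answer
    print(scrv1_decode(scrv1_encode("hunter2", "push")))  # Duo-style fixed answer round-trips
```

Nothing here talks to a server; it only shows what bytes end up in the password field in each mode, which is the part a client has to get right before a per-connect prompt or a stored seed is of any use.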

chichi13 commented 1 year ago

Great news to have 2FA integrated in 2.4.0. I'm waiting for this since a long time :D

Any date for the 2.4.0 ?

artem-sidorenko commented 1 year ago

> TOTP is a different story in that it does not require interactive user input. I'd like to know if manual OTP requires password authentication to fail first.

@keeshux as far as I can see, no; this is usually done via the static-challenge flag or by adding the token to the password.

keeshux commented 2 months ago

This will be implemented in the next version (3.0.0). Closing!

cynix commented 1 month ago

The interactive auth implementation in 3.0 still doesn't work for Duo 2FA. It seems this option merely asks the user to input a username/password before attempting to connect. However, no prompt is shown when the server requests me to enter the 2FA code, and more importantly, there's no option to configure a fixed response to this (ideally it should automatically respond with "push").

keeshux commented 1 month ago

@cynix I opened #713 for this particular use case.