openvpn-2fa: Configure fake authentication credentials

These configuration option are required to make the client authenticate
itself against the server.

The server may then accept those credentials without any further ado or
ask for a OTP.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
index 1594580ce3bb6e5a9ff9652ce02819d8ead20fa2..edf56fca9907caac2b525ae248ffd5c28e7ce463 100644 (file)
--- a/html/cgi-bin/ovpnmain.cgi
+++ b/html/cgi-bin/ovpnmain.cgi
@@ -2441,17 +2441,16 @@ else
     if ($vpnsettings{FRAGMENT} ne '' && $vpnsettings{DPROTOCOL} ne 'tcp' ) {
        print CLIENTCONF "fragment $vpnsettings{'FRAGMENT'}\r\n";
     }
-   if ($confighash{$cgiparams{'KEY'}}[43] eq 'on') {
-      print CLIENTCONF "auth-nocache\r\n";
-      print CLIENTCONF "auth-user-pass credentials\r\n";
-      print CLIENTCONF "static-challenge \"One Time Password (OTP): \" 1\r\n";
-
-      open(CLIENTCREDS, ">$tempdir/credentials") or die "Unable to open tempfile: $!";
-      print CLIENTCREDS "user\r\n";
-      print CLIENTCREDS "password";
-      close(CLIENTCREDS);
-      $zip->addFile( "$tempdir/credentials", "credentials")  or die "Can't add file credentials\n";
-   }
+
+    # Disable storing any credentials in memory
+    print CLIENTCONF "auth-nocache\r\n";
+
+    # Set a fake user name for authentication
+    print CLIENTCONF "auth-token-user USER\r\n";
+    print CLIENTCONF "auth-token TOTP\r\n";
+
+    # If the server is asking for TOTP this needs to happen interactively
+    print CLIENTCONF "auth-retry interact\r\n";
 
     if ($include_certs) {
        print CLIENTCONF "\r\n";