From: Michael Tremer
Date: Wed, 4 May 2022 13:58:18 +0000 (+0100)
Subject: openvpn-2fa: Configure fake authentication credentials
X-Git-Tag: v2.27-core170~61^2~22
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=a999886759f360f4747084f1c69768a991766df3;p=ipfire-2.x.git

openvpn-2fa: Configure fake authentication credentials

These configuration option are required to make the client authenticate itself against the server. The server may then accept those credentials without any further ado or ask for a OTP.

Signed-off-by: Michael Tremer
---
diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
index 1594580ce3..edf56fca99 100644
--- a/html/cgi-bin/ovpnmain.cgi
+++ b/html/cgi-bin/ovpnmain.cgi
@@ -2441,17 +2441,16 @@ else
 if ($vpnsettings{FRAGMENT} ne '' && $vpnsettings{DPROTOCOL} ne 'tcp' ) {
 print CLIENTCONF "fragment $vpnsettings{'FRAGMENT'}\r\n";
 }
- if ($confighash{$cgiparams{'KEY'}}[43] eq 'on') {
- print CLIENTCONF "auth-nocache\r\n";
- print CLIENTCONF "auth-user-pass credentials\r\n";
- print CLIENTCONF "static-challenge \"One Time Password (OTP): \" 1\r\n";
-
- open(CLIENTCREDS, ">$tempdir/credentials") or die "Unable to open tempfile: $!";
- print CLIENTCREDS "user\r\n";
- print CLIENTCREDS "password";
- close(CLIENTCREDS);
- $zip->addFile( "$tempdir/credentials", "credentials") or die "Can't add file credentials\n";
- }
+
+ # Disable storing any credentials in memory
+ print CLIENTCONF "auth-nocache\r\n";
+
+ # Set a fake user name for authentication
+ print CLIENTCONF "auth-token-user USER\r\n";
+ print CLIENTCONF "auth-token TOTP\r\n";
+
+ # If the server is asking for TOTP this needs to happen interactively
+ print CLIENTCONF "auth-retry interact\r\n";

 if ($include_certs) {
 print CLIENTCONF "\r\n";
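Review bot: The new `print CLIENTCONF "auth-token-user USER\r\n";` hands OpenVPN a literal where its manual documents `--auth-token-user` as taking a base64-encoded username that the client decodes before sending, so a server-side verify script would see the decoded bytes rather than the string USER; if a plain placeholder name is what is wanted, the encoded form is `VVNFUg==`, and this is worth confirming against the OpenVPN release IPFire ships. The per-connection gate on `$confighash{$cgiparams{'KEY'}}[43] eq 'on'` is removed, so these directives now land in every generated client profile regardless of that flag; if that is deliberate for the rest of the series, a comment such as `# Emitted for every profile: the server decides whether to accept these placeholders or demand an OTP` above the block would save the next reader from re-deriving it. With `static-challenge` gone, `auth-retry interact` is what lets the client re-prompt on AUTH_FAILED, which the existing comment only hints at; the "this needs to happen interactively" line could say that outright. The `else` branch this hunk sits in begins and ends outside the hunk.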