From 6834749d223458d5ee95302732227bea0df62d60 Mon Sep 17 00:00:00 2001
From: Michael Tremer
Date: Wed, 4 May 2022 14:49:32 +0100
Subject: [PATCH] openvpn-2fa: Drop the previous authentication handler
This has been replaced by the newer authenticator
Signed-off-by: Michael Tremer
---
 config/ovpn/otp-verify | 106 --------------------------------------
 html/cgi-bin/ovpnmain.cgi | 1 -
 lfs/openvpn | 3 --
 3 files changed, 110 deletions(-)
 delete mode 100644 config/ovpn/otp-verify
diff --git a/config/ovpn/otp-verify b/config/ovpn/otp-verify
deleted file mode 100644
index 80a1a1a044..0000000000
--- a/config/ovpn/otp-verify
+++ /dev/null
@@ -1,106 +0,0 @@
-#!/usr/bin/perl
-############################################################################
-# #
-# This file is part of the IPFire Firewall. #
-# #
-# IPFire is free software; you can redistribute it and/or modify #
-# it under the terms of the GNU General Public License as published by #
-# the Free Software Foundation; either version 2 of the License, or #
-# (at your option) any later version. #
-# #
-# IPFire is distributed in the hope that it will be useful, #
-# but WITHOUT ANY WARRANTY; without even the implied warranty of #
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
-# GNU General Public License for more details. #
-# #
-# You should have received a copy of the GNU General Public License #
-# along with IPFire; if not, write to the Free Software #
-# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA #
-# #
-# Copyright (C) 2022 IPFire Team . #
-# #
-############################################################################
-
-use strict;
-use warnings;
-
-use MIME::Base64;
-
-require '/var/ipfire/general-functions.pl';
-
-my $cn;
-my $prefix;
-my $password;
-my $otp;
-my @valid_otps;
-
-#&General::log("otp-verify DEBUG: ENV:common_name: $ENV{'common_name'}");
-
-# line 1:
-# line 2: e.g.: SCRV1:cGFzc3dvcmQ=:ODg2MTM2
-while(<>) {
- #&General::log("otp-verify DEBUG: line: $_");
- if ($_ =~ /^(?!SCRV[[:digit:]]).+/) {
- chomp;
- $cn = $_;
- #$cn =~ s/\s*$//g;
- }
- if ($_ =~ /^SCRV[[:digit:]]:.+/) {
- ($prefix, $password, $otp) = split /:/;
- $password = decode_base64($password);
- $otp = decode_base64($otp);
- }
-}
-
-if ($cn == "") {
- #&General::log("otp-verify DEBUG: no credentials provided by client, setting CN from ENV.");
- $cn = $ENV{'common_name'};
-}
-
-#&General::log("otp-verify DEBUG: CN: \"$cn\"\n");
-#&General::log("otp-verify DEBUG: PW: \"$password\"\n");
-#&General::log("otp-verify DEBUG: OTP: \"$otp\"\n");
-#&General::log("otp-verify DEBUG: ----\n");
-
-my %confighash = ();
-if (-f "${General::swroot}/ovpn/ovpnconfig") {
- &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
- foreach my $key (keys %confighash){
- if ($cn eq $confighash{$key}[2]) {
- # Exit successfully for non-roadwarrior connections.
- exit 0 unless ($confighash{$key}[3] eq "host");
-
- # Exit successfully for disabled otp connections.
- exit 0 unless (defined $confighash{$key}[43] and $confighash{$key}[43] eq "on");
-
- # Exit with failure if required otp config is missing.
- exit 1 if (not defined $confighash{$key}[42]);
- exit 1 if (not defined $confighash{$key}[44]);
-
- #&General::log("otp-verify DEBUG: connection key: $key\n");
- #&General::log("otp-verify DEBUG: connection type: $confighash{$key}[3]\n");
- #&General::log("otp-verify DEBUG: CN: $confighash{$key}[2]\n");
- #&General::log("otp-verify DEBUG: otp Type: $confighash{$key}[42]\n");
- #&General::log("otp-verify DEBUG: otp State: $confighash{$key}[43]\n");
- #&General::log("otp-verify DEBUG: otp Secret: $confighash{$key}[44]\n");
-
- # Get valid OTPs.
- my @valid_otps = &General::system_output("/usr/bin/oathtool", "--totp", "-w", "3", "$confighash{$key}[44]");
- foreach (@valid_otps) {
- # Exit successfully if OTP is correct.
- exit 0 if ($otp == $_)
- }
-
- # Exit with failure if no matching OTP was found.
- exit 1;
- }
- }
-} else {
- # Return an error if ovpnconfig could not be found.
- exit 1;
-}
-
-# Exit successfully if no auth-user-pass data received.
-exit 0;
-
-# vim: ts=3 sts=3 sw=3 et nu list
diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
index 78b92a1513..9514c06ec8 100644
--- a/html/cgi-bin/ovpnmain.cgi
+++ b/html/cgi-bin/ovpnmain.cgi
@@ -376,7 +376,6 @@ sub writeserverconf {
 }
 print CONF "tls-verify /usr/lib/openvpn/verify\n";
 print CONF "crl-verify /var/ipfire/ovpn/crls/cacrl.pem\n";
- print CONF "auth-user-pass-verify \"/usr/lib/openvpn/otp-verify\" via-file\n";
 print CONF "auth-user-pass-optional\n";
 print CONF "reneg-sec 86400\n";
 print CONF "user nobody\n";
diff --git a/lfs/openvpn b/lfs/openvpn
index 2c45138101..8d6ba07ed9 100644
--- a/lfs/openvpn
+++ b/lfs/openvpn
@@ -96,9 +96,6 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 mv -v /var/ipfire/ovpn/verify /usr/lib/openvpn/verify
 chown root:root /usr/lib/openvpn/verify
 chmod 755 /usr/lib/openvpn/verify
- mv -v /var/ipfire/ovpn/otp-verify /usr/lib/openvpn/otp-verify
- chown root:root /usr/lib/openvpn/otp-verify
- chmod 755 /usr/lib/openvpn/otp-verify
 # Add crl updater
 mv -v /var/ipfire/ovpn/openvpn-crl-updater /etc/fcron.daily
 chown root:root /etc/fcron.daily/openvpn-crl-updater
-- 
2.39.5
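Review bot: Removing the `auth-user-pass-verify` line leaves `auth-user-pass-optional` on the following line with no verifier paired to it anywhere in this hunk, so unless writeserverconf emits the replacement authenticator's directive elsewhere (the function starts and ends outside the hunk), a client that supplies a username/password would be admitted on its certificate alone and the credentials would never be checked. The commit message says the handler has been replaced by a newer authenticator, but none of the three files in the patch reference it, so that dependency is left implicit. Suggest confirming where the replacement directive is written, keeping `auth-user-pass-optional` next to it, and marking the intent with a comment such as `# username/password (OTP) verification is done by the replacement authenticator, not by a script configured here`.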