From a999886759f360f4747084f1c69768a991766df3 Mon Sep 17 00:00:00 2001
From: Michael Tremer
Date: Wed, 4 May 2022 14:58:18 +0100
Subject: [PATCH] openvpn-2fa: Configure fake authentication credentials

These configuration option are required to make the client authenticate itself against the server. The server may then accept those credentials without any further ado or ask for a OTP.

Signed-off-by: Michael Tremer
---
 html/cgi-bin/ovpnmain.cgi | 21 ++++++++++-----------
 1 file changed, 10 insertions(+), 11 deletions(-)

diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
index 1594580ce3..edf56fca99 100644
--- a/html/cgi-bin/ovpnmain.cgi
+++ b/html/cgi-bin/ovpnmain.cgi
@@ -2441,17 +2441,16 @@ else
 if ($vpnsettings{FRAGMENT} ne '' && $vpnsettings{DPROTOCOL} ne 'tcp' ) {
 print CLIENTCONF "fragment $vpnsettings{'FRAGMENT'}\r\n";
 }
- if ($confighash{$cgiparams{'KEY'}}[43] eq 'on') {
- print CLIENTCONF "auth-nocache\r\n";
- print CLIENTCONF "auth-user-pass credentials\r\n";
- print CLIENTCONF "static-challenge \"One Time Password (OTP): \" 1\r\n";
-
- open(CLIENTCREDS, ">$tempdir/credentials") or die "Unable to open tempfile: $!";
- print CLIENTCREDS "user\r\n";
- print CLIENTCREDS "password";
- close(CLIENTCREDS);
- $zip->addFile( "$tempdir/credentials", "credentials") or die "Can't add file credentials\n";
- }
+
+ # Disable storing any credentials in memory
+ print CLIENTCONF "auth-nocache\r\n";
+
+ # Set a fake user name for authentication
+ print CLIENTCONF "auth-token-user USER\r\n";
+ print CLIENTCONF "auth-token TOTP\r\n";
+
+ # If the server is asking for TOTP this needs to happen interactively
+ print CLIENTCONF "auth-retry interact\r\n";
 if ($include_certs) {
 print CLIENTCONF "\r\n";
--
2.39.5
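Review bot: The `auth-token-user` line writes the literal `USER`, but the OpenVPN manual documents that option as taking a base64-encoded user name, so the client would present the decoded bytes of "USER" rather than the name itself; if the server-side auth script checks the placeholder name, emit `print CLIENTCONF "auth-token-user VVNFUg==\r\n";` (the base64 form of USER, obtainable from core MIME::Base64's `encode_base64("USER", "")`). Dropping the `[43] eq 'on'` guard means every generated profile now sends the placeholder token, which the description suggests is intended, but it makes the server's user/password verification policy (not part of this patch) the only thing deciding whether a client without a second factor is let in, and a comment above the block should say so. The comment above `auth-token TOTP` should also state what the value is, e.g. `# Placeholder token; the server either accepts it or rejects it and prompts for the real OTP`. The enclosing client-configuration generation block starts and ends outside the hunk.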