From: Arne Schwabe
Date: Thu, 26 Mar 2020 17:23:32 +0000 (+0100)
Subject: Document renewal mechanic of auth-token in manual
X-Git-Tag: v2.5_beta1~141
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b0c94aff299fcec607d6a0194c4cdea8a33dd353;p=thirdparty%2Fopenvpn.git

Document renewal mechanic of auth-token in manual

Our man page was missing the information that the lifetime of the auth-token also depends on the reneg-sec

Acked-by: Gert Doering
Message-Id: <20200326172332.2356-3-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19620.html
Signed-off-by: Gert Doering
---

diff --git a/doc/openvpn.8 b/doc/openvpn.8 index f0796e52b..dcc72abe3 100644 --- a/doc/openvpn.8 +++ b/doc/openvpn.8 @@ -3741,6 +3741,15 @@ argument defines how long the generated token is valid. The lifetime is defined in seconds. If lifetime is not set or it is set to 0, the token will never expire. +The token will expire either after the configured lifetime of the token +is reached or after not being renewed for more than 2 * +.B reneg\-sec +seconds. Clients will be sent renewed tokens on every +TLS renogiation to keep the client's token updated. This is done +to invalidate a token if a client is disconnected for a sufficently long +time, while at the same time permitting much longer token lifetimes for +active clients. + This feature is useful for environments which is configured to use One Time Passwords (OTP) as part of the user/password authentications and that authentication mechanism does not
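
Review bot: The added paragraph contradicts the unchanged context sentence directly above it, which still says that with lifetime unset or set to 0 "the token will never expire", while the new text says the token also expires after not being renewed for more than 2 * reneg-sec seconds. Please state which rule applies when lifetime is 0, for example by rewording the earlier sentence to say the token has no fixed lifetime but is still subject to the renewal window. The paragraph should also say whether the server's or the client's reneg-sec value defines the window, and what the window is when renegotiation is disabled, since operators will size token exposure after a disconnect from this text. Two typos in the added lines: "renogiation" should be "renegotiation" and "sufficently" should be "sufficiently".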