1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
|
From b89e48b015e581a4a0f5c306e2ab20da34c862ea Mon Sep 17 00:00:00 2001
From: Selva Nair <selva.nair@gmail.com>
Date: Tue, 24 Jul 2018 22:34:53 -0400
Subject: [PATCH] Parse static challenge response in auth-pam plugin
If static challenge is in use, the password passed to the plugin by openvpn
is of the form "SCRV1:base64-pass:base64-response". Parse this string to
separate it into password and response and use them to respond to queries
in the pam conversation function.
On the plugin parameters line the substitution keyword for the static
challenge response is "OTP". For example, for pam config named "test" that
prompts for "user", "password" and "pin", use
plugin openvpn-auth-pam.so "test user USERNAME password PASSWORD pin OTP"
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1532486093-24793-1-git-send-email-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17307.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 7369d01bf360bcfa02f26c05b86dde5496d120f6)
---
src/plugins/auth-pam/README.auth-pam | 15 ++++--
src/plugins/auth-pam/auth-pam.c | 75 +++++++++++++++++++++++++++-
2 files changed, 84 insertions(+), 6 deletions(-)
diff --git a/src/plugins/auth-pam/README.auth-pam b/src/plugins/auth-pam/README.auth-pam
index e12369021..908156542 100644
--- a/src/plugins/auth-pam/README.auth-pam
+++ ./src/plugins/auth-pam/README.auth-pam
@@ -36,19 +36,20 @@ pairs to answer PAM module queries.
For example:
- plugin openvpn-auth-pam.so "login login USERNAME password PASSWORD"
+ plugin openvpn-auth-pam.so "login login USERNAME password PASSWORD pin OTP"
tells auth-pam to (a) use the "login" PAM module, (b) answer a
-"login" query with the username given by the OpenVPN client, and
-(c) answer a "password" query with the password given by the
-OpenVPN client. This provides flexibility in dealing with the different
+"login" query with the username given by the OpenVPN client,
+(c) answer a "password" query with the password, and (d) answer a
+"pin" query with the OTP given by the OpenVPN client.
+This provides flexibility in dealing with different
types of query strings which different PAM modules might generate.
For example, suppose you were using a PAM module called
"test" which queried for "name" rather than "login":
plugin openvpn-auth-pam.so "test name USERNAME password PASSWORD"
-While "USERNAME" "COMMONNAME" and "PASSWORD" are special strings which substitute
+While "USERNAME" "COMMONNAME" "PASSWORD" and "OTP" are special strings which substitute
to client-supplied values, it is also possible to name literal values
to use as PAM module query responses. For example, suppose that the
login module queried for a third parameter, "domain" which
@@ -61,6 +62,10 @@ the operation of this plugin:
client-cert-not-required
username-as-common-name
+ static-challenge
+
+Use of --static challenege is required to pass a pin (represented by "OTP" in
+parameter substituion) or a second password.
Run OpenVPN with --verb 7 or higher to get debugging output from
this plugin, including the list of queries presented by the
diff --git a/src/plugins/auth-pam/auth-pam.c b/src/plugins/auth-pam/auth-pam.c
index 5ba4dc4cb..1324307f1 100644
--- a/src/plugins/auth-pam/auth-pam.c
+++ ./src/plugins/auth-pam/auth-pam.c
@@ -6,6 +6,7 @@
* packet compression.
*
* Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net>
+ * Copyright (C) 2016-2018 Selva Nair <selva.nair@gmail.com>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2
@@ -64,6 +65,7 @@
/* Pointers to functions exported from openvpn */
static plugin_secure_memzero_t plugin_secure_memzero = NULL;
+static plugin_base64_decode_t plugin_base64_decode = NULL;
/*
* Plugin state, used by foreground
@@ -87,6 +89,7 @@ struct auth_pam_context
* "USERNAME" -- substitute client-supplied username
* "PASSWORD" -- substitute client-specified password
* "COMMONNAME" -- substitute client certificate common name
+ * "OTP" -- substitute static challenge response if available
*/
#define N_NAME_VALUE 16
@@ -111,6 +114,7 @@ struct user_pass {
char username[128];
char password[128];
char common_name[128];
+ char response[128];
const struct name_value_list *name_value_list;
};
@@ -276,6 +280,66 @@ name_value_match(const char *query, const char *match)
return strncasecmp(match, query, strlen(match)) == 0;
}
+/*
+ * Split and decode up->password in the form SCRV1:base64_pass:base64_response
+ * into pass and response and save in up->password and up->response.
+ * If the password is not in the expected format, input is not changed.
+ */
+static void
+split_scrv1_password(struct user_pass *up)
+{
+ const int skip = strlen("SCRV1:");
+ if (strncmp(up->password, "SCRV1:", skip) != 0)
+ {
+ return;
+ }
+
+ char *tmp = strdup(up->password);
+ if (!tmp)
+ {
+ fprintf(stderr, "AUTH-PAM: out of memory parsing static challenge password\n");
+ goto out;
+ }
+
+ char *pass = tmp + skip;
+ char *resp = strchr(pass, ':');
+ if (!resp) /* string not in SCRV1:xx:yy format */
+ {
+ goto out;
+ }
+ *resp++ = '\0';
+
+ int n = plugin_base64_decode(pass, up->password, sizeof(up->password)-1);
+ if (n > 0)
+ {
+ up->password[n] = '\0';
+ n = plugin_base64_decode(resp, up->response, sizeof(up->response)-1);
+ if (n > 0)
+ {
+ up->response[n] = '\0';
+ if (DEBUG(up->verb))
+ {
+ fprintf(stderr, "AUTH-PAM: BACKGROUND: parsed static challenge password\n");
+ }
+ goto out;
+ }
+ }
+
+ /* decode error: reinstate original value of up->password and return */
+ plugin_secure_memzero(up->password, sizeof(up->password));
+ plugin_secure_memzero(up->response, sizeof(up->response));
+ strcpy(up->password, tmp); /* tmp is guaranteed to fit in up->password */
+
+ fprintf(stderr, "AUTH-PAM: base64 decode error while parsing static challenge password\n");
+
+out:
+ if (tmp)
+ {
+ plugin_secure_memzero(tmp, strlen(tmp));
+ free(tmp);
+ }
+}
+
OPENVPN_EXPORT int
openvpn_plugin_open_v3(const int v3structver,
struct openvpn_plugin_args_open_in const *args,
@@ -316,6 +380,7 @@ openvpn_plugin_open_v3(const int v3structver,
/* Save global pointers to functions exported from openvpn */
plugin_secure_memzero = args->callbacks->plugin_secure_memzero;
+ plugin_base64_decode = args->callbacks->plugin_base64_decode;
/*
* Make sure we have two string arguments: the first is the .so name,
@@ -599,6 +664,10 @@ my_conv(int n, const struct pam_message **msg_array,
{
aresp[i].resp = searchandreplace(match_value, "COMMONNAME", up->common_name);
}
+ else if (strstr(match_value, "OTP"))
+ {
+ aresp[i].resp = searchandreplace(match_value, "OTP", up->response);
+ }
else
{
aresp[i].resp = strdup(match_value);
@@ -787,6 +856,9 @@ pam_server(int fd, const char *service, int verb, const struct name_value_list *
#endif
}
+ /* If password is of the form SCRV1:base64:base64 split it up */
+ split_scrv1_password(&up);
+
if (pam_auth(service, &up)) /* Succeeded */
{
if (send_control(fd, RESPONSE_VERIFY_SUCCEEDED) == -1)
@@ -818,10 +890,11 @@ pam_server(int fd, const char *service, int verb, const struct name_value_list *
command);
goto done;
}
+ plugin_secure_memzero(up.response, sizeof(up.response));
}
done:
-
plugin_secure_memzero(up.password, sizeof(up.password));
+ plugin_secure_memzero(up.response, sizeof(up.response));
#ifdef USE_PAM_DLOPEN
dlclose_pam();
#endif
|
