mirror/openvpn
0
0
Fork 0
mirror of https://github.com/OpenVPN/openvpn.git synced 2024-09-20 03:52:28 +02:00
Code

Some changes to GET_USER_PASS_NEED_OK flag to

Browse Source 
get_user_pass.
(1) Allow an additional longer prompt string
    to be passed to the management interface
    client, in addition to the request type
    string.
(2) Allow the management interface client to
    return a string, usually "ok" or "cancel"
    as the third argument to "needok" command.
(3) Renamed "ok" command in management interface
    to "needok".
(4) Edited management-notes.txt to reflect new
    needok feature.
(5) See init.c:125 for new code example.


git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@694 e7ae566f-a301-0410-adde-c780ea21d3b5
This commit is contained in:
james 2005-10-20 10:16:41 +00:00
parent ef7fb89057
commit dd1047f521
4 changed files with 81 additions and 33 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
init.c
View File

@ -122,6 +122,20 @@ context_init_1 (struct context *c)
}
#endif
#if 0 /* JYFIXME -- test get_user_pass with GET_USER_PASS_NEED_OK flag */
{
/*
* In the management interface, you can okay the request by entering "needok token-insertion-request ok"
*/
struct user_pass up;
CLEAR (up);
strcpy (up.username, "Please insert your cryptographic token"); /* put the high-level message in up.username */
get_user_pass (&up, NULL, "token-insertion-request", GET_USER_PASS_MANAGEMENT|GET_USER_PASS_NEED_OK);
msg (M_INFO, "RET:%s", up.password); /* will return the third argument to management interface
'needok' command, usually 'ok' or 'cancel'. */
}
#endif
#if P2MP
/* Auth user/pass input */
if (c->options.auth_user_pass_file)

16
manage.c
View File

@ -74,8 +74,9 @@ man_help ()
msg (M_CLIENT, "log [on|off] [N|all] : Turn on/off realtime log display");
msg (M_CLIENT, " + show last N lines or 'all' for entire history.");
msg (M_CLIENT, "mute [n] : Set log mute level to n, or show level if n is absent.");
msg (M_CLIENT, "needok type action : Enter confirmation for NEED-OK request of 'type',");
msg (M_CLIENT, " where action = 'ok' or 'cancel'.");
msg (M_CLIENT, "net : (Windows only) Show network info and routing table.");
msg (M_CLIENT, "ok type : Enter confirmation for NEED-OK request.");
msg (M_CLIENT, "password type p : Enter password p for a queried OpenVPN password.");
msg (M_CLIENT, "signal s : Send signal s to daemon,");
msg (M_CLIENT, " s = SIGHUP|SIGTERM|SIGUSR1|SIGUSR2.");
@ -527,10 +528,10 @@ man_query_password (struct management *man, const char *type, const char *string
}
static void
man_query_need_ok (struct management *man, const char *type)
man_query_need_ok (struct management *man, const char *type, const char *action)
{
const bool needed = ((man->connection.up_query_mode == UP_QUERY_NEED_OK) && man->connection.up_query_type);
man_query_user_pass (man, type, "ok", needed, "ok-confirmation", man->connection.up_query.password, USER_PASS_LEN);
man_query_user_pass (man, type, action, needed, "needok-confirmation", man->connection.up_query.password, USER_PASS_LEN);
}
static void
@ -721,10 +722,10 @@ man_dispatch_command (struct management *man, struct status_output *so, const ch
if (man_need (man, p, 2, 0))
man_query_password (man, p[1], p[2]);
}
else if (streq (p[0], "ok"))
else if (streq (p[0], "needok"))
{
if (man_need (man, p, 1, 0))
man_query_need_ok (man, p[1]);
if (man_need (man, p, 2, 0))
man_query_need_ok (man, p[1], p[2]);
}
else if (streq (p[0], "net"))
{
@ -1789,6 +1790,9 @@ management_query_user_pass (struct management *man,
type,
alert_type);
if (flags & GET_USER_PASS_NEED_OK)
buf_printf (&alert_msg, " MSG:%s", up->username);
man_wait_for_client_connection (man, &signal_received, 0, MWCC_PASSWORD_WAIT);
if (signal_received)
ret = false;

36
management/management-notes.txt
View File

@ -370,6 +370,28 @@ Command examples:
auth-retry interact -- Don't exit when bad username/passwords are entered.
Query for new input and retry.
COMMAND -- needok (OpenVPN 2.1 or higher)
--------------------------------------
Confirm a ">NEED-OK" real-time notification, normally used by
OpenVPN to block while waiting for a specific user action.
Example:
OpenVPN needs the user to insert a cryptographic token,
so it sends a real-time notification:
>NEED-OK:Need 'token-insertion-request' confirmation MSG:Please insert your cryptographic token
The management client, if it is a GUI, can flash a dialog
box containing the text after the "MSG:" marker to the user.
When the user acknowledges the dialog box,
the management client can issue this command:
needok token-insertion-request ok
or
needok token-insertion-request cancel
OUTPUT FORMAT
-------------
@ -381,7 +403,7 @@ OUTPUT FORMAT
(3) Real-time messages will be in the form ">[source]:[text]",
where source is "ECHO", "FATAL", "HOLD", "INFO", "LOG",
"PASSWORD", or "STATE".
"NEED-OK", "PASSWORD", or "STATE".
REAL-TIME MESSAGE FORMAT
------------------------
@ -408,6 +430,10 @@ INFO -- Informational messages such as the welcome message.
LOG -- Log message output as controlled by the "log" command.
NEED-OK -- OpenVPN needs the end user to do something, such as
insert a cryptographic token. The "needok" command can
be used to tell OpenVPN to continue.
PASSWORD -- Used to tell the management client that OpenVPN
needs a password, also to indicate password
verification failure.
@ -418,16 +444,16 @@ STATE -- Shows the current OpenVPN state, as controlled
Command Parsing
---------------
OpenVPN uses the same command line lexical analyzer as is used
by the OpenVPN config file parser.
The management interface uses the same command line lexical analyzer
as is used by the OpenVPN config file parser.
Whitespace is a parameter separator.
Double quotation characters ("") can be used to enclose
parameters containing whitespace
parameters containing whitespace.
Backslash-based shell escaping is performed, using the following
mappings
mappings:
\\ Maps to a single backslash character (\).
\" Pass a literal doublequote character ("), don't

48
misc.c
View File

@ -1177,39 +1177,43 @@ get_user_pass (struct user_pass *up,
}
else
#endif
/*
* Get NEED_OK confirmation from the console
*/
if (flags & GET_USER_PASS_NEED_OK)
{
struct buffer user_prompt = alloc_buf_gc (128, &gc);
buf_printf (&user_prompt, "NEED-OK|%s|%s:", prefix, up->username);
if (!get_console_input (BSTR (&user_prompt), true, up->password, USER_PASS_LEN))
msg (M_FATAL, "ERROR: could not read %s ok-confirmation from stdin", prefix);
if (!strlen (up->password))
strcpy (up->password, "ok");
}
/*
* Get username/password from standard input?
*/
if (from_stdin || (flags & GET_USER_PASS_NEED_OK))
else if (from_stdin)
{
struct buffer user_prompt = alloc_buf_gc (128, &gc);
struct buffer pass_prompt = alloc_buf_gc (128, &gc);
if (flags & GET_USER_PASS_NEED_OK)
{
buf_printf (&pass_prompt, "NEED-OK:%s:", prefix);
}
else
{
buf_printf (&user_prompt, "Enter %s Username:", prefix);
buf_printf (&pass_prompt, "Enter %s Password:", prefix);
buf_printf (&user_prompt, "Enter %s Username:", prefix);
buf_printf (&pass_prompt, "Enter %s Password:", prefix);
if (!(flags & GET_USER_PASS_PASSWORD_ONLY))
{
if (!get_console_input (BSTR (&user_prompt), true, up->username, USER_PASS_LEN))
msg (M_FATAL, "ERROR: could not read %s username from stdin", prefix);
if (strlen (up->username) == 0)
msg (M_FATAL, "ERROR: %s username is empty", prefix);
}
if (!(flags & GET_USER_PASS_PASSWORD_ONLY))
{
if (!get_console_input (BSTR (&user_prompt), true, up->username, USER_PASS_LEN))
msg (M_FATAL, "ERROR: could not read %s username from stdin", prefix);
if (strlen (up->username) == 0)
msg (M_FATAL, "ERROR: %s username is empty", prefix);
}
if (!get_console_input (BSTR (&pass_prompt), false, up->password, USER_PASS_LEN))
msg (M_FATAL, "ERROR: could not not read %s %s from stdin",
prefix,
(flags & GET_USER_PASS_NEED_OK) ? "ok-confirmation" : "password");
if (flags & GET_USER_PASS_NEED_OK)
strcpy (up->password, "ok");
msg (M_FATAL, "ERROR: could not not read %s password from stdin", prefix);
}
else
{