mirror of
https://github.com/OpenVPN/openvpn.git
synced 2024-09-20 03:52:28 +02:00
Some changes to GET_USER_PASS_NEED_OK flag to
get_user_pass. (1) Allow an additional longer prompt string to be passed to the management interface client, in addition to the request type string. (2) Allow the management interface client to return a string, usually "ok" or "cancel" as the third argument to "needok" command. (3) Renamed "ok" command in management interface to "needok". (4) Edited management-notes.txt to reflect new needok feature. (5) See init.c:125 for new code example. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@694 e7ae566f-a301-0410-adde-c780ea21d3b5
This commit is contained in:
parent
ef7fb89057
commit
dd1047f521
14
init.c
14
init.c
@ -122,6 +122,20 @@ context_init_1 (struct context *c)
|
||||
}
|
||||
#endif
|
||||
|
||||
#if 0 /* JYFIXME -- test get_user_pass with GET_USER_PASS_NEED_OK flag */
|
||||
{
|
||||
/*
|
||||
* In the management interface, you can okay the request by entering "needok token-insertion-request ok"
|
||||
*/
|
||||
struct user_pass up;
|
||||
CLEAR (up);
|
||||
strcpy (up.username, "Please insert your cryptographic token"); /* put the high-level message in up.username */
|
||||
get_user_pass (&up, NULL, "token-insertion-request", GET_USER_PASS_MANAGEMENT|GET_USER_PASS_NEED_OK);
|
||||
msg (M_INFO, "RET:%s", up.password); /* will return the third argument to management interface
|
||||
'needok' command, usually 'ok' or 'cancel'. */
|
||||
}
|
||||
#endif
|
||||
|
||||
#if P2MP
|
||||
/* Auth user/pass input */
|
||||
if (c->options.auth_user_pass_file)
|
||||
|
16
manage.c
16
manage.c
@ -74,8 +74,9 @@ man_help ()
|
||||
msg (M_CLIENT, "log [on|off] [N|all] : Turn on/off realtime log display");
|
||||
msg (M_CLIENT, " + show last N lines or 'all' for entire history.");
|
||||
msg (M_CLIENT, "mute [n] : Set log mute level to n, or show level if n is absent.");
|
||||
msg (M_CLIENT, "needok type action : Enter confirmation for NEED-OK request of 'type',");
|
||||
msg (M_CLIENT, " where action = 'ok' or 'cancel'.");
|
||||
msg (M_CLIENT, "net : (Windows only) Show network info and routing table.");
|
||||
msg (M_CLIENT, "ok type : Enter confirmation for NEED-OK request.");
|
||||
msg (M_CLIENT, "password type p : Enter password p for a queried OpenVPN password.");
|
||||
msg (M_CLIENT, "signal s : Send signal s to daemon,");
|
||||
msg (M_CLIENT, " s = SIGHUP|SIGTERM|SIGUSR1|SIGUSR2.");
|
||||
@ -527,10 +528,10 @@ man_query_password (struct management *man, const char *type, const char *string
|
||||
}
|
||||
|
||||
static void
|
||||
man_query_need_ok (struct management *man, const char *type)
|
||||
man_query_need_ok (struct management *man, const char *type, const char *action)
|
||||
{
|
||||
const bool needed = ((man->connection.up_query_mode == UP_QUERY_NEED_OK) && man->connection.up_query_type);
|
||||
man_query_user_pass (man, type, "ok", needed, "ok-confirmation", man->connection.up_query.password, USER_PASS_LEN);
|
||||
man_query_user_pass (man, type, action, needed, "needok-confirmation", man->connection.up_query.password, USER_PASS_LEN);
|
||||
}
|
||||
|
||||
static void
|
||||
@ -721,10 +722,10 @@ man_dispatch_command (struct management *man, struct status_output *so, const ch
|
||||
if (man_need (man, p, 2, 0))
|
||||
man_query_password (man, p[1], p[2]);
|
||||
}
|
||||
else if (streq (p[0], "ok"))
|
||||
else if (streq (p[0], "needok"))
|
||||
{
|
||||
if (man_need (man, p, 1, 0))
|
||||
man_query_need_ok (man, p[1]);
|
||||
if (man_need (man, p, 2, 0))
|
||||
man_query_need_ok (man, p[1], p[2]);
|
||||
}
|
||||
else if (streq (p[0], "net"))
|
||||
{
|
||||
@ -1789,6 +1790,9 @@ management_query_user_pass (struct management *man,
|
||||
type,
|
||||
alert_type);
|
||||
|
||||
if (flags & GET_USER_PASS_NEED_OK)
|
||||
buf_printf (&alert_msg, " MSG:%s", up->username);
|
||||
|
||||
man_wait_for_client_connection (man, &signal_received, 0, MWCC_PASSWORD_WAIT);
|
||||
if (signal_received)
|
||||
ret = false;
|
||||
|
@ -370,6 +370,28 @@ Command examples:
|
||||
auth-retry interact -- Don't exit when bad username/passwords are entered.
|
||||
Query for new input and retry.
|
||||
|
||||
COMMAND -- needok (OpenVPN 2.1 or higher)
|
||||
--------------------------------------
|
||||
|
||||
Confirm a ">NEED-OK" real-time notification, normally used by
|
||||
OpenVPN to block while waiting for a specific user action.
|
||||
|
||||
Example:
|
||||
|
||||
OpenVPN needs the user to insert a cryptographic token,
|
||||
so it sends a real-time notification:
|
||||
|
||||
>NEED-OK:Need 'token-insertion-request' confirmation MSG:Please insert your cryptographic token
|
||||
|
||||
The management client, if it is a GUI, can flash a dialog
|
||||
box containing the text after the "MSG:" marker to the user.
|
||||
When the user acknowledges the dialog box,
|
||||
the management client can issue this command:
|
||||
|
||||
needok token-insertion-request ok
|
||||
or
|
||||
needok token-insertion-request cancel
|
||||
|
||||
OUTPUT FORMAT
|
||||
-------------
|
||||
|
||||
@ -381,7 +403,7 @@ OUTPUT FORMAT
|
||||
|
||||
(3) Real-time messages will be in the form ">[source]:[text]",
|
||||
where source is "ECHO", "FATAL", "HOLD", "INFO", "LOG",
|
||||
"PASSWORD", or "STATE".
|
||||
"NEED-OK", "PASSWORD", or "STATE".
|
||||
|
||||
REAL-TIME MESSAGE FORMAT
|
||||
------------------------
|
||||
@ -408,6 +430,10 @@ INFO -- Informational messages such as the welcome message.
|
||||
|
||||
LOG -- Log message output as controlled by the "log" command.
|
||||
|
||||
NEED-OK -- OpenVPN needs the end user to do something, such as
|
||||
insert a cryptographic token. The "needok" command can
|
||||
be used to tell OpenVPN to continue.
|
||||
|
||||
PASSWORD -- Used to tell the management client that OpenVPN
|
||||
needs a password, also to indicate password
|
||||
verification failure.
|
||||
@ -418,16 +444,16 @@ STATE -- Shows the current OpenVPN state, as controlled
|
||||
Command Parsing
|
||||
---------------
|
||||
|
||||
OpenVPN uses the same command line lexical analyzer as is used
|
||||
by the OpenVPN config file parser.
|
||||
The management interface uses the same command line lexical analyzer
|
||||
as is used by the OpenVPN config file parser.
|
||||
|
||||
Whitespace is a parameter separator.
|
||||
|
||||
Double quotation characters ("") can be used to enclose
|
||||
parameters containing whitespace
|
||||
parameters containing whitespace.
|
||||
|
||||
Backslash-based shell escaping is performed, using the following
|
||||
mappings
|
||||
mappings:
|
||||
|
||||
\\ Maps to a single backslash character (\).
|
||||
\" Pass a literal doublequote character ("), don't
|
||||
|
48
misc.c
48
misc.c
@ -1177,39 +1177,43 @@ get_user_pass (struct user_pass *up,
|
||||
}
|
||||
else
|
||||
#endif
|
||||
/*
|
||||
* Get NEED_OK confirmation from the console
|
||||
*/
|
||||
if (flags & GET_USER_PASS_NEED_OK)
|
||||
{
|
||||
struct buffer user_prompt = alloc_buf_gc (128, &gc);
|
||||
|
||||
buf_printf (&user_prompt, "NEED-OK|%s|%s:", prefix, up->username);
|
||||
|
||||
if (!get_console_input (BSTR (&user_prompt), true, up->password, USER_PASS_LEN))
|
||||
msg (M_FATAL, "ERROR: could not read %s ok-confirmation from stdin", prefix);
|
||||
|
||||
if (!strlen (up->password))
|
||||
strcpy (up->password, "ok");
|
||||
}
|
||||
|
||||
/*
|
||||
* Get username/password from standard input?
|
||||
*/
|
||||
if (from_stdin || (flags & GET_USER_PASS_NEED_OK))
|
||||
else if (from_stdin)
|
||||
{
|
||||
struct buffer user_prompt = alloc_buf_gc (128, &gc);
|
||||
struct buffer pass_prompt = alloc_buf_gc (128, &gc);
|
||||
|
||||
if (flags & GET_USER_PASS_NEED_OK)
|
||||
{
|
||||
buf_printf (&pass_prompt, "NEED-OK:%s:", prefix);
|
||||
}
|
||||
else
|
||||
{
|
||||
buf_printf (&user_prompt, "Enter %s Username:", prefix);
|
||||
buf_printf (&pass_prompt, "Enter %s Password:", prefix);
|
||||
buf_printf (&user_prompt, "Enter %s Username:", prefix);
|
||||
buf_printf (&pass_prompt, "Enter %s Password:", prefix);
|
||||
|
||||
if (!(flags & GET_USER_PASS_PASSWORD_ONLY))
|
||||
{
|
||||
if (!get_console_input (BSTR (&user_prompt), true, up->username, USER_PASS_LEN))
|
||||
msg (M_FATAL, "ERROR: could not read %s username from stdin", prefix);
|
||||
if (strlen (up->username) == 0)
|
||||
msg (M_FATAL, "ERROR: %s username is empty", prefix);
|
||||
}
|
||||
if (!(flags & GET_USER_PASS_PASSWORD_ONLY))
|
||||
{
|
||||
if (!get_console_input (BSTR (&user_prompt), true, up->username, USER_PASS_LEN))
|
||||
msg (M_FATAL, "ERROR: could not read %s username from stdin", prefix);
|
||||
if (strlen (up->username) == 0)
|
||||
msg (M_FATAL, "ERROR: %s username is empty", prefix);
|
||||
}
|
||||
|
||||
if (!get_console_input (BSTR (&pass_prompt), false, up->password, USER_PASS_LEN))
|
||||
msg (M_FATAL, "ERROR: could not not read %s %s from stdin",
|
||||
prefix,
|
||||
(flags & GET_USER_PASS_NEED_OK) ? "ok-confirmation" : "password");
|
||||
|
||||
if (flags & GET_USER_PASS_NEED_OK)
|
||||
strcpy (up->password, "ok");
|
||||
msg (M_FATAL, "ERROR: could not not read %s password from stdin", prefix);
|
||||
}
|
||||
else
|
||||
{
|
||||
|
Loading…
Reference in New Issue
Block a user