Fix OpenVPN querying user/password if auth-token with user expires

The problematic behaviour happens when starting a profile without auth-user-pass and then connecting to a server that pushes auth-token. When the auth token expires OpenVPN asks for auth User and password again (but it shouldn't). The problem is that the auth_user_pass_setup sets auth_user_pass_enabled = true; This function is called from two places. In ssl.c it is only called with an auth-token present or that variable already set. The other one is init_query_passwords. Move setting auth_user_pass_enabled to the second place to ensure it is only set if we really want passwords. Patch v2: Remove unrelated code change Patch v3: Rebase to master Patch v4: Rebase to master Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: David Sommerseth <davids@openvpn.net> Acked-by: Heiko Hund <heiko@ist.eigentlich.net> Message-Id: <20221009130805.1556517-1-arne@rfc2549.org> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg25367.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
2026-06-09 00:42:51 -04:00 · 2022-10-09 15:08:05 +02:00 · 2022-10-09 15:08:05 +02:00 · 7d291e10bc
commit 7d291e10bc
parent 39619b7fab
3 changed files with 10 additions and 1 deletions
--- a/src/openvpn/init.c
+++ b/src/openvpn/init.c
@ -595,6 +595,7 @@ init_query_passwords(const struct context *c)
    /* Auth user/pass input */
    if (c->options.auth_user_pass_file)
    {
+        enable_auth_user_pass();
 #ifdef ENABLE_MANAGEMENT
        auth_user_pass_setup(c->options.auth_user_pass_file,
                             c->options.auth_user_pass_file_inline,
--- a/src/openvpn/ssl.c
+++ b/src/openvpn/ssl.c
@ -394,6 +394,12 @@ static struct user_pass auth_token;     /* GLOBAL */
 static char *auth_challenge; /* GLOBAL */
 #endif

+void
+enable_auth_user_pass()
+{
+    auth_user_pass_enabled = true;
+}
+
 void
 auth_user_pass_setup(const char *auth_file, bool is_inline,
                     const struct static_challenge_info *sci)
@ -405,7 +411,6 @@ auth_user_pass_setup(const char *auth_file, bool is_inline,
        flags |= GET_USER_PASS_INLINE_CREDS;
    }

-    auth_user_pass_enabled = true;
    if (!auth_user_pass.defined && !auth_token.defined)
    {
 #ifdef ENABLE_MANAGEMENT
--- a/src/openvpn/ssl.h
+++ b/src/openvpn/ssl.h
@ -371,6 +371,9 @@ void tls_post_encrypt(struct tls_multi *multi, struct buffer *buf);
 */
 void pem_password_setup(const char *auth_file);

+/* Enables the use of user/password authentication */
+void enable_auth_user_pass();
+
 /*
 * Setup authentication username and password. If auth_file is given, use the
 * credentials stored in the file, however, if is_inline is true then auth_file