Added --management-forget-disconnect option -- forget

passwords when management session disconnects (Alon Bar-Lev).


git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@2652 e7ae566f-a301-0410-adde-c780ea21d3b5

init.c

@@ -2469,6 +2469,7 @@ open_management (struct context *c)
 			       c->options.management_state_buffer_size,
 			       c->options.management_hold,
 			       c->options.management_signal,
+			       c->options.management_forget_disconnect,
 			       c->options.management_client,
 			       c->options.management_write_peer_info_file,
 			       c->options.remap_sigusr1))

manage.c

@@ -1080,6 +1080,9 @@ man_reset_client_socket (struct management *man, const bool exiting)
     }
   if (!exiting)
     {
+      if (man->settings.management_forget_disconnect)
+	 ssl_purge_auth ();
+
       if (man->settings.signal_on_disconnect) {
       	  int mysig = man_mod_signal (man, SIGUSR1);
 	  if (mysig >= 0)
@@ -1333,6 +1336,7 @@ man_settings_init (struct man_settings *ms,
 		   const int state_buffer_size,
 		   const bool hold,
 		   const bool signal_on_disconnect,
+		   const bool management_forget_disconnect,
 		   const bool connect_as_client,
 		   const char *write_peer_info_file,
 		   const int remap_sigusr1)
@@ -1370,6 +1374,12 @@ man_settings_init (struct man_settings *ms,
        */
       ms->signal_on_disconnect = signal_on_disconnect;
 
+      /*
+       * Should OpenVPN forget passwords when managmenet
+       * session disconnects?
+       */
+      ms->management_forget_disconnect = management_forget_disconnect;
+
       /*
        * Should OpenVPN connect to management interface as a client
        * rather than a server?
@@ -1513,6 +1523,7 @@ management_open (struct management *man,
 		 const int state_buffer_size,
 		 const bool hold,
 		 const bool signal_on_disconnect,
+		 const bool management_forget_disconnect,
 		 const bool connect_as_client,
 		 const char *write_peer_info_file,
 		 const int remap_sigusr1)
@@ -1534,6 +1545,7 @@ management_open (struct management *man,
 		     state_buffer_size,
 		     hold,
 		     signal_on_disconnect,
+		     management_forget_disconnect,
 		     connect_as_client,
 		     write_peer_info_file,
 		     remap_sigusr1);

manage.h

@@ -206,6 +206,7 @@ struct man_settings {
   bool server;
   bool hold;
   bool signal_on_disconnect;
+  bool management_forget_disconnect;
   bool connect_as_client;
   char *write_peer_info_file;
 
@@ -283,6 +284,7 @@ bool management_open (struct management *man,
 		      const int state_buffer_size,
 		      const bool hold,
 		      const bool signal_on_disconnect,
+		      const bool management_forget_disconnect,
 		      const bool connect_as_client,
 		      const char *write_peer_info_file,
 		      const int remap_sigusr1);

openvpn.8

@@ -179,6 +179,7 @@ openvpn \- secure IP tunnel daemon.
 [\ \fB\-\-log\fR\ \fIfile\fR\ ]
 [\ \fB\-\-suppress-timestamps\fR\ ]
 [\ \fB\-\-lport\fR\ \fIport\fR\ ]
+[\ \fB\-\-management\-forget\-disconnect\fR\ ]
 [\ \fB\-\-management\-hold\fR\ ]
 [\ \fB\-\-management\-log\-cache\fR\ \fIn\fR\ ]
 [\ \fB\-\-management\-signal\fR\ ]
@@ -2325,6 +2326,15 @@ for inputs which ordinarily would have been queried from the
 console.
 .\"*********************************************************
 .TP
+.B --management-forget-disconnect
+Make OpenVPN forget passwords when management session
+disconnects.
+
+This directive does not affect the
+.B --http-proxy
+username/password.  It is always cached.
+.\"*********************************************************
+.TP
 .B --management-hold
 Start OpenVPN in a hibernating state, until a client
 of the management interface explicitly starts it

options.c

@@ -318,6 +318,8 @@ static const char usage_message[] =
   "--management-hold : Start " PACKAGE_NAME " in a hibernating state, until a client\n"
   "                    of the management interface explicitly starts it.\n"
   "--management-signal : Issue SIGUSR1 when management disconnect event occurs.\n"
+  "--management-forget-disconnect : Forget passwords when management disconnect\n"
+  "                                 event occurs.\n"
   "--management-log-cache n : Cache n lines of log file history for usage\n"
   "                  by the management channel.\n"
 #endif
@@ -1202,6 +1204,7 @@ show_settings (const struct options *o)
   SHOW_BOOL (management_hold);
   SHOW_BOOL (management_client);
   SHOW_BOOL (management_signal);
+  SHOW_BOOL (management_forget_disconnect);
   SHOW_STR (management_write_peer_info_file);
 #endif
 #ifdef ENABLE_PLUGIN
@@ -1527,7 +1530,8 @@ options_postprocess (struct options *options, bool first_time)
 #ifdef ENABLE_MANAGEMENT
   if (!options->management_addr &&
       (options->management_query_passwords || options->management_hold || options->management_signal
-       || options->management_client || options->management_write_peer_info_file
+       || options->management_forget_disconnect || options->management_client
+       || options->management_write_peer_info_file
        || options->management_log_history_cache != defaults.management_log_history_cache))
     msg (M_USAGE, "--management is not specified, however one or more options which modify the behavior of --management were specified");
 #endif
@@ -3152,6 +3156,11 @@ add_option (struct options *options,
       VERIFY_PERMISSION (OPT_P_GENERAL);
       options->management_signal = true;
     }
+  else if (streq (p[0], "management-forget-disconnect"))
+    {
+      VERIFY_PERMISSION (OPT_P_GENERAL);
+      options->management_forget_disconnect = true;
+    }
   else if (streq (p[0], "management-client"))
     {
       VERIFY_PERMISSION (OPT_P_GENERAL);

options.h

@@ -284,6 +284,7 @@ struct options
   bool management_query_passwords;
   bool management_hold;
   bool management_signal;
+  bool management_forget_disconnect;
   bool management_client;
   const char *management_write_peer_info_file;
 #endif