
[Openvpn-users] Re: auth-user-pass problem

  • Subject: [Openvpn-users] Re: auth-user-pass problem
  • From: James Yonan <jim@xxxxxxxxx>
  • Date: Thu, 20 Jan 2005 10:39:38 -0700 (MST)

On Thu, 20 Jan 2005, Gonda Laszlo wrote:

> James Yonan wrote:
> > It's not a security hole because you shouldn't be able to actually forward
> > any tunnel data over such a connection.
> >
> > In this case the TLS connection must be established, because otherwise the
> > client would have no secure channel over which to transmit the
> > username/password.  Any actual tunnel packets will be filtered by the
> > server until the client provides the correct username/password.
> >
> > If a client doesn't have --pull in its config, the client would show
> > the TLS connection being established but would be blocked from sending or
> > receiving tunnel data from the server.  The server will retain the client
> > instance object until either the client provides a valid username/password
> > or the client instance on the server times out due to --keepalive or
> > --ping-exit.
> >
> > James
> Thanks, I understand it. On the client I see the connection established, but don't
> send or receive any data (except username/password for authentication).
> I have another question.
> If I set --user and --group on the server, username/password authentication always
> fails (without these all OK).
> I used the auth-pam.pl script for authentication (from sample-script).

Try using the auth-pam plugin (not the script).  The plugin is more
advanced than the script -- it uses a split privilege model so that the
server can drop root privileges and still be able to do PAM 
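
The switch suggested in the reply above, sketched as a server config fragment. This is an added example, not part of the original message; the plugin path, the script path and the PAM service name `login` are assumptions that vary by installation.

```conf
# --- Before: script-based verification (the setup described in the question) ---
# With user/group set, the server drops root after initialization, and the
# verify script is run by that unprivileged process. This is the combination
# reported in the question as always failing authentication.
user nobody
group nobody
auth-user-pass-verify ./auth-pam.pl via-file   # script path is an assumption

# --- After: auth-pam plugin ---
# The plugin is loaded while the server still has root and uses a split
# privilege model, so PAM checks keep working after the main process has
# dropped to nobody/nobody.
user nobody
group nobody
plugin /usr/lib/openvpn/openvpn-auth-pam.so login   # path and PAM service are assumptions
```

Use one of the two blocks, not both. On the client side, `auth-user-pass` stays as it is.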

