
Re: [Openvpn-users] Sending log messages to client from auth-user-pass-verify script


  • Subject: Re: [Openvpn-users] Sending log messages to client from auth-user-pass-verify script
  • From: "Sverre Johan Tøvik" <macnetic@xxxxxxxxx>
  • Date: Thu, 6 Dec 2007 17:46:38 +0100

On Dec 6, 2007 4:56 PM, Jan Just Keijser <janjust@xxxxxxxxx> wrote:
> that's the problem: AFAIK there's no plugin to send stuff back to the
> client at login time... you could write a client plugin which listens to
> a server plugin etc etc but that gets ugly really fast.

Hmmm. So plugins don't have access to stuff like the push functions, which AFAICT are used to pass commands between client and server?
 
> alternatively you could write a client plugin which does a similar
> username-common-name check: that way the client would know about the
> mismatch even before a connection was made.
 
Yeah, but the point here is to make sure a client must have a valid certificate and username/password combo, so no one can log on with some random combo.


        Sverre




HTH,

JJK

Sverre Johan Tøvik wrote:
> Hi Jan,
>
> I see an "AUTH: Received AUTH_FAILED control message", which is the
> same message as when an invalid username/password is used. I wouldn't
> mind writing a patch, but I'd rather not have to distribute a custom
> version of OpenVPN. Do you know if client side logging is possible
> with the plugin API? If so, I might just make a plugin which does the
> username/cn check. I just checked out the example "simple" plugin,
> looks easy enough.
>
>
>       Sverre
>
> On Dec 6, 2007 4:22 PM, Jan Just Keijser <janjust@xxxxxxxxx> wrote:
>
>     Hi Sverre,
>
>     I don't think so... it would require a (not too difficult) patch to the
>     openvpn software.
>     what do you see now when there's a username-common-name mismatch?
>
>     HTH,
>
>     JJK
>
>     Sverre Johan Tøvik wrote:
>     > Hi,
>     >
>     > The subject says it all really. Is it possible to send output from an
>     > auth-user-pass-verify script to the client side log? I've added an
>     > auth-user-pass-verify script to verify that the username matches
>     > the common name from the client cert, and added some output so that
>     > these errors show up in the server log. However, I'd like this to show
>     > up in the client side log also.
>     >
>     >
>
>
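
The username/common-name check discussed in this thread, as an added example that is not part of the original messages: a Python `auth-user-pass-verify` script that rejects a login whose username differs from the certificate CN. The script path, the `via-file` method and the `cn-check` log prefix are assumptions; password verification is outside this example.

```python
#!/usr/bin/env python3
"""auth-user-pass-verify helper: the login name must equal the certificate CN.

Added example, not code from the thread. Assumed server configuration:
    auth-user-pass-verify /etc/openvpn/check_cn.py via-file
With via-file, OpenVPN passes a temporary file (username on line 1, password
on line 2) as argv[1] and exports the certificate's CN as `common_name`.
Exit status 0 accepts the login; any other status rejects it.
"""
import os
import sys


def read_username(cred_path):
    """Return the first line of the credentials file, without its line ending."""
    with open(cred_path, encoding="utf-8", errors="replace") as fh:
        return fh.readline().rstrip("\r\n")


def cn_matches_username(username, common_name):
    """Exact, case-sensitive match; empty or missing values never match."""
    if not username or not common_name:
        return False
    return username == common_name


def main(argv, environ):
    try:
        username = read_username(argv[1])
    except (IndexError, OSError) as exc:
        print(f"cn-check: cannot read credentials: {exc}", file=sys.stderr)
        return 1  # fail closed: no file or unreadable file rejects the login
    common_name = environ.get("common_name", "")
    if not cn_matches_username(username, common_name):
        # repr() keeps control characters in the user-supplied name out of the log
        print(f"cn-check: username {username!r} does not match "
              f"certificate CN {common_name!r}", file=sys.stderr)
        return 1
    # Only the CN binding is checked here; the password must still be
    # verified (in this script or elsewhere) before a login is accepted.
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv, os.environ))
```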