Implement override-username

This allow the server to set and override the username that is assumed for the client for interaction with the client after the authentication. This is especially intended to allow the of use auth-gen-token in scenarios where the clients use certificates and multi-factor authentication. It allows a client to successfully roam to a different server and have a correct username and auth-token that can be accepted by that server as fully authenticated user without requiring MFA again. The scenario that this feature is probably most useful when --management-client-auth is in use as in this mode the OpenVPN server can accept clients without username/password but still use --auth-gen-token with username and password to accept auth-token as alternative authentication. A client without a username will also not use the pushed auth-token. So setting/pushing an auth-token-user will ensure that the client has a username. Github: OpenVPN/openvpn#299 Change-Id: Ia4095518d5e4447992a2974e0d7a159d79ba6b6f Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <20250311155904.4446-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg31091.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
2025-05-07 20:55:53 +08:00 · 2025-03-11 16:59:04 +01:00 · 2025-03-11 16:59:04 +01:00 · ebd433bd1e
commit ebd433bd1e
parent 536809792d
10 changed files with 173 additions and 10 deletions
--- a/Changes.rst
+++ b/Changes.rst
@ -49,6 +49,12 @@ Epoch data keys and packet format
    - IV constructed with XOR instead of concatenation to not have (parts) of
      the real IV on the wire

+Allow overriding username with ``--override-username``
+    This is intended to allow using auth-gen-token in scenarios where the
+    clients use certificates and multi-factor authentication.  This will
+    also generate a 'push "auth-token-user newusername"' directives in
+    push replies.
+
 Deprecated features
 -------------------
 ``secret`` support has been removed by default.
--- a/doc/man-sections/server-options.rst
+++ b/doc/man-sections/server-options.rst
@ -89,6 +89,12 @@ fast hardware. SSL/TLS authentication must be used in this mode.
  will lead to authentication bypass (as does returning success on a wrong
  password from a script).

+  **Note:** the username for ``--auth-gen-token`` can be overridden by
+  ``--override-user``. In this case the client will be pushed also the
+  ``--auth-token-user`` option and an auth token that is valid for that
+  username instead of the original username that the client authenticated
+  with.
+
 --auth-gen-token-secret file
  Specifies a file that holds a secret for the HMAC used in
  ``--auth-gen-token`` If ``file`` is not present OpenVPN will generate a
@ -412,6 +418,32 @@ fast hardware. SSL/TLS authentication must be used in this mode.

  This option requires that ``--disable-occ`` NOT be used.

+--override-username username
+  Sets the username of a connection to the specified username.  This username
+  will also be used by ``--auth-gen-token``. However, the overridden
+  username comes only into effect *after* the ``--client-config-dir`` has been
+  read and the ``--auth-user-pass-verify`` and ``--client-connect`` scripts
+  have been run.
+
+  Also ``--username-as-common-name`` will use the client provided username
+  as common-name. It is recommended to avoid the use of the
+  ``--override-username`` option if the option ``--username-as-common-name``
+  is being used.
+
+  The changed username will be picked up by the status output and also by
+  the ``--auth-gen-token`` option. It will also be pushed to the client
+  using ``--auth-token-user``.
+
+  Special care should be taken that both the initial username of the client
+  and the overridden username are handled correctly when using
+  ``--override-username`` and the related options to avoid
+  authentication/authorisation bypasses.
+
+  This option is mainly intended for use cases that use certificates and
+  multi factor authentication and therefore do not provide a username that
+  can be used for ``--auth-gen-token`` to allow providing a username in
+  these scenarios.
+
 --port-share args
  Share OpenVPN TCP with another service

--- a/src/openvpn/multi.c
+++ b/src/openvpn/multi.c
@ -42,7 +42,9 @@
 #include "ssl_verify.h"
 #include "ssl_ncp.h"
 #include "vlan.h"
+#include "auth_token.h"
 #include <inttypes.h>
+#include <string.h>

 #include "memdbg.h"

@ -2680,6 +2682,60 @@ static const multi_client_connect_handler client_connect_handlers[] = {
    NULL,
 };

+/**
+ * Overrides the locked username with the username of --override-username
+ * @param mi the multi instance that should be modified.
+ */
+static bool
+override_locked_username(struct multi_instance *mi)
+{
+    struct tls_multi *multi = mi->context.c2.tls_multi;
+    struct options *options = &mi->context.options;
+    struct tls_session *session = &multi->session[TM_ACTIVE];
+
+    if (!multi->locked_username)
+    {
+        msg(D_MULTI_ERRORS, "MULTI: Ignoring override-username as no "
+            "user/password method is enabled. Enable "
+            "--management-client-auth, --auth-user-pass-verify, or a "
+            "plugin with user/password verify capability.");
+        return false;
+    }
+
+    if (!multi->locked_original_username
+        && strcmp(multi->locked_username, options->override_username) != 0)
+    {
+        multi->locked_original_username = multi->locked_username;
+        multi->locked_username = strdup(options->override_username);
+
+        /* Override also the common name if username should be set as common
+         * name */
+        if ((session->opt->ssl_flags & SSLF_USERNAME_AS_COMMON_NAME))
+        {
+            set_common_name(session, multi->locked_username);
+            free(multi->locked_cn);
+            multi->locked_cn = NULL;
+            tls_lock_common_name(multi);
+        }
+
+        /* Regenerate the auth-token if enabled */
+        if (multi->auth_token_initial)
+        {
+            struct user_pass up;
+            CLEAR(up);
+            strncpynt(up.username, multi->locked_username,
+                      sizeof(up.username));
+
+            generate_auth_token(&up, multi);
+        }
+
+        msg(D_MULTI_LOW, "MULTI: Note, override-username changes username "
+            "from '%s' to '%s'",
+            multi->locked_original_username,
+            multi->locked_username);
+    }
+    return true;
+}
 /*
 * Called as soon as the SSL/TLS connection is authenticated.
 *
@ -2783,6 +2839,14 @@ multi_connection_established(struct multi_context *m, struct multi_instance *mi)
        (*cur_handler_index)++;
    }

+    if (mi->context.options.override_username)
+    {
+        if (!override_locked_username(mi))
+        {
+            cc_succeeded = false;
+        }
+    }
+
    /* Check if we have forbidding options in the current mode */
    if (dco_enabled(&mi->context.options)
        && !dco_check_option(D_MULTI_ERRORS, &mi->context.options))
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@ -452,6 +452,8 @@ static const char usage_message[] =
    "                  Only valid in a client-specific config file.\n"
    "--disable       : Client is disabled.\n"
    "                  Only valid in a client-specific config file.\n"
+    "--override-username: Overrides the client-specific username to be used.\n"
+    "                  Only valid in a client-specific config file.\n"
    "--verify-client-cert [none|optional|require] : perform no, optional or\n"
    "                  mandatory client certificate verification.\n"
    "                  Default is to require the client to supply a certificate.\n"
@ -8000,6 +8002,23 @@ add_option(struct options *options,
        VERIFY_PERMISSION(OPT_P_INSTANCE);
        options->disable = true;
    }
+    else if (streq(p[0], "override-username") && p[1] && !p[2])
+    {
+        VERIFY_PERMISSION(OPT_P_INSTANCE);
+        if (strlen(p[1]) > TLS_USERNAME_LEN)
+        {
+            msg(msglevel, "override-username exceeds the maximum length of %d "
+                "characters", TLS_USERNAME_LEN);
+
+            /* disable the connection since ignoring the request to
+             * set another username might cause serious problems */
+            options->disable = true;
+        }
+        else
+        {
+            options->override_username = p[1];
+        }
+    }
    else if (streq(p[0], "tcp-nodelay") && !p[1])
    {
        VERIFY_PERMISSION(OPT_P_GENERAL);
--- a/src/openvpn/options.h
+++ b/src/openvpn/options.h
@ -505,6 +505,7 @@ struct options
    const char *client_config_dir;
    bool ccd_exclusive;
    bool disable;
+    const char *override_username;
    int n_bcast_buf;
    int tcp_queue_limit;
    struct iroute *iroutes;
--- a/src/openvpn/push.c
+++ b/src/openvpn/push.c
@ -595,9 +595,19 @@ prepare_auth_token_push_reply(struct tls_multi *tls_multi, struct gc_arena *gc,
     */
    if (tls_multi->auth_token)
    {
-        push_option_fmt(gc, push_list, M_USAGE,
-                        "auth-token %s",
+        push_option_fmt(gc, push_list, M_USAGE, "auth-token %s",
                        tls_multi->auth_token);
+
+        char *base64user = NULL;
+        int ret = openvpn_base64_encode(tls_multi->locked_username,
+                                        (int)strlen(tls_multi->locked_username),
+                                        &base64user);
+        if (ret < USER_PASS_LEN && ret > 0)
+        {
+            push_option_fmt(gc, push_list, M_USAGE, "auth-token-user %s",
+                            base64user);
+        }
+        free(base64user);
    }
 }

--- a/src/openvpn/ssl.c
+++ b/src/openvpn/ssl.c
@ -1262,6 +1262,7 @@ tls_multi_free(struct tls_multi *multi, bool clear)
    free(multi->peer_info);
    free(multi->locked_cn);
    free(multi->locked_username);
+    free(multi->locked_original_username);

    cert_hash_free(multi->locked_cert_hash_set);

--- a/src/openvpn/ssl_common.h
+++ b/src/openvpn/ssl_common.h
@ -627,7 +627,16 @@ struct tls_multi
     * Our locked common name, username, and cert hashes (cannot change during the life of this tls_multi object)
     */
    char *locked_cn;
+
+    /** The locked username is the username we assume the client is using.
+     * Normally the username used for initial authentication unless
+     * overridden by --override-username */
    char *locked_username;
+
+    /** The username that client initially used before being overridden
+     * by --override-user */
+    char *locked_original_username;
+
    struct cert_hash_set *locked_cert_hash_set;

    /** Time of last when we updated the cached state of
--- a/src/openvpn/ssl_verify.c
+++ b/src/openvpn/ssl_verify.c
@ -48,9 +48,6 @@
 #include "push.h"
 #include "ssl_util.h"

-/** Maximum length of common name */
-#define TLS_USERNAME_LEN 64
-
 static void
 string_mod_remap_name(char *str)
 {
@ -85,10 +82,7 @@ tls_deauthenticate(struct tls_multi *multi)
    }
 }

-/*
- * Set the given session's common_name
- */
-static void
+void
 set_common_name(struct tls_session *session, const char *common_name)
 {
    if (session->common_name)
@ -153,7 +147,10 @@ tls_lock_username(struct tls_multi *multi, const char *username)
 {
    if (multi->locked_username)
    {
-        if (strcmp(username, multi->locked_username) != 0)
+        /* If the username has been overridden, we accept both the original
+         * username and the changed username */
+        if (strcmp(username, multi->locked_username) != 0
+            &&  (!multi->locked_original_username || strcmp(username, multi->locked_original_username) != 0))
        {
            msg(D_TLS_ERRORS, "TLS Auth Error: username attempted to change from '%s' to '%s' -- tunnel disabled",
                multi->locked_username,
@ -1604,6 +1601,17 @@ verify_user_pass(struct user_pass *up, struct tls_multi *multi,
     */
    bool skip_auth = false;

+    /* Replace username early if override-username is in effect but only
+     * if client is sending the original username */
+    if (multi->locked_original_username
+        && strncmp(up->username, multi->locked_original_username, sizeof(up->username)) == 0)
+    {
+        msg(D_MULTI_LOW, "TLS: Replacing client provided username '%s' with "
+            "username from override-user '%s'", up->username,
+            multi->locked_username);
+        strncpy(up->username, multi->locked_username, sizeof(up->username));
+    }
+
    /*
     * If server is configured with --auth-gen-token and the client sends
     * something that looks like an authentication token, this
--- a/src/openvpn/ssl_verify.h
+++ b/src/openvpn/ssl_verify.h
@ -51,6 +51,9 @@
 /** Maximum certificate depth we will allow */
 #define MAX_CERT_DEPTH 16

+/** Maximum length of common name */
+#define TLS_USERNAME_LEN 64
+
 /** Structure containing the hash for a single certificate */
 struct cert_hash {
    unsigned char sha256_hash[256/8];
@ -146,6 +149,16 @@ void tls_lock_common_name(struct tls_multi *multi);
 */
 const char *tls_common_name(const struct tls_multi *multi, const bool null);

+
+/**
+ * Sets the common name field for the given tunnel
+ *
+ * @param multi         The tunnel to set the common name for
+ * @param common_name   The name to set the common name to
+ */
+void
+set_common_name(struct tls_session *session, const char *common_name);
+
 /**
 * Returns the username field for the given tunnel
 *