About --auth-user-pass-verify in OpenVPN

Source: Internet  Published: 新海诚 知乎  Editor: 程序博客网  Time: 2024/06/14 12:30

--auth-user-pass-verify script method

Require the client to provide a username/password (possibly in addition to a client certificate) for authentication.

OpenVPN will execute script as a shell command to validate the username/password provided by the client.

If method is set to "via-env", OpenVPN will call script with the environmental variables username and password set to the username/password strings provided by the client. Be aware that this method is insecure on some platforms which make the environment of a process publicly visible to other unprivileged processes.

If method is set to "via-file", OpenVPN will write the username and password to the first two lines of a temporary file. The filename will be passed as an argument to script, and the file will be automatically deleted by OpenVPN after the script returns. The location of the temporary file is controlled by the --tmp-dir option, and will default to the current directory if unspecified. For security, consider setting --tmp-dir to a volatile storage medium such as /dev/shm (if available) to prevent the username/password file from touching the hard drive.

The script should examine the username and password, returning a success exit code (0) if the client's authentication request is to be accepted, or a failure code (1) to reject the client.

This directive is designed to enable a plugin-style interface for extending OpenVPN's authentication capabilities.

To protect against a client passing a maliciously formed username or password string, the username string must consist only of these characters: alphanumeric, underbar ('_'), dash ('-'), dot ('.'), or at ('@'). The password string can consist of any printable characters except for CR or LF. Any illegal characters in either the username or password string will be converted to underbar ('_').

Care must be taken by any user-defined scripts to avoid creating a security vulnerability in the way that these strings are handled. Never use these strings in such a way that they might be escaped or evaluated by a shell interpreter.
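The following is an added example of a verify script written in the spirit of the text above; it is not part of the OpenVPN distribution. It supports both methods described: when a filename is given it reads the first two lines ("via-file"), otherwise it reads the username and password environment variables ("via-env"). It re-applies the username character restriction, compares against a stored password hash in constant time, and never hands either string to a shell. The credential store, salt and the "alice@example.org" entry are constructed for illustration; a real deployment would keep the store in a file readable only by the OpenVPN user.

```python
#!/usr/bin/env python3
"""Added example: an --auth-user-pass-verify script (via-file or via-env).

Exit 0 accepts the client, exit 1 rejects it, matching what OpenVPN expects.
"""
import hashlib
import hmac
import os
import re
import sys


def hash_password(salt, password):
    """PBKDF2-SHA256 hex digest; used both to build and to check the store."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000).hex()


# Constructed sample store (hypothetical): username -> (salt, hex digest).
SAMPLE_SALT = b"example-salt-not-for-production"
CREDENTIALS = {
    "alice@example.org": (SAMPLE_SALT, hash_password(SAMPLE_SALT, "correct horse battery")),
}

# Same character set the text says OpenVPN permits in usernames.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.@-]+$")


def parse_via_file(text):
    """Return (username, password) from the first two lines of the temp file."""
    lines = text.split("\n")
    if len(lines) < 2:
        raise ValueError("credential file must contain two lines")
    return lines[0].rstrip("\r"), lines[1].rstrip("\r")


def read_credentials(argv, environ):
    """via-file when a path is supplied, via-env otherwise."""
    if len(argv) >= 2:
        with open(argv[1], encoding="utf-8") as fh:
            return parse_via_file(fh.read())
    return environ.get("username", ""), environ.get("password", "")


def check_credentials(username, password, store=CREDENTIALS):
    """True only for a well-formed username whose password matches the store."""
    if not USERNAME_RE.match(username) or not password:
        return False
    entry = store.get(username)
    if entry is None:
        # Hash anyway so unknown and wrong-password users take similar time.
        hash_password(SAMPLE_SALT, password)
        return False
    salt, stored = entry
    # Constant-time comparison; the strings are never interpolated into a command.
    return hmac.compare_digest(hash_password(salt, password), stored)


def main(argv, environ):
    try:
        username, password = read_credentials(argv, environ)
    except (OSError, ValueError):
        return 1
    return 0 if check_credentials(username, password) else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv, os.environ))
```

Configure it with "auth-user-pass-verify /etc/openvpn/verify.py via-file" (path is an assumption) and set --tmp-dir as the text recommends; since the script only ever opens the file OpenVPN hands it and compares strings in Python, a username or password containing shell metacharacters is rejected or simply mismatched, never executed.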

For a sample script that performs PAM authentication, see sample-scripts/auth-pam.pl in the OpenVPN source distribution.
