From: Jan J. K. <jan...@gm...> - 2022-03-10 11:23:04
Hi there,
On 10/03/22 11:51, Jakob Curdes wrote:
>
> Hello all,
>
> we are trying to implement 2FA for several existing Firebox SSL VPNs
> (which essentially use OpenVPN on the server and client side). The remote
> users all use the Windows OpenVPN client. This works perfectly without
> 2FA, and it also works if you do not need to specify the
> authentication domain on user logon. But for the migration it is
> necessary to do that as I cannot convert all users at once - the
> domain you enter in the username field is then "authpoint" instead of
> something like "company.private". In the 2FA process, the OpenVPN
> client then opens a text window where you can enter a TOTP token or a
> "p" for a push request. This all works with the default domain set,
> but not when specifying a domain with a backslash:
>
> Thu Mar 10 10:35:31 2022 VERIFY OK: depth=0,
> O=WatchGuard_Technologies, OU=Fireware, CN=Fireware SSLVPN Server
> Thu Mar 10 10:35:31 2022 Control Channel: TLSv1.2, cipher TLSv1.2
> ECDHE-RSA-CHACHA20-POLY1305, peer certificate: 2048 bit RSA,
> signature: RSA-SHA256
> Thu Mar 10 10:35:31 2022 [Fireware SSLVPN Server] Peer Connection
> Initiated with [AF_INET]1.2.3.4:443
> Thu Mar 10 10:35:32 2022 MANAGEMENT: >STATE:1646904932,GET_CONFIG,,,,,,
> Thu Mar 10 10:35:32 2022 SENT CONTROL [Fireware SSLVPN Server]:
> 'PUSH_REQUEST' (status=1)
> Thu Mar 10 10:35:32 2022 AUTH: Received control message:
> AUTH_FAILED,CRV1:R,E:1796:Yoirtuqeprtiqrew4==:*Type "p" to receive a
> push notification or type your one-time password*
> Thu Mar 10 10:35:32 2022 SIGUSR1[soft,auth-failure] received, process
> restarting
> Thu Mar 10 10:35:32 2022 MANAGEMENT:
> >STATE:1646904932,RECONNECTING,auth-failure,,,,,
> Thu Mar 10 10:35:32 2022 Restart pause, 5 second(s)
> *Thu Mar 10 10:35:40 2022 Previous command sent to management failed:
> ERROR: Options warning: Bad backslash ('\') usage in TCP:0: remember
> that backslashes are treated as shell-escapes and if you need to pass
> backslash characters as part of a Windows filename, you sho*
> Thu Mar 10 10:35:40 2022 MANAGEMENT: CMD 'username "Auth"
> "*authpoint\UserName*"'
> Thu Mar 10 10:35:40 2022 MANAGEMENT: CMD 'password [...]'
>
> This sounds like I need to escape the backslash, but if I do this the
> Auth fails completely before the 2FA part comes into the picture. I
> fear that the normal user authentication part and the 2FA code treat
> backslashes differently... how can I get this going, if at all? Should
> I contact the openvpn-devel list for this?
>
>
Before getting into whether this is a bug or not: most Windows-based
authentication systems also accept authpoint/Username (i.e. a forward slash).
Other than that, this does seem to be one for the -devel list, as I
suspect that in manage.c the "parse_line" call does not differentiate
between file paths (for which \\ is needed) and a "domain\username" call.
Alternatively, you might be able to get away with specifying
username@FQDN as well.
HTH,
JJK
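As an added illustration of the point above (example code written for this
page, not OpenVPN's own code and not from either poster), here is a small
Python model of how the management interface tokenises a command such as
'username "Auth" "authpoint\UserName"'. Inside a quoted argument the
backslash is an escape character, so "\U" is not a valid sequence; the
model rejects the line the way OpenVPN does with the "Bad backslash"
warning seen in the log, while the escaped form "authpoint\\UserName" and
the forward-slash form "authpoint/UserName" both get through. Assumptions:
the accepted escapes (\\, \" and an escaped space) follow the management
interface documentation, and the tokeniser is a simplification rather than
a port of parse_line() in the C source; the helper names are mine.

```python
r"""
Model of OpenVPN management-interface argument parsing (added example, not
OpenVPN's code).  Shows why 'username "Auth" "authpoint\UserName"' fails
with "Bad backslash ('\') usage" and how to send the name so it survives.

Assumption: inside an argument a backslash may only escape a backslash, a
double quote or a space, as described in the management-interface notes;
anything else makes OpenVPN drop the whole command.  This tokeniser is a
simplification, not the real parse_line().
"""
from __future__ import annotations


class BadBackslash(ValueError):
    """Where OpenVPN logs 'Bad backslash ... usage' and discards the command."""


def parse_line(line: str) -> list[str]:
    """Split one management command into arguments, OpenVPN-style.

    Whitespace separates arguments, double quotes group them, and a
    backslash escapes only a backslash, a double quote or a space.
    """
    args: list[str] = []
    cur: list[str] = []
    in_quote = False
    have_token = False  # distinguishes "" (an empty argument) from nothing
    i = 0
    while i < len(line):
        ch = line[i]
        if ch == "\\":
            nxt = line[i + 1] if i + 1 < len(line) else ""
            if nxt not in ("\\", '"', " "):
                # Mirrors the warning text quoted in the log above.
                raise BadBackslash(
                    f"Bad backslash ('\\') usage at offset {i}: "
                    "write a literal backslash as '\\\\'"
                )
            cur.append(nxt)
            have_token = True
            i += 2
            continue
        if ch == '"':
            in_quote = not in_quote
            have_token = True
        elif ch.isspace() and not in_quote:
            if have_token:
                args.append("".join(cur))
                cur, have_token = [], False
        else:
            cur.append(ch)
            have_token = True
        i += 1
    if in_quote:
        raise ValueError("unterminated double quote")
    if have_token:
        args.append("".join(cur))
    return args


def quote_arg(value: str) -> str:
    """Quote a value so parse_line() returns it unchanged."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def username_command(domain: str, user: str, sep: str = "/") -> str:
    """Build the 'username "Auth" ...' command for a domain-qualified logon.

    sep="/" needs no escaping (most Windows-based backends accept it);
    sep="\\" is escaped by quote_arg() so the command survives parsing.
    """
    return 'username "Auth" ' + quote_arg(f"{domain}{sep}{user}")


def try_parse(line: str) -> list[str] | str:
    """Return the parsed arguments, or the warning text OpenVPN would log."""
    try:
        return parse_line(line)
    except BadBackslash as exc:
        return f"ERROR: Options warning: {exc}"


if __name__ == "__main__":
    # Constructed commands covering the variants discussed in the thread.
    for cmd in (
        'username "Auth" "authpoint\\UserName"',              # as sent
        username_command("authpoint", "UserName", sep="\\"),  # escaped
        username_command("authpoint", "UserName"),            # forward slash
        'username "Auth" ' + quote_arg("UserName@company.private"),  # UPN
    ):
        print(f"{cmd:48} -> {try_parse(cmd)}")
```

Running the block prints the rejected unescaped form next to the three
forms that parse cleanly; the practical takeaway is the same as JJK's
reply: either double the backslash in what the client sends, or avoid the
backslash entirely with domain/user or user@FQDN.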