user can log in with username/password that does not match certificate presented

Bug #1607055 reported by g
Affects: openvpn-auth-radius (Ubuntu) | Status: Triaged | Importance: Undecided | Assigned to: Unassigned | Milestone: (none)

Bug Description

The radius plugin will accept any username/password combination that is valid. It does not appear to take the user authentication certificate into account. I noticed this and also found another user on the internet that noticed this problem in 2013. http://random.ac/cess/2013/09/21/openvpn-with-freeradius-common-name-as-username/

I think it would be important to verify the certificate matches the username. Or perhaps some way to verify they map to the same user. I haven't investigated enough to suggest the implementation.

Seth Arnold (seth-arnold) wrote:

This kind of change is probably best addressed with the OpenVPN community -- if we make a change of this scale on our own it'd probably break someone's configuration. It ought to be carefully designed and deployed in a manner that's not too surprising for existing installations.

Could you file a bug with the OpenVPN upstream and link the bugs together?

Thanks

information type: Private Security → Public Security
g (wgordonw1) wrote:

In their IRC chat they said this was a plugin problem which is why I posted here instead of their trac.

I did post a similar issue because I was going to attempt to use the auth-user-pass-verify script in the meantime to perform this validation, but the script is not passed enough of the certificate to do validation unless the username is contained in the subject (it is in the SAN for my certificates).

Here is that link: https://community.openvpn.net/openvpn/ticket/717#no4

I would guess that if the radius plugin has access to the certificate it should be trivial to expose opt-in validation logic that wouldn't be backwards incompatible. A simple field match would probably cover most use cases. It seems like opt-out would be better, since the current implementation seems like a security risk, but perhaps backwards compatibility is more important.

g (wgordonw1) wrote:

Where is upstream for this package? I can post a bug report with them. It doesn't sound like it is part of the openvpn project though?

Tyler Hicks (tyhicks) wrote:

The `apt-cache show openvpn-auth-radius` command shows that the homepage is http://www.nongnu.org/radiusplugin/

Changed in openvpn-auth-radius (Ubuntu):
status: New → Triaged
Postmaster FNWI (1-postmaster) wrote:

The server configuration option '--client-connect ./check-user-cn' can be used with a static binary 'check-user-cn' like:

    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    int main(void) {
        const char *cn = getenv("common_name"); /* client certificate CN, exported by OpenVPN */
        const char *usr = getenv("username");   /* name from --auth-user-pass, exported by OpenVPN */
        /* fail closed if either value is missing; non-zero exit rejects the client */
        if (!cn || !usr || strcmp(cn, usr) != 0) { printf("cn and username mismatch\n"); return 1; }
        return 0;
    }
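The same check as a --client-connect hook in POSIX shell, written here as an added example (it is not code from this report or from the radius plugin). It relies on OpenVPN exporting the certificate CN as $common_name and the --auth-user-pass name as $username to the hook; the optional map file ("cn username" per line, path assumed) is an addition for deployments where the two identities legitimately differ, and anything not matched fails closed.

```sh
#!/bin/sh
# --client-connect hook: reject the session unless the RADIUS username
# matches the identity in the client certificate presented for the TLS session.
# Exit 0 accepts the client, non-zero makes OpenVPN reject it.

# Assumed location of the optional "cn username" map (one pair per line).
MAP_FILE="${MAP_FILE:-/etc/openvpn/cn-username.map}"

# check_identity CN USERNAME [MAPFILE]
# Returns 0 when USERNAME equals CN, or when the pair "CN USERNAME" is
# listed in MAPFILE; returns 1 in every other case (including empty input).
check_identity() {
    cn=$1; usr=$2; map=${3:-$MAP_FILE}
    # Missing values mean the hook ran without cert/user info: fail closed.
    [ -n "$cn" ] && [ -n "$usr" ] || return 1
    # Exact, case-sensitive match is the common case.
    [ "$cn" = "$usr" ] && return 0
    # No readable map file: only exact matches are accepted.
    [ -r "$map" ] || return 1
    # Map lines: "<cert CN> <radius username>", '#' starts a comment.
    # The "|| [ -n ... ]" keeps a final line without a trailing newline.
    while read -r mcn musr rest || [ -n "$mcn" ]; do
        case $mcn in ''|'#'*) continue ;; esac
        [ "$mcn" = "$cn" ] && [ "$musr" = "$usr" ] && return 0
    done < "$map"
    return 1
}

# Act as the hook only when OpenVPN supplied both values in the environment.
if [ -n "$common_name" ] && [ -n "$username" ]; then
    if check_identity "$common_name" "$username"; then
        exit 0
    fi
    printf 'cn/username mismatch: cert=%s user=%s\n' "$common_name" "$username" >&2
    exit 1
fi
```

Where the identity lives in a subject field other than the CN, OpenVPN's --x509-username-field option selects which certificate field populates common_name, so the same comparison still applies.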
