poslovnjak
Hello, this is my first post so please bear with me.

I'm using ClearOS Community 6.3, with a configured OpenVPN server that works without a hitch. Yesterday, I was cleaning up users and noticed that I can still connect with a user account that was deleted or had OpenVPN disabled through webconfig.

I have disabled user password authentication as described in this post:

https://www.clearos.com/clearfoundation/social/community/override-user-password-authentication-for-openvpn


I was wondering if that is the reason the deleted user can still connect? Or does anybody have the same issue? Anyhow, I still need OpenVPN to work without password auth (because of Windows service users).

Any help is appreciated. :-)
Tuesday, March 07 2017, 11:46 AM
Responses (10)
  • poslovnjak
    Thursday, March 09 2017, 07:02 PM
    Thanks for the bug report. I'm still waiting for a response from ClearCARE for a user/pass for bug reporting, so this will speed things up.

    I will try to start the CRL described in that article; if that resolves my problem I will post it here.
  • Thursday, March 09 2017, 06:36 PM
    Reading up on the OpenVPN HowTo, the authentication model looks wacky. It is almost as if the server and client self-authenticate. This means the server only sees the CA presented by the client and vice versa. It also seems to suggest the only way to disable a client from authenticating is to use a CRL on the server. Unfortunately a CRL mechanism is not provided by ClearOS. Further down the HowTo there is a bit on CRLs. Perhaps you could try it.

    I would consider this a Severe/Major bug as it is a security hole. I'm happy to raise a bug for you.

    [edit]
    ... but it is self-created by disabling user-pass access.

    Anyway Bug 13611 filed.
    [/edit]
  • poslovnjak
    Thursday, March 09 2017, 01:48 PM
    Yeah, me too. I have deleted all user certificates in the /pki/ca and /pki/ca/private folders, but I don't dare to delete the line in index.txt, and the user can still connect. For another user I revoked his cert, which changed his line in index.txt, but he can still connect.

    I really don't understand why, when OpenVPN is establishing a connection and checking certificates, it doesn't even log any error or certificate mismatch for either user.
  • Thursday, March 09 2017, 01:08 PM
    From memory I don't think clients.conf is configured to point to a CRL file. Perhaps you could have a look and try adding "crl-verify path_to_your_CRL_file" to clients.conf. What I don't understand is why, if the certificates have been deleted, OpenVPN still allows a connection.
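An added check in Python (not from this thread and not part of ClearOS): it parses the index.txt CA database the posts refer to and an OpenVPN server config, and reports client certs marked revoked that the server would still accept because no crl-verify directive points it at a CRL. The index.txt lines, config fragments, paths and subject names are constructed samples.

```python
from dataclasses import dataclass

# Constructed sample of an OpenSSL CA database (index.txt): one valid and one
# revoked client cert. Tab-separated fields: status (V/R/E), expiry,
# revocation date, serial, filename, subject DN.
SAMPLE_INDEX = (
    "V\t270301120000Z\t\t01\tunknown\t/C=US/O=Example/CN=alice\n"
    "R\t270301120000Z\t170309071500Z\t02\tunknown\t/C=US/O=Example/CN=bob\n"
)
# Constructed OpenVPN server config fragments, without and with crl-verify.
CONF_WITHOUT_CRL = "port 1194\nproto udp\nca /etc/pki/CA/ca-cert.pem\n"
CONF_WITH_CRL = CONF_WITHOUT_CRL + "crl-verify /etc/pki/CA/crl.pem\n"

@dataclass
class IndexEntry:
    status: str      # V = valid, R = revoked, E = expired
    serial: str
    subject: str
    revoked_at: str  # empty unless status is R

def parse_index(text):
    """Parse index.txt lines into IndexEntry records."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 6:
            raise ValueError(f"malformed index.txt line: {line!r}")
        status, _expiry, revoked, serial, _fname, subject = fields
        # the revocation field may carry a ",reason" suffix; keep only the date
        entries.append(IndexEntry(status, serial, subject, revoked.split(",")[0]))
    return entries

def crl_path(conf_text):
    """Return the file named by crl-verify in an OpenVPN config, or None."""
    for line in conf_text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] == "crl-verify":
            return parts[1]
    return None

def unenforced_revocations(index_text, conf_text):
    """Subjects marked R in index.txt that the server will still accept
    because no crl-verify directive makes OpenVPN consult a CRL."""
    if crl_path(conf_text) is not None:
        return []
    return [e.subject for e in parse_index(index_text) if e.status == "R"]
```

Even with crl-verify present, the CRL file must be regenerated after each revocation (openssl ca -gencrl) or the server keeps trusting the old list.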
  • poslovnjak
    Thursday, March 09 2017, 09:52 AM
    Tried restarting nscd, same issue.

    I suspect this has something to do with the CA, meaning the CA isn't notified which certificates are revoked/deleted/disabled. I researched some articles for different distros where they mention that after revoking a certificate, the CRL needs to be updated, but most of these articles have OpenVPN installed along with easyRSA, which ClearOS doesn't have.

    I will try to post a bug report.
  • Thursday, March 09 2017, 09:34 AM
    I suspect there is some credentials caching. nscd? Perhaps you could try restarting it. I'm away from my system so can't poke around.

    Bug reports are under Community > ClearOS Issue Tracker, but you may need to request password access.
  • poslovnjak
    Thursday, March 09 2017, 07:32 AM
    No, revoking the certificate did nothing, the user is still able to connect.

    After manually deleting the user's certs and deleting the line in index.txt, the user is still able to connect.

    I would file a bug report, but can't find where to. Is it under Community - Feature request? I can only find Issue tracker.
  • Wednesday, March 08 2017, 04:55 PM
    The "database" is /etc/pki/CA/index.txt. I have edited it in the past but don't know how safe it is to do so.

    Did revoking the certificate stop the user from connecting?

    Also have you been able to file a bug?
  • poslovnjak
    Wednesday, March 08 2017, 07:07 AM
    Thanks for your reply.

    I have guessed that much, so I deleted the user certificate with the following command:

    openssl ca -config openssl.cnf -revoke *.pem


    I don't know how to update the database though...
  • Tuesday, March 07 2017, 10:38 PM
    If you disable user/pass authentication you rely totally on certificates. You'll need to remove his certificates. As you've deleted the user you may need to go into the underlying files in (iirc) /etc/pki, and remember the private key file and adjust the mini-database file.

    If you're very keen you could file a bug to the effect that when you delete a user, certificates should also be deleted.