Hello, this is my first post so please bear with me.
I'm using ClearOS Community 6.3, with a configured OpenVPN server that works without a hitch. Yesterday, I was cleaning up users and noticed that I can still connect with a user account that was deleted or had OpenVPN disabled through webconfig.
I have disabled user password authentication as described in this post:
https://www.clearos.com/clearfoundation/social/community/override-user-password-authentication-for-openvpn
I was wondering if that is the reason a deleted user can still connect? Or does anybody have the same issue? Anyhow, I still need OpenVPN to work without password auth (because of Windows service users).
Any help is appreciated. :-)
Responses (10)
-
Reading up on the OpenVPN HowTo, the authentication model looks whacky. It is almost as if the server and client self-authenticate. This means the server only sees the CA presented by the client and vice-versa. It also seems to suggest the only way to disable a client from authenticating is to use a CRL on the server. Unfortunately a CRL mechanism is not provided by ClearOS. Further down the HowTo there is a bit on CRLs. Perhaps you could try it.
I would consider this a Severe/Major bug as it is a security hole. I'm happy to raise a bug for you.
[edit]
..... but it is self-created by disabling user-pass access.
Anyway Bug 13611 filed.
[/edit]
-
Yeah, me too. I have deleted all user certificates in the /pki/ca and /pki/ca/private folders, but I don't dare to delete the line in index.txt, and the user can still connect. On another user I revoked his cert, which changed his line in index.txt, but he can still connect.
I really don't understand why, when OpenVPN is establishing the connection and checking certificates, it doesn't even log any error or certificate mismatch for either user.
-
Tried restarting nscd, same issue.
I suspect this has something to do with the CA, meaning the CA isn't notified which certificates are revoked/deleted/disabled. I researched some articles for different distros where they mention that after revoking a certificate, the CRL needs to be updated, but most of these articles have OpenVPN installed along with easy-rsa, which ClearOS doesn't have.
I will try to post a bug report.
-
No, revoking the certificate did nothing, the user is still able to connect.
After manually deleting the user's certs and deleting the line in index.txt, the user is still able to connect.
I would file a bug report, but can't find where to. Is it under Community - Feature request? I can only find Issue tracker.
-
If you disable user/pass authentication you rely totally on certificates. You'll need to remove his certificates. As you've deleted the user you may need to go into the underlying files in (iirc) /etc/pki, and remember the private key file and adjust the mini-database file.
If you're very keen you could file a bug to the effect that when you delete a user, certificates should also be deleted.
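The two points made in the replies above, that with user/pass off the server trusts any certificate the CA ever signed, and that only a CRL the server actually checks takes a revoked certificate out of play, as an added example that is not from this thread or from ClearOS. It builds a throwaway CA in a temp directory (the paths and the "alice" client are constructed for the demo), revokes alice's certificate, and shows that the R entry in index.txt changes nothing until a CRL is generated and consulted, which on the OpenVPN side is what a `crl-verify` line pointing at that CRL does.

```shell
#!/bin/sh
# Throwaway CA built in a temp dir for this demo; nothing here touches ClearOS's own /etc/pki.
set -eu
WORK=$(mktemp -d); cd "$WORK"
mkdir -p ca/private ca/newcerts; touch ca/index.txt; echo 1000 > ca/serial
cat > ca.cnf <<EOF
[ ca ]
default_ca = demo
[ demo ]
dir = $WORK/ca
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
certificate = \$dir/ca.crt
private_key = \$dir/private/ca.key
serial = \$dir/serial
default_md = sha256
default_days = 365
default_crl_days = 30
policy = demo_policy
[ demo_policy ]
commonName = supplied
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = CA:TRUE
EOF
# CA key and cert, then a client cert for "alice" signed by that CA.
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca/private/ca.key -out ca/ca.crt \
  -subj /CN=demo-ca -days 365 -config ca.cnf 2>/dev/null
openssl req -newkey rsa:2048 -nodes -keyout alice.key -out alice.csr \
  -subj /CN=alice -config ca.cnf 2>/dev/null
openssl ca -batch -config ca.cnf -in alice.csr -out alice.crt >/dev/null 2>&1
# Revoke alice. This only flips her status letter in index.txt from V to R.
openssl ca -config ca.cnf -revoke alice.crt 2>/dev/null
# Publish the revocation as a CRL, the file an OpenVPN "crl-verify" line would point at.
openssl ca -config ca.cnf -gencrl -out crl.pem 2>/dev/null
# Status letter recorded for alice in the CA database (V = valid, R = revoked).
index_status() { awk -F '\t' '/CN=alice/ { print $1 }' ca/index.txt; }
# Verdict of a verifier that never consults the CRL (a server without crl-verify).
verify_no_crl() {
  openssl verify -CAfile ca/ca.crt alice.crt >/dev/null 2>&1 && echo OK || echo REJECTED
}
# Verdict of a verifier that checks the CRL.
verify_with_crl() {
  openssl verify -crl_check -CAfile ca/ca.crt -CRLfile crl.pem alice.crt >/dev/null 2>&1 && echo OK || echo REJECTED
}
echo "index.txt=$(index_status) without-CRL=$(verify_no_crl) with-CRL=$(verify_with_crl)"
```

Needs the openssl command line tool; on a real ClearOS box the CA directory is the one under /etc/pki that the replies mention, and the generated crl.pem has to be regenerated after every revocation for crl-verify to see it.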