ocserv

mirror of https://gitlab.com/openconnect/ocserv.git synced 2026-02-10 16:57:00 +08:00

Author	SHA1	Message	Date
Nikos Mavrogiannopoulos	108d34f613	Ban an IP only when the MAX_PASSWORD_TRIES attempts have been exceeded	2015-02-19 11:47:20 +01:00
Nikos Mavrogiannopoulos	06f2147155	prohibit worker from sending an auth_type of zero	2015-02-19 11:47:20 +01:00
Nikos Mavrogiannopoulos	bfeab4b015	Additional data are passed only to auth module's global_init	2015-02-19 11:47:20 +01:00
Nikos Mavrogiannopoulos	11f43f144a	eliminated auth message upper limit	2015-02-19 11:47:20 +01:00
Nikos Mavrogiannopoulos	daa18cae8d	Ensure that any messages are being forwarded even on success packet	2015-02-19 11:47:20 +01:00
Nikos Mavrogiannopoulos	afef74fa23	removed the certificate[optional] auth type	2015-02-19 11:47:20 +01:00
Nikos Mavrogiannopoulos	8bb0af61bc	Added GSSAPI as an additional password auth mechanism That also adds the ability to support an OR composition of multiple authentication methods. That is using the 'enable-auth' config option.	2015-02-19 11:47:20 +01:00
Nikos Mavrogiannopoulos	3d55134215	when opening a session forward the received cookie to sec-module That allows to verify that the cookie hasn't been tampered without relying only on the MAC.	2015-02-12 21:44:32 +01:00
Nikos Mavrogiannopoulos	38206d6e93	eliminate double books for session expiration Session expiration is now handled only by security module. That simplifies the logic significantly.	2015-02-09 11:25:48 +01:00
Nikos Mavrogiannopoulos	e82e1b8d68	delete client entry after message is sent	2015-02-09 10:57:40 +01:00
Nikos Mavrogiannopoulos	5d3b2da2e1	sec-mod: pass all failures through handle_sec_auth_res() That will set the proper state to the user entry.	2015-01-28 12:56:37 +01:00
Nikos Mavrogiannopoulos	414c5d94da	harmonize the time cookies are stored in security module and main server	2015-01-25 18:48:49 +01:00
Nikos Mavrogiannopoulos	9fc8568107	ensure that stats are only updated if they increase That is, transferred bytes will not decrease in an update due to miscommunication between main and workers.	2014-12-14 20:00:33 +01:00
Nikos Mavrogiannopoulos	07e01d06b5	use strlcpy() instead of snprintf() where it make sense That should reduce wasted cycles.	2014-12-14 19:24:14 +01:00
Nikos Mavrogiannopoulos	853f7876cd	radius: increase the info sent during accounting requests Based on suggestions by Niels Peen. That adds: Calling-Station-Id in auth message, and Service-Type, Framed-Protocol, Framed-IP-Address, Acct-Authentic, NAS-Port-Type, Acct-Session-Time in acct messages.	2014-12-14 15:03:59 +01:00
Nikos Mavrogiannopoulos	065753bd57	undid `ed5b177691` It is not currently possible to reload only a part of the configuration. If the back-end module changes, the server will bail out instead.	2014-12-10 15:28:14 +01:00
Nikos Mavrogiannopoulos	c15a7befbb	sec-mod: always reply on open-session cmd	2014-12-10 15:10:25 +01:00
Nikos Mavrogiannopoulos	c8a2666fa7	avoid crash when no auth module is in use	2014-12-10 14:15:37 +01:00
Nikos Mavrogiannopoulos	0551338a7a	sec-mod: preparations for thread safety	2014-12-10 14:10:17 +01:00
Nikos Mavrogiannopoulos	54e6450807	sec-mod: separated request serving from main loop	2014-12-10 13:30:56 +01:00
Nikos Mavrogiannopoulos	320773e80a	Added support for radius interim updates	2014-12-10 11:18:29 +01:00
Nikos Mavrogiannopoulos	2194e11b39	Added support for radius authentication	2014-12-09 10:59:18 +01:00
Nikos Mavrogiannopoulos	baa3e4701e	Supplementary configuration is now read by the security module. That allows sec-mod to handle both authentication and accounting. That deprecates the session-control configuration option.	2014-12-08 13:52:28 +01:00
Nikos Mavrogiannopoulos	7b0e20e6ad	sec-mod: made logging consistent with the main server	2014-12-01 22:49:09 +01:00
Nikos Mavrogiannopoulos	987974a59e	sec-mod: print whether a certificate is present	2014-11-27 13:33:02 +01:00
Nikos Mavrogiannopoulos	78b3685f7a	Generate a new DTLS session ID on every cookie connection That allows openconnect to distinguish when the DTLS key has switched.	2014-11-16 10:00:15 +01:00
Nikos Mavrogiannopoulos	473ceebe4c	Added sanity checks into sec-mod That prevents a crash when certificate authentication is used but session control is enabled. Reported by George Panda.	2014-10-11 08:25:17 +02:00
Nikos Mavrogiannopoulos	1cb35b8b09	use more reasonable names to open and close a session	2014-09-25 16:41:54 +02:00
Nikos Mavrogiannopoulos	365ca267d4	added new authentication mode optional-certificate That mode allows having only specific group of users that are required to present a certificate.	2014-09-24 12:41:31 +02:00
Nikos Mavrogiannopoulos	30bcf35576	Revert "license upgraded to GPLv3" This reverts commit `213f9a63ee`. Conflicts: configure.ac	2014-09-24 11:34:15 +02:00
Nikos Mavrogiannopoulos	a40c5afcc8	sec-mod-auth: don't print misleading message on session control	2014-09-01 00:45:20 +02:00
Nikos Mavrogiannopoulos	4fa0053d54	ocserv: prompt the user for group selection even if only certificate authentication is used.	2014-06-26 13:46:31 +02:00
Nikos Mavrogiannopoulos	28dca2aa0c	Added support for session control (relevant for PAM for now) That in effect will utilize the pam_open_session() and pam_close_session(). It is disabled by default as it requires more resources from the security module.	2014-06-10 15:16:40 +02:00
Nikos Mavrogiannopoulos	01db3e5817	Include the SID into the cookie and store it in proc_st.	2014-06-10 10:41:10 +02:00
Nikos Mavrogiannopoulos	25fbdfbf70	Keep track of cookies internally. That allows to restrict the cookie validity time to the absolutely minimum required to establish and reconnect a recently disconnected session. That deprecates the cookie-validity option and introduces the cookie-timeout option.	2014-05-27 16:00:57 +02:00
Nikos Mavrogiannopoulos	2e1c1bb29f	require the certificate being present on the sec-mod session initialization.	2014-05-27 10:46:16 +02:00
Nikos Mavrogiannopoulos	78132e2a6d	Added auto group listing on PAM authentication as well. In addition a configuration option to print group IDs over a certain number was added.	2014-05-23 16:36:48 +02:00
Nikos Mavrogiannopoulos	213f9a63ee	license upgraded to GPLv3	2014-05-23 11:50:56 +02:00
Nikos Mavrogiannopoulos	de50dd413b	Better auth log messages.	2014-05-23 11:36:37 +02:00
Nikos Mavrogiannopoulos	6dcc9acf77	Restrict cookies to a single IP address.	2014-05-21 16:19:07 +02:00
Nikos Mavrogiannopoulos	6ca3c4761c	Cookies are packed using protocol buffers to reduce their size.	2014-05-21 16:11:05 +02:00
Nikos Mavrogiannopoulos	7153ea8ea7	more precise usage of MAX_*_SIZE definitions.	2014-05-21 06:21:34 +02:00
Nikos Mavrogiannopoulos	aef5dc0633	Allow multiple groups to be present in a client certificate. In that case the user will be prompted to select a group.	2014-05-20 15:36:40 +02:00
Nikos Mavrogiannopoulos	4755ee48c5	Added the select-group and auto-select-group config options. These options allow to prompt the user for a group prior to login. That in addition enhances the password file format and multiple groups can be specified on a comma separated list, as: user:group1,group2,group3:$5$encodedpassword	2014-05-19 18:25:25 +02:00
Nikos Mavrogiannopoulos	d99c527758	memory reorganization in sec-mod. It no longer relies on main pool, it uses it's own pool. In addition the DEBUG_LEAKS definition was added to allow debugging leaks.	2014-05-15 16:44:43 +02:00
Nikos Mavrogiannopoulos	f9ce018f68	Add the clock_gettime() syscall on the list of allowed in seccomp.	2014-05-15 14:28:18 +02:00
Nikos Mavrogiannopoulos	68c4b2371b	Renamed main-auth.h.	2014-05-15 11:39:02 +02:00
Nikos Mavrogiannopoulos	fcaeacbd00	Added sanity checks in state transitions.	2014-05-14 14:51:41 +02:00
Nikos Mavrogiannopoulos	53f3129da9	Authentication modules were moved to subdirectory auth/	2014-05-14 14:35:50 +02:00
Nikos Mavrogiannopoulos	3f9a215f53	Allow for random and for predictable IP assignment.	2014-05-14 13:00:11 +02:00

1 2

51 Commits