Nikos Mavrogiannopoulos
e7f0b1f947
keep statistics over the lifetime of a session rather than closing and opening the session multiple times
2015-02-22 22:01:47 +01:00
Nikos Mavrogiannopoulos
bc7c1bf8d9
check state on session cmd
2015-02-22 10:35:52 +01:00
Nikos Mavrogiannopoulos
9682a0f635
when combining multiple auth methods as primary, combine the name as well
2015-02-22 10:31:55 +01:00
Nikos Mavrogiannopoulos
de932ec60a
removed pointless check
2015-02-22 10:08:10 +01:00
Nikos Mavrogiannopoulos
f1bc754169
add part of the session ID in logs to differentiate them
2015-02-21 17:14:09 +01:00
Nikos Mavrogiannopoulos
89ca2a3889
sec-mod: prevent an auth init message when not in inactive mode
2015-02-21 16:40:53 +01:00
Nikos Mavrogiannopoulos
30300cf65e
sec-mod: more verbose logging
2015-02-21 16:32:14 +01:00
Nikos Mavrogiannopoulos
218162458e
sec-mod: corrected usage counting issue in client entries kept
2015-02-21 10:03:33 +01:00
Nikos Mavrogiannopoulos
c1a6f4730b
Added the configure option server-name
...
If set it will be used to set the NAS_IDENTIFIER in radius.
2015-02-21 08:20:16 +01:00
Nikos Mavrogiannopoulos
2557944bf0
eliminated unneeded variable
2015-02-19 19:29:03 +01:00
Nikos Mavrogiannopoulos
98f88f2060
sec-mod-auth: use auth_user module function only when a module is available
2015-02-19 17:11:56 +01:00
Nikos Mavrogiannopoulos
597d1a6a47
update username in GSSAPI
2015-02-19 11:47:20 +01:00
Nikos Mavrogiannopoulos
108d34f613
Ban an IP only when the MAX_PASSWORD_TRIES attempts have been exceeded
2015-02-19 11:47:20 +01:00
Nikos Mavrogiannopoulos
06f2147155
prohibit worker from sending an auth_type of zero
2015-02-19 11:47:20 +01:00
Nikos Mavrogiannopoulos
bfeab4b015
Additional data are passed only to auth module's global_init
2015-02-19 11:47:20 +01:00
Nikos Mavrogiannopoulos
11f43f144a
eliminated auth message upper limit
2015-02-19 11:47:20 +01:00
Nikos Mavrogiannopoulos
daa18cae8d
Ensure that any messages are being forwarded even on success packet
2015-02-19 11:47:20 +01:00
Nikos Mavrogiannopoulos
afef74fa23
removed the certificate[optional] auth type
2015-02-19 11:47:20 +01:00
Nikos Mavrogiannopoulos
8bb0af61bc
Added GSSAPI as an additional password auth mechanism
...
That also adds the ability to support an OR composition of multiple
authentication methods. That is using the 'enable-auth' config option.
2015-02-19 11:47:20 +01:00
Nikos Mavrogiannopoulos
3d55134215
when opening a session forward the received cookie to sec-module
...
That allows verifying that the cookie hasn't been tampered with,
without relying only on the MAC.
2015-02-12 21:44:32 +01:00
Nikos Mavrogiannopoulos
38206d6e93
eliminate double books for session expiration
...
Session expiration is now handled only by security
module. That simplifies the logic significantly.
2015-02-09 11:25:48 +01:00
Nikos Mavrogiannopoulos
e82e1b8d68
delete client entry after message is sent
2015-02-09 10:57:40 +01:00
Nikos Mavrogiannopoulos
5d3b2da2e1
sec-mod: pass all failures through handle_sec_auth_res()
...
That will set the proper state to the user entry.
2015-01-28 12:56:37 +01:00
Nikos Mavrogiannopoulos
414c5d94da
harmonize the time cookies are stored in security module and main server
2015-01-25 18:48:49 +01:00
Nikos Mavrogiannopoulos
9fc8568107
ensure that stats are only updated if they increase
...
That is, transferred bytes will not decrease in an update
due to miscommunication between main and workers.
2014-12-14 20:00:33 +01:00
Nikos Mavrogiannopoulos
07e01d06b5
use strlcpy() instead of snprintf() where it makes sense
...
That should reduce wasted cycles.
2014-12-14 19:24:14 +01:00
Nikos Mavrogiannopoulos
853f7876cd
radius: increase the info sent during accounting requests
...
Based on suggestions by Niels Peen. That adds:
Calling-Station-Id in auth message, and Service-Type,
Framed-Protocol, Framed-IP-Address, Acct-Authentic,
NAS-Port-Type, Acct-Session-Time in acct messages.
2014-12-14 15:03:59 +01:00
Nikos Mavrogiannopoulos
065753bd57
undid ed5b177691
...
It is not currently possible to reload only a part of the
configuration. If the back-end module changes, the server will
bail out instead.
2014-12-10 15:28:14 +01:00
Nikos Mavrogiannopoulos
c15a7befbb
sec-mod: always reply on open-session cmd
2014-12-10 15:10:25 +01:00
Nikos Mavrogiannopoulos
c8a2666fa7
avoid crash when no auth module is in use
2014-12-10 14:15:37 +01:00
Nikos Mavrogiannopoulos
0551338a7a
sec-mod: preparations for thread safety
2014-12-10 14:10:17 +01:00
Nikos Mavrogiannopoulos
54e6450807
sec-mod: separated request serving from main loop
2014-12-10 13:30:56 +01:00
Nikos Mavrogiannopoulos
320773e80a
Added support for radius interim updates
2014-12-10 11:18:29 +01:00
Nikos Mavrogiannopoulos
2194e11b39
Added support for radius authentication
2014-12-09 10:59:18 +01:00
Nikos Mavrogiannopoulos
baa3e4701e
Supplementary configuration is now read by the security module.
...
That allows sec-mod to handle both authentication and accounting.
That deprecates the session-control configuration option.
2014-12-08 13:52:28 +01:00
Nikos Mavrogiannopoulos
7b0e20e6ad
sec-mod: made logging consistent with the main server
2014-12-01 22:49:09 +01:00
Nikos Mavrogiannopoulos
987974a59e
sec-mod: print whether a certificate is present
2014-11-27 13:33:02 +01:00
Nikos Mavrogiannopoulos
78b3685f7a
Generate a new DTLS session ID on every cookie connection
...
That allows openconnect to distinguish when the DTLS key has switched.
2014-11-16 10:00:15 +01:00
Nikos Mavrogiannopoulos
473ceebe4c
Added sanity checks into sec-mod
...
That prevents a crash when certificate authentication is
used but session control is enabled. Reported by George Panda.
2014-10-11 08:25:17 +02:00
Nikos Mavrogiannopoulos
1cb35b8b09
use more reasonable names to open and close a session
2014-09-25 16:41:54 +02:00
Nikos Mavrogiannopoulos
365ca267d4
added new authentication mode optional-certificate
...
That mode allows having only a specific group of users that are required
to present a certificate.
2014-09-24 12:41:31 +02:00
Nikos Mavrogiannopoulos
30bcf35576
Revert "license upgraded to GPLv3"
...
This reverts commit 213f9a63ee.
Conflicts:
configure.ac
2014-09-24 11:34:15 +02:00
Nikos Mavrogiannopoulos
a40c5afcc8
sec-mod-auth: don't print misleading message on session control
2014-09-01 00:45:20 +02:00
Nikos Mavrogiannopoulos
4fa0053d54
ocserv: prompt the user for group selection even if only certificate authentication is used.
2014-06-26 13:46:31 +02:00
Nikos Mavrogiannopoulos
28dca2aa0c
Added support for session control (relevant for PAM for now)
...
That in effect will utilize the pam_open_session() and pam_close_session().
It is disabled by default as it requires more resources from the security module.
2014-06-10 15:16:40 +02:00
Nikos Mavrogiannopoulos
01db3e5817
Include the SID into the cookie and store it in proc_st.
2014-06-10 10:41:10 +02:00
Nikos Mavrogiannopoulos
25fbdfbf70
Keep track of cookies internally.
...
That allows restricting the cookie validity time to the absolute minimum
required to establish and reconnect a recently disconnected session.
That deprecates the cookie-validity option and introduces the cookie-timeout
option.
2014-05-27 16:00:57 +02:00
Nikos Mavrogiannopoulos
2e1c1bb29f
require the certificate being present on the sec-mod session initialization.
2014-05-27 10:46:16 +02:00
Nikos Mavrogiannopoulos
78132e2a6d
Added auto group listing on PAM authentication as well.
...
In addition a configuration option to print group IDs over a
certain number was added.
2014-05-23 16:36:48 +02:00
Nikos Mavrogiannopoulos
213f9a63ee
license upgraded to GPLv3
2014-05-23 11:50:56 +02:00