author | Daniel Kubec <niel@rtfm.cz> | 2015-04-05 00:10:37 +0200 |
---|---|---|
committer | David Sommerseth <davids@redhat.com> | 2015-10-10 00:03:07 +0200 |
commit | f7ef7522f5c7e6d4abfa5a0378c2e2ad265c65ec | |
tree | db04092f643139b146b822522b1a52baa8f2edd0 /sample/sample-plugins/keying-material-exporter-demo/README | |
parent | 84604e0bae7216b46642d5a1a443b86f712d53aa | |
sample-plugin: TLS Keying Material Exporter [RFC-5705] demonstration plug-in
A simple plug-in with a corresponding HTTP server and client which can authenticate
an HTTP user based on the authentication already done via an established OpenVPN
connection
[DS: Renamed the module at commit time from sso to keyingmaterialexporter to
avoid confusion with other Single-Sign-On solutions. Updated documentation
and commits accordingly. Added --pull to the client config]
Signed-off-by: Daniel Kubec <niel@rtfm.cz>
Signed-off-by: David Sommerseth <davids@redhat.com>
Acked-by: David Sommerseth <davids@redhat.com>
Diffstat (limited to 'sample/sample-plugins/keying-material-exporter-demo/README')
-rw-r--r-- | sample/sample-plugins/keying-material-exporter-demo/README | 68 |
1 files changed, 68 insertions, 0 deletions
diff --git a/sample/sample-plugins/keying-material-exporter-demo/README b/sample/sample-plugins/keying-material-exporter-demo/README new file mode 100644 index 0000000..a245d23 --- /dev/null +++ b/sample/sample-plugins/keying-material-exporter-demo/README 
@@ -0,0 +1,68 @@ +OpenVPN plugin examples. Daniel Kubec <niel@rtfm.cz> + +Examples provided: + +keyingmaterialexporter.c -- Example based on TLS Keying Material Exporters over HTTP [RFC-5705] + (openvpn/doc/keying-material-exporter.txt) + +This example demonstrates authenticating a user over HTTP who have already +established an OpenVPN connecting using the --keying-material-exporter +feature. + +Requires: +OpenVPN RFC-5705 Support, OpenSSL >= 1.0.1 + +Files: + http-server.py -- Example HTTP Server listen 0.0.0.0:8080 + http-client.py -- Example HTTP Client connect 10.8.0.1:8080 [GET /$SESSIONID] + + server.ovpn -- Example HTTP SSO VPN Server configuration + client.ovpn -- Example HTTP SSO VPN Client configuration + + keyingmaterialexporter.c, + keyingmaterialexporter.so -- Example OpenVPN Client and Server plugin + +To build: + ./build keyingmaterialexporter + +To use in OpenVPN: + +Enter openvpn/sample/sample-plugins/keyingmaterialexporter directory +and in separate terminals, start these four processes: + +$ openvpn --config ./server.ovpn +$ openvpn --config ./client.ovpn +$ ./http-server.py +$ ./http-client.py + +Test: + +openvpn --config ./server.ovpn +############################## + +PLUGIN SSO: app session created +PLUGIN_CALL: POST ./keyingmaterialexporter.so/PLUGIN_TLS_VERIFY status=0 +PLUGIN SSO: app session key: a5885abc84d361803f58ede1ef9c0adf99e720cd +PLUGIN SSO: app session file: /tmp/openvpn_sso_a5885abc84d361803f58ede1ef9c0adf99e720cd +PLUGIN SSO: app session user: Test-Client + +openvpn --config ./client.ovpn +############################## +PLUGIN SSO: app session created +PLUGIN_CALL: POST ./keyingmaterialexporter.so/PLUGIN_TLS_VERIFY status=0 +PLUGIN SSO: app session key: a5885abc84d361803f58ede1ef9c0adf99e720cd +PLUGIN SSO: app session file: /tmp/openvpn_sso_user +PLUGIN_CALL: POST ./keyingmaterialexporter.so/PLUGIN_TLS_FINAL status=0 + +HTTP_SERVER: +http-server.py +################ +http server started +session file: 
/tmp/openvpn_sso_a5885abc84d361803f58ede1ef9c0adf99e720cd +10.8.0.1 - - [02/Apr/2015 15:03:33] "GET /a5885abc84d361803f58ede1ef9c0adf99e720cd HTTP/1.1" 200 - +session user: Test-Client +session key: a5885abc84d361803f58ede1ef9c0adf99e720cd + +HTTP_SERVER: +http-client.py +<html><body><h1>Greetings Test-Client. You are authorized</h1></body></html> |
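
Review bot: The README should say that the session handling shown under "Files" and "Test" is for demonstration only, because the value logged as `app session key` is also the name of the session file under /tmp (`/tmp/openvpn_sso_<key>`) and the path of the HTTP request (`GET /$SESSIONID`). Anyone who can read the OpenVPN log, list /tmp, or read the HTTP access log then holds the same value that the HTTP server answers with "You are authorized". Suggest adding a short note to that effect and, since http-client.py connects to 10.8.0.1:8080, recommending that http-server.py listen on the VPN address rather than 0.0.0.0:8080. Smaller points in the same hunk: the "To use in OpenVPN" step names the directory `openvpn/sample/sample-plugins/keyingmaterialexporter` while the file is added under `keying-material-exporter-demo`; the second `HTTP_SERVER:` label sits above the http-client.py output; the client log shows `/tmp/openvpn_sso_user` where the server log shows the key-named file, which deserves a sentence of explanation; the log prefix `PLUGIN SSO` and the `openvpn_sso_` file prefix still carry the old module name; and "who have already established an OpenVPN connecting" should read "who has already established an OpenVPN connection".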