[PATCH] Introduce external-auth flag to make client-side authentication methods optional

Author: jkroepke

doc/man-sections/client-options.rst

@@ -87,6 +87,20 @@ configuration.
   The server configuration must specify an ``--auth-user-pass-verify``
   script to verify the username/password provided by the client.
 
+--external-auth
+  For security reasons, OpenVPN requires client-side credentials such as
+  client certificates or a username/password combination. The OpenVPN server
+  has the capability to delegate authentication to external systems using the
+  WEBAUTH protocol. In such cases, client credentials may be omitted.
+
+  ***Security Considerations***
+
+  When the ``--external-auth`` option is enabled in OpenVPN, it bypasses the
+  standard authentication checks. This configuration can potentially create a
+  risky environment where an OpenVPN server operates without requiring
+  authentication. If you opt to utilize ``--external-auth``, it's crucial to
+  thoroughly validate that the OpenVPN server has been adequately secured.
+
 --auth-retry type
   Controls how OpenVPN responds to username/password verification errors
   such as the client-side response to an :code:`AUTH_FAILED` message from

src/openvpn/options.c

@@ -499,6 +499,7 @@ static const char usage_message[] =
     "                  and a password on the second. If either the password or both\n"
     "                  the username and the password are omitted OpenVPN will prompt\n"
     "                  for them from console.\n"
+    "--external-auth   : If set, client-side credentials may be provided optionally.\n"
     "--pull           : Accept certain config file options from the peer as if they\n"
     "                  were part of the local config file.  Must be specified\n"
     "                  when connecting to a '--mode server' remote host.\n"
@@ -3004,12 +3005,12 @@ options_postprocess_verify_ce(const struct options *options,
 
                 if (sum == 0)
                 {
-                    if (!options->auth_user_pass_file)
+                    if (!options->auth_user_pass_file && !options->external_auth)
                     {
                         msg(M_USAGE, "No client-side authentication method is "
                             "specified.  You must use either "
-                            "--cert/--key, --pkcs12, or "
-                            "--auth-user-pass");
+                            "--cert/--key, --pkcs12, "
+                            "--auth-user-pass, or --external-auth");
                     }
                 }
                 else if (sum != 2)
@@ -7917,6 +7918,11 @@ add_option(struct options *options,
             options->auth_user_pass_file = "stdin";
         }
     }
+    else if (streq(p[0], "external-auth") && !p[1])
+    {
+        VERIFY_PERMISSION(OPT_P_GENERAL);
+        options->external_auth = true;
+    }
     else if (streq(p[0], "auth-retry") && p[1] && !p[2])
     {
         VERIFY_PERMISSION(OPT_P_GENERAL);

src/openvpn/options.h

@@ -542,6 +542,7 @@ struct options
     const char *auth_user_pass_file;
     bool auth_user_pass_file_inline;
     struct options_pre_connect *pre_connect;
+    bool external_auth;
 
     int scheduled_exit_interval;