author | james <james@e7ae566f-a301-0410-adde-c780ea21d3b5> | 2008-10-28 20:01:05 +0000 |
---|---|---|
committer | james <james@e7ae566f-a301-0410-adde-c780ea21d3b5> | 2008-10-28 20:01:05 +0000 |
commit | 24ce3b27fb2c9fd53bd521e1dd524ad64e338e68 (patch) | |
tree | 7c15fb7c5ba8a9f0ab1a7c1834d356e677efd458 /openvpn.8 | |
parent | Change to pkitool/openssl.cnf so that calling scripts can (diff) | |
download | openvpn-24ce3b27fb2c9fd53bd521e1dd524ad64e338e68.tar.xz |
Added server-side --auth-user-pass-optional directive, to allow
connections by clients that do not specify a username/password, when a
user-defined authentication script/module is in place (via
--auth-user-pass-verify, --management-client-auth, or a plugin module).
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@3461 e7ae566f-a301-0410-adde-c780ea21d3b5
Diffstat (limited to 'openvpn.8')
-rw-r--r-- | openvpn.8 | 19 |
1 files changed, 19 insertions, 0 deletions
@@ -102,6 +102,7 @@ openvpn \- secure IP tunnel daemon. [\ \fB\-\-askpass\fR\ \fI[file]\fR\ ] [\ \fB\-\-auth\-nocache\fR\ ] [\ \fB\-\-auth\-retry\fR\ \fItype\fR\ ] +[\ \fB\-\-auth\-user\-pass\-optional\fR\ ] [\ \fB\-\-auth\-user\-pass\-verify\fR\ \fIscript\fR\ ] [\ \fB\-\-auth\-user\-pass\fR\ \fIup\fR\ ] [\ \fB\-\-auth\fR\ \fIalg\fR\ ] @@ -3250,6 +3251,24 @@ For a sample script that performs PAM authentication, see in the OpenVPN source distribution. .\"********************************************************* .TP +.B --auth-user-pass-optional +Allow connections by clients that do not specify a username/password. +Normally, when +.B --auth-user-pass-verify +or +.B --management-client-auth +is specified (or an authentication plugin module), the +OpenVPN server daemon will require connecting clients to specify a +username and password. This option makes the submission of a username/password +by clients optional, passing the responsibility to the user-defined authentication +module/script to accept or deny the client based on other factors +(such as the setting of X509 certificate fields). When this option is used, +and a connecting client does not submit a username/password, the user-defined +authentication module/script will see the username and password as being set +to empty strings (""). The authentication module/script MUST have logic +to detect this condition and respond accordingly. +.\"********************************************************* +.TP .B --client-cert-not-required Don't require client certificate, client will authenticate using username/password only. Be aware that using this directive |
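Review bot: In the second hunk (openvpn.8, the new --auth-user-pass-optional entry), the closing sentence "The authentication module/script MUST have logic to detect this condition and respond accordingly" does not say what the safe response is, so a script written before this option existed has no documented behaviour to fall back on when it receives empty strings. Suggest stating the default explicitly, for example that the module/script should deny a client whose username and password are both "" unless it has positively checked the other factor the paragraph mentions (X509 certificate fields). The same entry also says nothing about the --client-cert-not-required entry that immediately follows it in the context lines: that entry describes clients authenticating "using username/password only", so the text should say whether the two options may be combined and, if so, warn that a client could then present neither a certificate nor credentials and the script is the only remaining check.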