
tickets #160403 (closed)

VPN security regression

Added by crameleon about 2 months ago. Updated about 1 month ago.

Status: Resolved
Priority: High
Assignee:
Category: Core services and virtual infrastructure
Target version: -
Start date: 2024-05-15
Due date:
% Done: 0%
Estimated time:

Description

With https://progress.opensuse.org/issues/151492 the username/passphrase authentication layer was removed from our OpenVPN setup. I found a security regression with this.

We allow VPN certificate authentication for all users in the "vpn" group - this is done by OpenVPN being configured to enforce a user specific CCD file being present, and Salt managing these CCD files based on the group membership in LDAP.

Previously, if a user was locked/disabled, the certificate authentication would succeed, but the LDAP bind would fail, correctly preventing disabled users from connecting.
By having removed the LDAP username/passphrase layer, we removed this protection, allowing users to connect regardless of whether their account is active or disabled.

Of course, a process change should take place which revokes certificates and updates the VPN CRL for disabled users. But currently this is not the case, and we have a big discrepancy between user lock and certificate validity statuses, especially given old VPN certificates being valid for 10 years (new ones 3 years).

A first mitigation for this is amending our Salt states to only place CCD files for users which are both in the "vpn" group and not locked/expired. I followed up with @firstyear on how to fetch this data from LDAP.

Afterwards we should look into some tooling to hook the same information into easy-rsa revocations.
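The CCD gating logic the mitigation describes, as an added example that is not code from the ticket or from the openSUSE Salt states: a CCD file is enforced only for users that are both in the "vpn" group and not locked/expired, and removed for everyone else. The LDAP attribute names (memberOf mapped to `groups`, `pwdAccountLockedTime`, `shadowExpire`), the `/etc/openvpn/ccd` path and the sample accounts are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional, Set, Tuple

# Constructed sample of what an LDAP lookup (e.g. a Salt ext_pillar) might return.
# Attribute names and the CCD directory are assumptions, not the tracker's setup.
@dataclass
class Account:
    uid: str
    groups: Set[str] = field(default_factory=set)
    locked_time: Optional[str] = None    # pwdAccountLockedTime, e.g. "20240501120000Z"
    shadow_expire: Optional[int] = None  # shadowExpire, days since the Unix epoch

def is_active(acct: Account, now: datetime) -> bool:
    """Active means: no ppolicy lock set and not past the shadow expiry date."""
    if acct.locked_time:
        # ppolicy stores a timestamp when the account is locked ("000001010000Z"
        # denotes a permanent lock); any value present is treated as locked.
        return False
    if acct.shadow_expire is not None and acct.shadow_expire > 0:
        # Simplification: values <= 0 mean "no expiry"; expired on/after the date.
        today = int(now.timestamp() // 86400)
        if today >= acct.shadow_expire:
            return False
    return True

def ccd_plan(accounts, now: datetime, ccd_dir: str = "/etc/openvpn/ccd") -> Tuple[Set[str], Set[str]]:
    """Return (present, absent): CCD paths to enforce and to remove.
    A CCD file exists only for users BOTH in the "vpn" group AND active, so a
    still-valid certificate alone no longer grants access to a disabled account."""
    present, absent = set(), set()
    for acct in accounts:
        path = f"{ccd_dir}/{acct.uid}"
        if "vpn" in acct.groups and is_active(acct, now):
            present.add(path)
        else:
            absent.add(path)
    return present, absent

if __name__ == "__main__":
    now = datetime(2024, 5, 15, tzinfo=timezone.utc)
    sample = [
        Account("alice", {"vpn"}),                                # active member
        Account("bob", {"vpn"}, locked_time="20240501120000Z"),  # locked member
        Account("carol", {"vpn"}, shadow_expire=19000),          # expired member
        Account("dave", set()),                                   # not in the group
    ]
    present, absent = ccd_plan(sample, now)
    print("present:", sorted(present))
    print("absent: ", sorted(absent))
```

In a Salt state the `present` set maps naturally onto `file.managed` and the `absent` set onto `file.absent`, so a lock or expiry in LDAP takes effect on the next highstate rather than waiting for a certificate revocation.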


Related issues: 1 (0 open, 1 closed)

Follows openSUSE admin - communication #151492: VPN Security Configuration (Resolved, 2023-11-27)
