From bb27e40799dcfe51a8cd82b236ce404bd7ab93aa Mon Sep 17 00:00:00 2001 From: Frank Lichtenheld Date: Thu, 22 Jan 2026 13:57:07 +0100 Subject: [PATCH] manage: Do not trigger actions on management disconnect if not authenticated If the management interface requires authentication via password and the remote did not specify it, do not trigger actions requested by --management-forget-disconnect and --management-signal on disconnect. Reported-By: Joshua Rogers Found-By: ZeroPath (https://zeropath.com) Github: openvpn-private-issues#5 Change-Id: I575d65912ce9065a0b0868e73998b4a9aece62af Signed-off-by: Frank Lichtenheld Acked-by: Arne Schwabe Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1484 Message-Id: <20260122125707.108048-1-frank@lichtenheld.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg35390.html Signed-off-by: Gert Doering (cherry picked from commit 4bf05d487cc10164615ad7c18931d063ca3eecc2) --- src/openvpn/manage.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/src/openvpn/manage.c b/src/openvpn/manage.c index feb32274..0e4afa2f 100644 --- a/src/openvpn/manage.c +++ b/src/openvpn/manage.c @@ -2005,13 +2005,14 @@ man_reset_client_socket(struct management *man, const bool exiting) } if (!exiting) { - if (man->settings.flags & MF_FORGET_DISCONNECT) + if (man->settings.flags & MF_FORGET_DISCONNECT && !man_password_needed(man)) { + msg(D_MANAGEMENT, "MANAGEMENT: Reset authentication on disconnect"); ssl_purge_auth(false); (void)ssl_clean_auth_token(); } - if (man->settings.flags & MF_SIGNAL) + if (man->settings.flags & MF_SIGNAL && !man_password_needed(man)) { int mysig = man_mod_signal(man, SIGUSR1); if (mysig >= 0)
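Review bot: in the `if (!exiting)` block of man_reset_client_socket(), both new guards skip their action silently when man_password_needed(man) is true, so a client that connects and drops without authenticating leaves no log entry at this point. Consider an else-path msg(D_MANAGEMENT, ...) recording that the disconnect actions were skipped for an unauthenticated client, which would let operators see such connections in the log. The added "Reset authentication on disconnect" message covers only the MF_FORGET_DISCONNECT branch; the MF_SIGNAL branch has no new log line in this hunk. Because the same condition is tested twice, evaluating it once into a local const bool before the two ifs would keep the guards in step, and parenthesising the flag test, as in `(man->settings.flags & MF_SIGNAL) && !man_password_needed(man)`, would make the precedence explicit. A short comment stating that man_password_needed() must still describe the closing connection at this point would also help, since the hunk does not show whether that state is reset earlier in the function.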