Unable to connect from AnyConnect 3.0 and 3.1 Windows Clients to ocserv 0.2.4 and git head

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



> On 01/12/2014 01:41 PM, David Woodhouse wrote:
>>> Indeed that was the issue and it seems it is now fixed by having
>>> ocserv use a compact authentication method (ask both username
>>> and password in one go) if the client does auth using the
>>> "Connection: Close" HTTP headers. That would work only if a single
>>> password is required from PAM, but I guess that's a reasonable
>>> trade-off.
>>
>> Hm, but that isn't a sufficient indicator that the client will
>> *actually*
>> reuse the same connection. The connection might close anyway, if there
>> is
>> a crap proxy or NAT timeout while the user is entering their response
>> etc.
>> I think you have to be prepared to be stateless every time, keeping a
>> pool
>> of active PAM sessions and a cookie to match client to session, and a
>> timeout/expiry for them.
>
> That would be tricky. Since ocserv is based on each client having a
> separate process. Being totally stateless would require adding logic
> for clients to "steal" the state of another process. I want to keep
> all clients isolated to keep a simple security model, so I'll try to
> avoid it if possible.

Well not quite allowing clients to arbitrarily steal state from each
other. A separate 'auth server' process could do it  A bit like OpenSSH's
perhaps?


-- 
dwmw2




[Index of Archives]     [Linux Samsung SoC]     [Linux Rockchip SoC]     [Linux Actions SoC]     [Linux for Synopsys ARC Processors]     [Linux NFS]     [Linux NILFS]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]


  Powered by Linux