> On 01/12/2014 01:41 PM, David Woodhouse wrote:
>>> Indeed that was the issue and it seems it is now fixed by having
>>> ocserv use a compact authentication method (ask both username
>>> and password in one go) if the client does auth using the
>>> "Connection: Close" HTTP headers. That would work only if a single
>>> password is required from PAM, but I guess that's a reasonable
>>> trade-off.
>>
>> Hm, but that isn't a sufficient indicator that the client will *actually*
>> reuse the same connection. The connection might close anyway, if there is
>> a crap proxy or NAT timeout while the user is entering their response etc.
>> I think you have to be prepared to be stateless every time, keeping a pool
>> of active PAM sessions and a cookie to match client to session, and a
>> timeout/expiry for them.
>
> That would be tricky, since ocserv is based on each client having a
> separate process. Being totally stateless would require adding logic
> for clients to "steal" the state of another process. I want to keep
> all clients isolated to keep a simple security model, so I'll try to
> avoid it if possible.

Well, not quite allowing clients to arbitrarily steal state from each other. A separate 'auth server' process could do it, a bit like OpenSSH's perhaps?

-- 
dwmw2
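The design sketched in the quoted exchange (a pool of in-progress authentication sessions, a cookie that ties each client request to its session, and an expiry so abandoned logins do not pin state forever) is easier to reason about in code. The block below is an added illustration written for this page; it is not ocserv's code and does not reflect how ocserv's worker or auth processes are organised. It assumes a fixed-size pool, a two-step username/password dialogue standing in for a PAM conversation, a constructed credential table (`alice` / `correct horse`), and a deterministic cookie generator that a real server would replace with a CSPRNG such as getrandom(2).

```c
/* Added example: cookie-keyed pool of pending login dialogues with expiry.
 * Not ocserv code. Credential table and cookie generator are placeholders. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

#define MAX_SESSIONS 16
#define SESSION_TTL  120   /* seconds a half-finished login may sit idle */

enum auth_stage { STAGE_FREE = 0, STAGE_NEED_USER, STAGE_NEED_PASS, STAGE_DONE };

struct auth_session {
    uint64_t cookie;        /* opaque handle the client echoes on each request */
    enum auth_stage stage;  /* position in the username/password dialogue */
    time_t expires;         /* absolute deadline, refreshed on every step */
    char user[64];
};

static struct auth_session pool[MAX_SESSIONS];

/* Placeholder cookie source (deterministic so the example is testable).
 * A real server must draw cookies from a CSPRNG, e.g. getrandom(2). */
static uint64_t next_cookie(void)
{
    static uint64_t ctr = 0x9e3779b97f4a7c15ULL;
    uint64_t z = (ctr += 0x9e3779b97f4a7c15ULL);
    z = (z ^ (z >> 30)) * 0xbf58476d1ce4e5b9ULL;
    z = (z ^ (z >> 27)) * 0x94d049bb133111ebULL;
    return z ^ (z >> 31);
}

/* Constructed stand-in for the PAM conversation's final verdict. */
static int credentials_ok(const char *user, const char *pass)
{
    return strcmp(user, "alice") == 0 && strcmp(pass, "correct horse") == 0;
}

/* Free every slot whose deadline has passed: the timeout/expiry part. */
static void reap_expired(time_t now)
{
    for (int i = 0; i < MAX_SESSIONS; i++)
        if (pool[i].stage != STAGE_FREE && pool[i].expires <= now)
            memset(&pool[i], 0, sizeof pool[i]);
}

/* Start a login dialogue; returns its cookie, or 0 if the pool is full. */
uint64_t session_begin(time_t now)
{
    reap_expired(now);
    for (int i = 0; i < MAX_SESSIONS; i++) {
        if (pool[i].stage == STAGE_FREE) {
            pool[i].cookie = next_cookie();
            pool[i].stage = STAGE_NEED_USER;
            pool[i].expires = now + SESSION_TTL;
            return pool[i].cookie;
        }
    }
    return 0;
}

/* Look up a live session by cookie; NULL if unknown or already expired. */
static struct auth_session *session_find(uint64_t cookie, time_t now)
{
    reap_expired(now);
    for (int i = 0; i < MAX_SESSIONS; i++)
        if (pool[i].stage != STAGE_FREE && pool[i].cookie == cookie)
            return &pool[i];
    return NULL;
}

/* Feed the client's next answer into its session. The only link between
 * request and state is the cookie, so it does not matter whether the answer
 * arrives on the same TCP connection or a new one. Returns the new stage,
 * or -1 if the cookie is unknown/expired or the credentials are rejected. */
int session_step(uint64_t cookie, const char *answer, time_t now)
{
    struct auth_session *s = session_find(cookie, now);
    if (s == NULL)
        return -1;
    s->expires = now + SESSION_TTL;          /* activity extends the deadline */
    switch (s->stage) {
    case STAGE_NEED_USER:
        snprintf(s->user, sizeof s->user, "%s", answer);
        s->stage = STAGE_NEED_PASS;
        return s->stage;
    case STAGE_NEED_PASS:
        if (!credentials_ok(s->user, answer)) {
            memset(s, 0, sizeof *s);         /* failed login: discard the state */
            return -1;
        }
        s->stage = STAGE_DONE;
        return s->stage;
    default:
        return -1;                           /* nothing left to answer */
    }
}

/* Walks one successful login, one timed-out login and one wrong password;
 * returns 1 when every step behaves as described above. */
int scenario_ok(void)
{
    time_t t0 = 1000;
    uint64_t c = session_begin(t0);
    if (session_step(c, "alice", t0 + 5) != STAGE_NEED_PASS) return 0;
    if (session_step(c, "correct horse", t0 + 10) != STAGE_DONE) return 0;
    uint64_t c2 = session_begin(t0);         /* abandoned: expires at t0+TTL */
    if (session_step(c2, "alice", t0 + SESSION_TTL + 1) != -1) return 0;
    uint64_t c3 = session_begin(t0 + 200);
    if (session_step(c3, "alice", t0 + 201) != STAGE_NEED_PASS) return 0;
    if (session_step(c3, "wrong", t0 + 202) != -1) return 0;
    return session_step(c3, "alice", t0 + 203) == -1;  /* state was discarded */
}
```

The point the example makes is the one David raises: nothing about the transport is trusted, so a client that reconnects through a flaky proxy simply presents its cookie again, and a login that never completes is reaped by the deadline rather than held open. In a process-per-client server the pool would have to live in a process all workers can reach, which is the "auth server" idea floated above.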