On Mon, 2015-05-18 at 22:46 +0800, Wang Jian wrote: > Hi, > > I am evaluating VPN with 2FA (w/ TOTP) supports inhouse. > > Currently, we use openvpn to do static 2FA (w/ shared client certificate), but > it's not easy for hundreds of employee scale, and configuration file got leaked > easily (actually happened). So this time, we do want to use a solution with less > client setup effort. > OpenConnect server and client are good starting point, coz openconnect & > anyconnect clients all support 2FA. > > Although multiple factor authentication support is available for > ocserv long ago, > I can't find docs about how to make static password + totp work for ocserv.Is it > possible? > Obviously, the current ocserv auth backends don't support such setup. But if I > can make client send username, password and 2nd password, I can hack a backend > to do password & totp code auth for inhouse use. Anyone can help me out? Hi, I would be surprised if you couldn't use the PAM backend to require two passwords, a static and TOTP. If you can make your login in your system to ask 2FA then you can do ocserv as well (for HOTP/TOTP at least, U2F is another story). The client certificates approach can be handled entirely within ocserv, by stacking two auth methods, (e.g., pam and certificate). Then you "only" need to setup a CA to issue certificates and have a process to ship smart cards with the certificates to your users. regards, Nikos
