how to make ocserv do totp 2FA?


 



On Mon, 2015-05-18 at 22:46 +0800, Wang Jian wrote:
> Hi,
> 
> I am evaluating VPN solutions with 2FA (w/ TOTP) support in-house.
> 
> Currently, we use OpenVPN to do static 2FA (w/ a shared client certificate), but
> it's not easy at a scale of hundreds of employees, and the configuration file gets leaked
> easily (it actually happened). So this time, we do want to use a solution with less
> client setup effort.
> OpenConnect server and client are a good starting point, because the openconnect &
> AnyConnect clients all support 2FA.
> 
> Although multiple-factor authentication support has been available for
> ocserv for a long time,
> I can't find docs about how to make static password + TOTP work for ocserv. Is it
> possible?
> Obviously, the current ocserv auth backends don't support such a setup. But if I
> can make the client send username, password and 2nd password, I can hack a backend
> to do password & TOTP code auth for in-house use. Can anyone help me out?

Hi,
 I would be surprised if you couldn't use the PAM backend to require two
passwords, a static one and a TOTP. If you can make the login on your system
ask for 2FA, then you can do the same with ocserv as well (for HOTP/TOTP at
least; U2F is another story).

The client-certificate approach can be handled entirely within ocserv,
by stacking two auth methods (e.g., pam and certificate). Then you
"only" need to set up a CA to issue certificates and have a process to
ship smart cards with the certificates to your users.

regards,
Nikos
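A concrete configuration for the setup Nikos describes above: ocserv stacks a client-certificate check with the PAM backend, and the PAM stack asks for the static password first and a TOTP code second. This is an added example, not from the original thread or the ocserv project. It assumes the pam_google_authenticator module is installed and that each user has already enrolled a secret with the `google-authenticator` tool, that the PAM service name ocserv opens is `ocserv`, and the file paths shown.

```conf
# /etc/ocserv/ocserv.conf (relevant lines only; path assumed)
#
# Every "auth" line must succeed, so the user needs a valid client
# certificate AND must pass the PAM conversation below. Use
# "enable-auth" instead of a second "auth" line only if either method
# on its own should be enough to log in.
auth = "certificate"
auth = "pam"

# Take the username from the certificate's CN (OID 2.5.4.3) so PAM
# checks the same account the certificate was issued to.
cert-user-oid = 2.5.4.3
ca-cert = /etc/ocserv/ca-cert.pem

# /etc/pam.d/ocserv (service name assumed to be what ocserv's PAM
# backend opens)
#
# First prompt forwarded to the VPN client: the static system password.
auth    required   pam_unix.so
# Second prompt: the 6-digit TOTP code checked against
# ~/.google_authenticator of that user.
# WEAK:   "nullok" lets any account with no enrolled secret skip the
#         second factor, so a leaked password is sufficient again.
# auth    required   pam_google_authenticator.so nullok
# STRICT: an account without an enrolled secret cannot log in at all.
auth    required   pam_google_authenticator.so
account required   pam_unix.so
```

With both modules marked `required`, PAM still asks for the TOTP code after a wrong password, so a client cannot tell which factor failed. Enrollment is a separate step per user (`google-authenticator` run as that user, or the secret file provisioned by your onboarding process); until a user is enrolled, the strict line above rejects them, which is the behaviour you want when replacing a shared-certificate setup.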
