2015-05-19 0:52 GMT+08:00 Nikos Mavrogiannopoulos <nmav at gnutls.org>:
> On Mon, 2015-05-18 at 22:46 +0800, Wang Jian wrote:
>> Hi,
>>
>> I am evaluating VPN with 2FA (w/ TOTP) support in-house.
>>
>> Currently, we use openvpn to do static 2FA (w/ shared client certificate), but
>> it's not easy at a scale of hundreds of employees, and the configuration file gets leaked
>> easily (it actually happened). So this time, we do want to use a solution with less
>> client setup effort.
>> OpenConnect server and client are a good starting point, since openconnect &
>> anyconnect clients all support 2FA.
>>
>> Although multiple factor authentication support has been available for
>> ocserv for a long time,
>> I can't find docs about how to make static password + TOTP work for ocserv. Is it
>> possible?
>> Obviously, the current ocserv auth backends don't support such a setup. But if I
>> can make the client send username, password and a 2nd password, I can hack a backend
>> to do password & TOTP code auth for in-house use. Can anyone help me out?
>
> Hi,
> I would be surprised if you couldn't use the PAM backend to require two
> passwords, a static one and TOTP. If you can make the login on your system
> ask for 2FA then you can do it in ocserv as well (for HOTP/TOTP at least, U2F
> is another story).

I will try. My question is: when PAM prompts for the second password, how does ocserv trigger it in the client's UI? A setup where the user inputs just one password which is concat(password, totp) is not what I am looking for.

Regards.

> The client certificates approach can be handled entirely within ocserv,
> by stacking two auth methods (e.g., pam and certificate). Then you
> "only" need to set up a CA to issue certificates and have a process to
> ship smart cards with the certificates to your users.
>
> regards,
> Nikos
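As an added illustration of the "two passwords via PAM" setup Nikos describes (this is not configuration from the thread or from the ocserv project), the fragments below stack a static password check (pam_unix) with a TOTP check (pam_oath from oath-toolkit) in a dedicated PAM service for ocserv. Because pam_oath issues its own "One-time password" prompt after pam_unix has asked for the account password, PAM drives two separate prompts rather than one concatenated secret. Assumed: oath-toolkit is installed, the PAM service file lives at /etc/pam.d/ocserv, the OTP users file is /etc/users.oath, and the users.oath line (user name and hex secret) is a constructed sample value.

```text
# /etc/pam.d/ocserv  (assumed path; added example, not from the thread)
#
# First factor: the account password, checked against the local
# password database. Both lines are "required", so a wrong static
# password still leads to the OTP prompt and only fails at the end,
# which avoids telling a client which factor was wrong.
auth     required   pam_unix.so
# Second factor: TOTP code checked by pam_oath. "window=10" tolerates
# a few 30-second steps of clock drift between server and phone.
auth     required   pam_oath.so usersfile=/etc/users.oath window=10
account  required   pam_unix.so

# /etc/users.oath  (assumed path; secret below is a constructed sample)
# Format: <type>/<step>/<digits> <user> <pin or "-"> <hex secret>
HOTP/T30/6 alice - 3132333435363738393031323334353637383930

# /etc/ocserv/ocserv.conf  (relevant line only)
# Hand authentication to the PAM service named "ocserv" above.
auth = "pam"
```

Two practical notes: /etc/users.oath holds shared secrets in clear, so it should be root-owned with mode 0600 and treated like a password database; and an account whose line is missing from the file fails closed, since pam_oath returns an error rather than skipping the check, which is the behaviour you want when a user has not yet been enrolled.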