how to make ocserv do totp 2FA?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



2015-05-19 0:52 GMT+08:00 Nikos Mavrogiannopoulos <nmav at gnutls.org>:
> On Mon, 2015-05-18 at 22:46 +0800, Wang Jian wrote:
>> Hi,
>>
>> I am evaluating VPN with 2FA (w/ TOTP) supports inhouse.
>>
>> Currently, we use openvpn to do static 2FA (w/ shared client certificate), but
>> it's not easy for hundreds of employee scale, and configuration file got leaked
>> easily (actually happened). So this time, we do want to use a solution with less
>> client setup effort.
>> OpenConnect server and client are good starting point, coz openconnect &
>> anyconnect clients all support 2FA.
>>
>> Although multiple factor authentication support is available for
>> ocserv long ago,
>> I can't find docs about how to make static password + totp work for ocserv.Is it
>> possible?
>> Obviously, the current ocserv auth backends don't support such setup. But if I
>> can make client send username, password and 2nd password, I can hack a backend
>> to do password & totp code auth for inhouse use. Anyone can help me out?
>
> Hi,
>  I would be surprised if you couldn't use the PAM backend to require two
> passwords, a static and TOTP. If you can make your login in your system
> to ask 2FA then you can do ocserv as well (for HOTP/TOTP at least, U2F
> is another story).

I will try. My question is: when pam prompt for second password, how ocserv
trigger it in client's UI?

The way user inputs just one password which is concat(password, totp) is not I
am looking at.

Regards.

>
> The client certificates approach can be handled entirely within ocserv,
> by stacking two auth methods, (e.g., pam and certificate). Then you
> "only" need to setup a CA to issue certificates and have a process to
> ship smart cards with the certificates to your users.
>
> regards,
> Nikos
>
>



[Index of Archives]     [Linux Samsung SoC]     [Linux Rockchip SoC]     [Linux Actions SoC]     [Linux for Synopsys ARC Processors]     [Linux NFS]     [Linux NILFS]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]


  Powered by Linux