2015-05-19 1:49 GMT+08:00 Wang Jian <larkwang at gmail.com>: > 2015-05-19 0:52 GMT+08:00 Nikos Mavrogiannopoulos <nmav at gnutls.org>: >> On Mon, 2015-05-18 at 22:46 +0800, Wang Jian wrote: >>> Hi, >>> >>> I am evaluating VPN with 2FA (w/ TOTP) supports inhouse. >>> >>> Currently, we use openvpn to do static 2FA (w/ shared client certificate), but >>> it's not easy for hundreds of employee scale, and configuration file got leaked >>> easily (actually happened). So this time, we do want to use a solution with less >>> client setup effort. >>> OpenConnect server and client are good starting point, coz openconnect & >>> anyconnect clients all support 2FA. >>> >>> Although multiple factor authentication support is available for >>> ocserv long ago, >>> I can't find docs about how to make static password + totp work for ocserv.Is it >>> possible? >>> Obviously, the current ocserv auth backends don't support such setup. But if I >>> can make client send username, password and 2nd password, I can hack a backend >>> to do password & totp code auth for inhouse use. Anyone can help me out? >> >> Hi, >> I would be surprised if you couldn't use the PAM backend to require two >> passwords, a static and TOTP. If you can make your login in your system >> to ask 2FA then you can do ocserv as well (for HOTP/TOTP at least, U2F >> is another story). > > I will try. My question is: when pam prompt for second password, how ocserv > trigger it in client's UI? > > The way user inputs just one password which is concat(password, totp) is not I > am looking at. > Ok, I write a simple pam-python script to test. #/etc/pam.d/ocserv auth required pam_krb5.so auth required pam_python.so /etc/ocserv/pam/pam_totp.py That is, authenticate using kerberos first, then check totp code. #/etc/ocserv/pam/pam_totp.py def pam_sm_authenticate(pamh, flags, argv): try: username = pamh.get_user() except pamh.exception: username = None if username == None: return pamh.PAM_USER_UNKNOWN prompt = pamh.Message(pamh.PAM_PROMPT_ECHO_OFF, "Please enter your code") try: resp = pamh.conversation(prompt) except pamh.exception: return pamh.PAM_SYSTEM_ERR if resp.resp == '6666': return pamh.PAM_SUCCESS else: return pamh.PAM_USER_UNKNOWN With this setup, Cisco anyconnect android client will ask username, password and password again. If all information is correct, the vpn connection is established successfully. But OpenConnect android client will fail immediately after prompting for and get first password. According to log, I think it's because OC android client uses first password directly for second prompt, and fails. That is the very question I ask at first.