On Tue, 2015-05-19 at 03:52 +0800, Wang Jian wrote:
> >> Hi,
> >> I would be surprised if you couldn't use the PAM backend to require two
> >> passwords, a static and TOTP. If you can make your login in your system
> >> to ask 2FA then you can do ocserv as well (for HOTP/TOTP at least, U2F
> >> is another story).
> > I will try. My question is: when PAM prompts for the second password, how does ocserv
> > trigger it in the client's UI?

It sends multiple forms and the openconnect client presents them one by one. You can
even change your password over PAM with openconnect.

> # pam_python module: the authenticate hook asks for a second code after the
> # static password has been handled earlier in the PAM stack
> def pam_sm_authenticate(pamh, flags, argv):
>     prompt = pamh.Message(pamh.PAM_PROMPT_ECHO_OFF, "Please enter your code")
>     try:
>         resp = pamh.conversation(prompt)
>     except pamh.exception:
>         return pamh.PAM_SYSTEM_ERR
>     if resp.resp == '6666':
>         return pamh.PAM_SUCCESS
>     else:
>         return pamh.PAM_USER_UNKNOWN
>
> def pam_sm_setcred(pamh, flags, argv):
>     return pamh.PAM_SUCCESS
>
> With this setup, the Cisco AnyConnect Android client will ask for username, password and
> password again. If all information is correct, the VPN connection is established
> successfully.
> But the OpenConnect Android client will fail immediately after prompting for and getting the first
> password. According to the log, I think it's because the OC Android client uses the first password
> directly for the second prompt, and fails.

Could it be some option to remember the password? How do the other clients
(Windows or openconnect on Linux) behave?

regards,
Nikos
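The two-prompt flow discussed above (a static password followed by a TOTP code, each sent to the VPN client as its own form) written out as a complete pam_python module. This is an added example, not code from this thread or from the ocserv/openconnect projects. It assumes the pam_python `pamh` API as documented for that module (`pamh.Message`, `pamh.conversation`, `pamh.get_user`, `pamh.exception` and the `PAM_*` constants); the `USERS` table is a constructed sample (the secret is the RFC 6238 test key "12345678901234567890" in base32), and the `now` keyword on `pam_sm_authenticate` is a hook so the TOTP check can be exercised offline.

```python
import base64
import hashlib
import hmac
import time

# Constructed sample user table: username -> (static password, base32 TOTP secret).
# A real deployment keeps these in a root-only file, never in the module source.
USERS = {
    "alice": ("correct horse battery staple", "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"),
}
STEP = 30  # TOTP time step in seconds


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, unix_time, digits=6):
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / STEP)."""
    return hotp(secret, int(unix_time) // STEP, digits)


def _equal(a, b):
    """Constant-time comparison of two user-supplied strings."""
    return hmac.compare_digest(a.encode("utf-8"), b.encode("utf-8"))


def verify_totp(base32_secret, code, unix_time=None, window=1):
    """Accept the code for the current step or any of +/- `window` adjacent
    steps (phone/server clock skew). Every candidate is compared, with no
    early return, so timing does not reveal which step matched."""
    secret = base64.b32decode(base32_secret, casefold=True)
    now = int(time.time()) if unix_time is None else int(unix_time)
    matches = [_equal(totp(secret, now + delta * STEP), code)
               for delta in range(-window, window + 1)]
    return any(matches)


def ask(pamh, prompt):
    """Send one PAM_PROMPT_ECHO_OFF message through the PAM conversation.
    ocserv turns each such message into a separate form for the VPN client."""
    msg = pamh.Message(pamh.PAM_PROMPT_ECHO_OFF, prompt)
    return pamh.conversation(msg).resp or ""


def pam_sm_authenticate(pamh, flags, argv, now=None):
    # pam_python calls this with three positional arguments; `now` is an
    # extra keyword used only to make the TOTP check testable offline.
    try:
        user = pamh.get_user(None)
        if user not in USERS:
            # Mirrors the thread's snippet; note that answering before any
            # prompt lets a caller tell unknown users from known ones.
            return pamh.PAM_USER_UNKNOWN
        password, secret = USERS[user]
        # Ask for both factors before judging either, so a wrong static
        # password cannot be told apart from a wrong code by prompt count.
        given_password = ask(pamh, "Password: ")
        given_code = ask(pamh, "Please enter your code: ")
        password_ok = _equal(given_password, password)
        code_ok = verify_totp(secret, given_code, now)
        if password_ok and code_ok:
            return pamh.PAM_SUCCESS
        return pamh.PAM_AUTH_ERR
    except pamh.exception:
        return pamh.PAM_SYSTEM_ERR


def pam_sm_setcred(pamh, flags, argv):
    return pamh.PAM_SUCCESS
```

Because the module issues two separate conversation messages, ocserv presents two forms, which is the behaviour the thread relies on; a client that replays the first answer to the second prompt will fail at the `code_ok` check and receive `PAM_AUTH_ERR`, visible in the server log as a second-factor failure rather than an unknown user.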