On Mon, May 18, 2015 at 1:17 PM, Nikos Mavrogiannopoulos <nmav at gnutls.org> wrote: > On Mon, 2015-05-18 at 13:13 -0700, Kevin Cernekee wrote: > >> BTW you'll probably want to make sure something in the login form >> (e.g. the password prompt) distinguishes between the alphanumeric >> password entry and the OTP entry. Both for user interaction reasons, >> and because OpenConnect wants to be able to uniquely identify each >> form field in order to save passwords locally. > > That cannot be really done with PAM, or I can't think of a simple way to > do it. You only get prompts with a message, and you don't know if PAM > asks the same password again or a new one. What may be distinct in the > form that ocserv sends is the <message/> field. I might be misinterpreting your response, but it looks like pam_oath does use a distinctive prompt for the OTP: http://spod.cx/blog/two-factor-ssh-auth-with-pam_oath-google-authenticator.shtml username at host:~$ ssh securehost Password: One-time password (OATH) for `username': Last login: Wed Jul 10 22:38:53 2013 from somehost.example.com username at securehost:~$ Or for pam_google_authenticator: https://wiki.archlinux.org/index.php/Google_Authenticator#Testing
