how to make ocserv do totp 2FA?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Mon, 2015-05-18 at 13:48 -0700, Kevin Cernekee wrote:
> On Mon, May 18, 2015 at 1:17 PM, Nikos Mavrogiannopoulos
> <nmav at gnutls.org> wrote:
> > On Mon, 2015-05-18 at 13:13 -0700, Kevin Cernekee wrote:
> >
> >> BTW you'll probably want to make sure something in the login form
> >> (e.g. the password prompt) distinguishes between the alphanumeric
> >> password entry and the OTP entry.  Both for user interaction reasons,
> >> and because OpenConnect wants to be able to uniquely identify each
> >> form field in order to save passwords locally.
> >
> > That cannot be really done with PAM, or I can't think of a simple way to
> > do it. You only get prompts with a message, and you don't know if PAM
> > asks the same password again or a new one. What may be distinct in the
> > form that ocserv sends is the <message/> field.
> 
> I might be misinterpreting your response, but it looks like pam_oath
> does use a distinctive prompt for the OTP:
> 
> http://spod.cx/blog/two-factor-ssh-auth-with-pam_oath-google-authenticator.shtml
> 
> username at host:~$ ssh securehost
> Password:
> One-time password (OATH) for `username':

Yes, and that's what you'll see in the message field. Maybe I could hash
that thing, and give a form 'name' that depends on that, but that would
be harder to interpret when the reply is sent.





[Index of Archives]     [Linux Samsung SoC]     [Linux Rockchip SoC]     [Linux Actions SoC]     [Linux for Synopsys ARC Processors]     [Linux NFS]     [Linux NILFS]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]


  Powered by Linux