On Mon, 2015-05-18 at 13:48 -0700, Kevin Cernekee wrote: > On Mon, May 18, 2015 at 1:17 PM, Nikos Mavrogiannopoulos > <nmav at gnutls.org> wrote: > > On Mon, 2015-05-18 at 13:13 -0700, Kevin Cernekee wrote: > > > >> BTW you'll probably want to make sure something in the login form > >> (e.g. the password prompt) distinguishes between the alphanumeric > >> password entry and the OTP entry. Both for user interaction reasons, > >> and because OpenConnect wants to be able to uniquely identify each > >> form field in order to save passwords locally. > > > > That cannot be really done with PAM, or I can't think of a simple way to > > do it. You only get prompts with a message, and you don't know if PAM > > asks the same password again or a new one. What may be distinct in the > > form that ocserv sends is the <message/> field. > > I might be misinterpreting your response, but it looks like pam_oath > does use a distinctive prompt for the OTP: > > http://spod.cx/blog/two-factor-ssh-auth-with-pam_oath-google-authenticator.shtml > > username at host:~$ ssh securehost > Password: > One-time password (OATH) for `username': Yes, and that's what you'll see in the message field. Maybe I could hash that thing, and give a form 'name' that depends on that, but that would be harder to interpret when the reply is sent.