On Mon, May 18, 2015 at 2:02 PM, Nikos Mavrogiannopoulos <nmav at gnutls.org> wrote:
> On Mon, 2015-05-18 at 13:48 -0700, Kevin Cernekee wrote:
>> On Mon, May 18, 2015 at 1:17 PM, Nikos Mavrogiannopoulos
>> <nmav at gnutls.org> wrote:
>> > On Mon, 2015-05-18 at 13:13 -0700, Kevin Cernekee wrote:
>> >
>> >> BTW you'll probably want to make sure something in the login form
>> >> (e.g. the password prompt) distinguishes between the alphanumeric
>> >> password entry and the OTP entry. Both for user interaction reasons,
>> >> and because OpenConnect wants to be able to uniquely identify each
>> >> form field in order to save passwords locally.
>> >
>> > That cannot really be done with PAM, or I can't think of a simple way to
>> > do it. You only get prompts with a message, and you don't know if PAM
>> > asks the same password again or a new one. What may be distinct in the
>> > form that ocserv sends is the <message/> field.
>>
>> I might be misinterpreting your response, but it looks like pam_oath
>> does use a distinctive prompt for the OTP:
>>
>> http://spod.cx/blog/two-factor-ssh-auth-with-pam_oath-google-authenticator.shtml
>>
>> username at host:~$ ssh securehost
>> Password:
>> One-time password (OATH) for `username':
>
> Yes, and that's what you'll see in the message field. Maybe I could hash
> that thing, and give a form 'name' that depends on that, but that would
> be harder to interpret when the reply is sent.

OpenConnect on Android already computes a hash that includes each form label, so it can remember different passwords for account password vs. OTP. It won't send the user's "Password:" password in response to a "One-time password (OATH) for `username':" prompt.
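The mechanism the two messages above describe, as an added example written for this page (it is not OpenConnect's or ocserv's code; the form layout, the `auth_id` value, the field names and the `pam_` naming scheme are all assumptions). The client side derives a key for each form field from the form context plus its prompt text, so a saved "Password:" value is never offered in reply to the OATH prompt even when the server uses the same field name for both; the server side shows the per-session map that lets a prompt-derived field name be interpreted when the reply arrives.

```python
"""Added example: stable per-prompt keys for saved credentials.

Not OpenConnect's or ocserv's code; form structure and names are assumed.
"""
import hashlib
import re

# Constructed sample forms, modelled on the two PAM prompts in the thread.
# Both password fields deliberately share the server-side name "password".
FORM_PASSWORD = {
    "auth_id": "main",  # assumed form identifier
    "fields": [
        {"name": "username", "label": "Username:", "type": "text"},
        {"name": "password", "label": "Password:", "type": "password"},
    ],
}
FORM_OTP = {
    "auth_id": "main",
    "fields": [
        {"name": "password",
         "label": "One-time password (OATH) for `alice':",
         "type": "password"},
    ],
}


def normalize_label(label):
    """Strip the account-specific part of pam_oath's prompt ("for `alice'")
    so the derived key is the same for every user of the same prompt."""
    return re.sub(r"`[^']*'", "`'", label).strip().lower()


def field_key(form, field):
    """Hash of form id, field name and normalized label: the lookup key."""
    material = "\x00".join(
        [form["auth_id"], field["name"], normalize_label(field["label"])]
    )
    return hashlib.sha256(material.encode("utf-8")).hexdigest()


class CredentialStore:
    """Client-side store of saved answers, keyed by field_key()."""

    def __init__(self):
        self._saved = {}

    def remember(self, form, field, value):
        self._saved[field_key(form, field)] = value

    def lookup(self, form, field):
        return self._saved.get(field_key(form, field))


def fill_form(store, form):
    """Return {field name: saved value} for the fields we have an answer for.
    A field whose label differs from any saved one gets nothing."""
    out = {}
    for field in form["fields"]:
        value = store.lookup(form, field)
        if value is not None:
            out[field["name"]] = value
    return out


def server_field_name(prompt, session_names):
    """Server-side sketch (assumption, not ocserv's code): name the form field
    after the PAM prompt and record the mapping for this session so the reply
    can be matched back to the prompt that produced it."""
    digest = hashlib.sha256(normalize_label(prompt).encode("utf-8")).hexdigest()
    name = "pam_" + digest[:12]
    session_names[name] = prompt
    return name


if __name__ == "__main__":
    store = CredentialStore()
    store.remember(FORM_PASSWORD, FORM_PASSWORD["fields"][1], "hunter2")
    print("account form:", fill_form(store, FORM_PASSWORD))  # password offered
    print("otp form:", fill_form(store, FORM_OTP))           # nothing offered
    names = {}
    generated = server_field_name("Password:", names)
    print("server maps", generated, "->", names[generated])
```

Hashing the normalized label rather than storing it verbatim keeps account names out of the key, and keeping the server's name-to-prompt map per session is what makes a hashed field name interpretable when the reply comes back.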