2015-05-19 3:57 GMT+08:00 Nikos Mavrogiannopoulos <nmav at gnutls.org>:
> On Tue, 2015-05-19 at 03:52 +0800, Wang Jian wrote:
>
>> >> Hi,
>> >>
>> >> I would be surprised if you couldn't use the PAM backend to require two
>> >> passwords, a static and TOTP. If you can make your login in your system
>> >> to ask 2FA then you can do ocserv as well (for HOTP/TOTP at least, U2F
>> >> is another story).
>> >
>> > I will try. My question is: when pam prompts for the second password, how does ocserv
>> > trigger it in the client's UI?
>
> It sends multiple forms and the openconnect client presents them one by one. You
> can even change your password over pam with openconnect.
>
>> def pam_sm_authenticate(pamh, flags, argv):
>>     # Second factor: ask for a one-time code over the PAM conversation.
>>     # ocserv turns this prompt into an extra login form for the client.
>>     prompt = pamh.Message(pamh.PAM_PROMPT_ECHO_OFF, "Please enter your code")
>>     try:
>>         resp = pamh.conversation(prompt)
>>     except pamh.exception:
>>         return pamh.PAM_SYSTEM_ERR
>>     # '6666' is a fixed test code standing in for a real HOTP/TOTP check.
>>     if resp.resp == '6666':
>>         return pamh.PAM_SUCCESS
>>     else:
>>         return pamh.PAM_USER_UNKNOWN
>>
>> def pam_sm_setcred(pamh, flags, argv):
>>     return pamh.PAM_SUCCESS
>>
>> With this setup, the Cisco anyconnect android client will ask for username, password and
>> password again. If all information is correct, the vpn connection is established
>> successfully.
>>
>> But the OpenConnect android client will fail immediately after prompting
>> for and getting the first password. According to the log, I think it's because the OC android client
>> uses the first password directly for the second prompt, and fails.
>
> Could it be some option to remember the password? How do the other clients
> (windows or openconnect in linux) do?
>

Yes, I retried it. The Openconnect android client remembers the password. So when I switched
from single password to 2FA, it failed the 2nd password and prompted for the 2nd password, but
I couldn't distinguish that and input the first password, then it fails immediately and finally.

So the good news is the openconnect android client also works now.
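A fuller version of the second-factor module discussed in the thread, added here as an example; it is not code from the thread, from ocserv or from pam_python. It is a pam_python module that asks for a TOTP code over the PAM conversation (the prompt ocserv forwards to the client as a second login form) and verifies it with an RFC 4226/6238 implementation built only on the standard library. It assumes pam_python's module interface (pam_sm_authenticate(pamh, flags, argv), pamh.get_user, pamh.Message, pamh.conversation, pamh.exception and the PAM_* constants on pamh); the FakePamh class, the TEST_USER/TEST_SECRET values, lookup_secret and the _now parameter are constructed for offline testing. The static password is left to pam_unix stacked ahead of this module in the ocserv PAM service.

```python
"""Hypothetical pam_python module: TOTP second factor for an ocserv PAM stack.

Added example, not code from the thread, ocserv or pam_python. Assumes the
pam_python interface: pam_sm_authenticate(pamh, flags, argv), pamh.get_user,
pamh.Message, pamh.conversation, pamh.exception and PAM_* constants on pamh.
"""
import hashlib
import hmac
import time

# Constructed test data: the RFC 4226 / RFC 6238 test-vector secret.
TEST_USER = "wang"
TEST_SECRET = b"12345678901234567890"
TOTP_STEP = 30
TOTP_DIGITS = 6
TOTP_WINDOW = 1  # accept one step before/after to absorb clock skew


def lookup_secret(user):
    """Return the user's TOTP seed (hypothetical; a real module reads per-user storage)."""
    return TEST_SECRET if user == TEST_USER else None


def hotp(secret, counter, digits=TOTP_DIGITS):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    msg = bytearray(8)
    for i in range(7, -1, -1):
        msg[i] = counter & 0xFF
        counter >>= 8
    mac = bytearray(hmac.new(secret, bytes(msg), hashlib.sha1).digest())
    offset = mac[-1] & 0x0F
    binary = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
              | mac[offset + 2] << 8 | mac[offset + 3])
    return "%0*d" % (digits, binary % (10 ** digits))


def totp(secret, now, step=TOTP_STEP, digits=TOTP_DIGITS):
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, int(now) // step, digits)


def verify_totp(secret, code, now=None, window=TOTP_WINDOW):
    """Compare the submitted code against every code in the skew window."""
    code = (code or "").strip()
    if not code.isdigit():  # a replayed static password never passes this
        return False
    if now is None:
        now = time.time()
    counter = int(now) // TOTP_STEP
    ok = False
    for c in range(max(counter - window, 0), counter + window + 1):
        # No early return: the work done does not depend on which step matched.
        ok |= hmac.compare_digest(hotp(secret, c), code)
    return ok


def pam_sm_authenticate(pamh, flags, argv, _now=None):
    """Entry point pam_python calls; _now exists only so tests can pin the clock."""
    try:
        user = pamh.get_user(None)
        prompt = pamh.Message(pamh.PAM_PROMPT_ECHO_OFF, "Please enter your code")
        resp = pamh.conversation(prompt)
    except pamh.exception:
        return pamh.PAM_SYSTEM_ERR
    secret = lookup_secret(user)
    if secret is None:
        return pamh.PAM_USER_UNKNOWN
    # A client that answers this prompt with its cached static password
    # (the Android openconnect behaviour in the thread) ends up here.
    if not verify_totp(secret, resp.resp, now=_now):
        return pamh.PAM_AUTH_ERR
    return pamh.PAM_SUCCESS


def pam_sm_setcred(pamh, flags, argv):
    return pamh.PAM_SUCCESS


class FakePamh(object):
    """Constructed stand-in for pam_python's handle so the module runs offline."""
    PAM_PROMPT_ECHO_OFF = 1
    PAM_SUCCESS = 0
    PAM_SYSTEM_ERR = 4
    PAM_AUTH_ERR = 7
    PAM_USER_UNKNOWN = 10

    class exception(Exception):
        pass

    class Message(object):
        def __init__(self, msg_style, msg):
            self.msg_style, self.msg = msg_style, msg

    class Response(object):
        def __init__(self, resp):
            self.resp, self.resp_retcode = resp, 0

    def __init__(self, user, answers):
        self.user, self._answers, self.prompts = user, list(answers), []

    def get_user(self, prompt=None):
        return self.user

    def conversation(self, msg):
        self.prompts.append(msg.msg)
        if not self._answers:
            raise self.exception("client closed the conversation")
        return self.Response(self._answers.pop(0))
```

Stack it after the static-password module in the PAM service ocserv uses (ocserv.conf with auth = "pam"), e.g. "auth required pam_unix.so" followed by "auth required pam_python.so /path/to/this_module.py"; each conversation prompt then reaches the client as its own form. A wrong or replayed answer returns PAM_AUTH_ERR rather than PAM_USER_UNKNOWN, so PAM's failure accounting and the client's retry prompt behave as for an ordinary bad password.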