On Mon, May 18, 2015 at 11:51 PM, Nikos Mavrogiannopoulos <nmav at gnutls.org> wrote:
> On Tue, May 19, 2015 at 6:10 AM, Kevin Cernekee <cernekee at gmail.com> wrote:
>>> Is that for the input type's label or the message field in config-auth
>>> section?
>> Label only. AFAICT it is using the message field for display purposes
>> only, not as part of the hash.
>
> I'm wondering whether setting the label to that string or changing the
> name would actually help the client. I don't think that's the case. If
> you receive a second prompt for a password with the same label/name a
> pop up would have to be brought anyway because it is either the first
> input password that is wrong, or an otp. Also, even if ocserv would
> provide a unique name, it wouldn't help in the otp case if you
> remember and send both passwords in batch mode. Maybe it would make
> sense to remember only the first password prompt in batch mode, and
> become interactive otherwise?

Batch mode automatically disables itself if it sees the same exact form twice in a row. If the user changed his password on the remote end but the local end isn't updated, we don't want the app to hammer the server with the old password (and risk locking out the account).

I'm not sure if this works 100% perfectly if identical-looking forms are prompting for different information, since we're still trying to cache the password and look it up based on the hash of the form fields.
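
An added sketch of the behaviour discussed in this message, not part of the original e-mail and not the client's own code: cached passwords are looked up by a hash of the form fields (label included, message excluded), and batch mode turns itself off when the same form arrives twice in a row. The form layout, `form_hash`, `BatchAuth` and the sample forms are assumptions made for illustration.

```python
import hashlib

def form_hash(form):
    # Hash each field's type, name and label. The form's "message" is
    # display-only and deliberately left out, as described in the thread.
    h = hashlib.sha256()
    for field in form["fields"]:
        for part in (field["type"], field["name"], field["label"]):
            h.update(part.encode() + b"\0")
    return h.hexdigest()

class BatchAuth:
    def __init__(self, saved):
        self.saved = dict(saved)   # form hash -> cached password
        self.batch = True
        self.last = None

    def answer(self, form, prompt):
        key = form_hash(form)
        if key == self.last:
            # Same form twice in a row: the cached answer was not accepted.
            # Stop replaying it so a stale password cannot lock the account.
            self.batch = False
        self.last = key
        if self.batch and key in self.saved:
            return self.saved[key], "cache"
        self.saved[key] = prompt(form)
        return self.saved[key], "prompt"

def pw_form(message, label="Password:", name="password"):
    return {"message": message,
            "fields": [{"type": "password", "name": name, "label": label}]}

# Constructed sample forms (not captured from a real server).
LOGIN = pw_form("Please enter your password.")
RETRY = pw_form("Login failed.")              # same fields, new message
OTP_SAME = pw_form("Enter your token code.")  # OTP prompt reusing label/name
OTP_UNIQUE = pw_form("Enter your token code.", label="OTP:", name="otp")
```

With these sample forms, `OTP_SAME` hashes identically to `LOGIN`, so the sketch cannot tell an OTP prompt from a rejected password and falls back to prompting in both cases.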