Hi,

Indeed, it works with a passcode entry. However, the push notification on the mobile device is really nice for the user experience.

How difficult would it be to move ocserv's security module to a multi-threaded architecture? Is it a complete rework?

I'm also getting in touch with a DUO software engineer to grab more info on this issue.

Regards,
Florian D.

On Tue, 14 Jan 2020 at 09:04, Nikos Mavrogiannopoulos <n.mavrogiannopoulos@xxxxxxxxx> wrote:
>
> On Mon, Jan 13, 2020 at 4:55 PM Florian Domain <domain.florian@xxxxxxxxx> wrote:
> >
> > Hi Nikos,
> >
> > Thanks for your reply.
> >
> > I did some tests with two users trying to connect at the same time,
> > and ocserv is not blocking at username/password/LDAP stages, but only
> > when duo has sent its notification to user's device. So as you said,
> > it may be a limitation of the duo PAM module.
>
> Interesting. Seeing the log it may be that this module blocks until a
> response has been received off-the-line. That means that ocserv's
> architecture of co-routines for PAM cannot really accommodate it for
> multiple users. The module itself can be changed to ask for a user
> confirmation on PIN entry similarly to asking for a password but
> accepting any input (inconvenient but it will allow multiple users to
> login), or alternatively ocserv's security module could be moved to a
> multi-threaded architecture (for PAM only or for all requests).
>
> regards,
> Nikos
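A simplified model of the behaviour discussed in this thread, added here as an illustration and not taken from ocserv or the Duo PAM module: two logins share one cooperative scheduler, and a module that waits for the push approval inside the call is compared with one that turns the wait into a prompt. The names, the virtual clock and the timing constants are assumptions made for the example.

```python
# Simplified model, not ocserv or Duo code: one thread, one coroutine per PAM
# conversation, and a virtual clock in seconds so the run is deterministic.
import heapq
from itertools import count

PUSH_WAIT = 30   # constructed: seconds until the user approves on the phone
TYPING = 1       # constructed: seconds to answer an ordinary prompt


def blocking_module(clock, user, log):
    """Waits for the out-of-band approval inside the call and never yields."""
    yield TYPING                      # password prompt: control returns to the scheduler
    log.append((clock[0], user, "push sent"))
    clock[0] += PUSH_WAIT             # the only thread is stuck here
    log.append((clock[0], user, "authenticated"))


def prompting_module(clock, user, log):
    """Turns the wait into a prompt, the way a password is asked for."""
    yield TYPING
    log.append((clock[0], user, "push sent"))
    yield PUSH_WAIT                   # the wait happens in the scheduler
    log.append((clock[0], user, "authenticated"))


def simulate(module, users):
    """Run all conversations on one cooperative scheduler; return the event log."""
    clock, log, seq, ready = [0], [], count(), []
    for user in users:
        heapq.heappush(ready, (0, next(seq), user, module(clock, user, log)))
    while ready:
        at, _, user, conv = heapq.heappop(ready)
        clock[0] = max(clock[0], at)  # idle until this conversation has input
        try:
            delay = next(conv)        # run until the next prompt (or the end)
        except StopIteration:
            continue
        heapq.heappush(ready, (clock[0] + delay, next(seq), user, conv))
    return log


def auth_times(module, users=("alice", "bob")):
    return {u: t for t, u, what in simulate(module, users) if what == "authenticated"}


if __name__ == "__main__":
    print("blocking :", auth_times(blocking_module))
    print("prompting:", auth_times(prompting_module))
```

In the blocking case the second user's push is not even sent until the first user has approved theirs, so login times grow with the number of users waiting; in the prompting case both waits overlap.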