On Thu, Aug 25, 2016 at 10:15 AM, David Sommerseth <
open...@sf.lists.topphemmelig.net> wrote:

> On 25/08/16 15:58, David Woodhouse wrote:
> > On Thu, 2016-08-25 at 15:45 +0200, David Sommerseth wrote:
> >>
> >>
> >> I've been working a bit on a new patch-set which enables
> >> third-party user/password authentication mechanisms using two
> >> factor authentications [2FA] (such as OTP) and not needing to
> >> disable the renegotiation features of OpenVPN.
> >
> > Hm, you handle the server side of OTP through PAM alone?
>
> This change does not change the initial authentication at all.  You
> still need an authentication plug-in or --auth-user-pass-verify
> script.  But once this first authentication passes successfully, the
> OpenVPN server takes over the coming authentications required due to
> re-negotiations.
Why not let the auth-user-pass-verify script do this verification bypass?
The server knows whether it's an initial CONNECT or REAUTH and can pass that
info to the verify script. Then the script can bypass verification if
appropriate. Currently management-client-auth is already capable of doing
this, as "REAUTH" versus "CONNECT" info is passed to it. Adding that to the
env and passing it to scripts should be easy.

Selva
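As an added illustration of the approach Selva suggests (this is example code written for this page, not code from the thread or from OpenVPN), here is a sketch of what an --auth-user-pass-verify script could look like if the server exported the connection stage. The environment variable name AUTH_STAGE and its values "CONNECT"/"REAUTH" are an assumption modelled on the management-interface strings; OpenVPN does not define that variable. The thread does not say what, if anything, a REAUTH should still check, so the example fails closed: it only honours the bypass when the same user/certificate pair already passed a full CONNECT check, and it rejects any stage it does not recognise. The credential table is constructed for the example and stands in for a real OTP or PAM back end.

```shell
#!/bin/sh
# Example --auth-user-pass-verify script (added example, not OpenVPN code).
# ASSUMPTION: OpenVPN exports the stage as AUTH_STAGE = CONNECT | REAUTH.
# Credentials arrive via-file: line 1 = username, line 2 = password.
# common_name is a real OpenVPN script environment variable.

STATE_DIR="${AUTH_STATE_DIR:-/var/run/openvpn-auth-example}"

# verify_initial USER PASSWORD -> 0 if accepted.
# Constructed table for the example; a real script would call the OTP/PAM back end.
verify_initial() {
    case "$1:$2" in
        "alice:correct-horse-482913") return 0 ;;
        *) return 1 ;;
    esac
}

# decide_auth STAGE USER PASSWORD COMMON_NAME -> 0 accept, 1 reject
decide_auth() {
    stage="$1"
    user="$2"
    pass="$3"
    cn="$4"

    # The marker file name is built from untrusted input: reject anything
    # outside a safe character set so it cannot escape STATE_DIR.
    case "$user$cn" in
        "" | *[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    marker="$STATE_DIR/$cn.$user"

    case "$stage" in
        CONNECT)
            # Full check; a real OTP would be consumed here.
            if verify_initial "$user" "$pass"; then
                mkdir -p "$STATE_DIR" && : > "$marker"
                return 0
            fi
            rm -f "$marker"
            return 1 ;;
        REAUTH)
            # Bypass only if this user/cert pair passed a full CONNECT before;
            # the client resends a stale OTP on renegotiation, so do not recheck it.
            [ -f "$marker" ] ;;
        *)
            # Unknown or missing stage: fail closed.
            return 1 ;;
    esac
}

# Entry point when OpenVPN invokes the script with the via-file path in $1.
if [ -n "${1:-}" ] && [ -f "$1" ]; then
    { read -r user; read -r pass; } < "$1"
    decide_auth "${AUTH_STAGE:-}" "$user" "$pass" "${common_name:-}"
    exit $?
fi
```

The marker directory should be writable only by the user OpenVPN runs the script as, and the script should be installed with --script-security 2 as usual; clearing the marker on a failed CONNECT means a later REAUTH cannot ride on an earlier, expired session.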
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel