On Thursday, 15 June 2017 12:05:49 AM AEST David Sommerseth wrote:
> On 14/06/17 15:32, Steven Haigh wrote:
> > Hi all,
> >
> > No further comments or requests on the openvpn-users lists.
> > Reposting here for further criticism / comments :)
> >
> > I did have one thought though, do I need to put any kind of banner
> > at the top of the script as a 'maintainer' or such?
>
> I have actually quickly tested this script, and it works fine with my
> yubikey test token.
>
> One remark which needs to be highlighted is that this implementation
> uses single-factor OTP authentication. But the OTP code used in this
> mode is fairly long, so it is reasonably secure (and still far better
> than static human passwords). The token codes are generated using
> keying material which is pre-loaded to a Yubico server, which
> essentially provides the authentication via a HTTPS request.
>
> I think this is a reasonably good starting point.
>
> What is needed is to have some kind of copyright header at the top of
> the file (as a "larger" comment block). This copyright needs to carry
> a license which is compatible with GPLv2. You can put yourself as the
> copyright holder, which implicitly puts you as a maintainer and
> contact person if there are issues.
>
> What would be good in addition is to have, either inside this Perl script or
> as a README file, a description of what you need to do to get this working.
> Reasonable "talking points" could be:
>
> - Configuring your Yubikey token (at least point at Yubikey docs)
> - Emphasize that the token must be registered at YubiCloud (or the
>   validation server being used)
> - Highlight what needs to be changed in the Perl script
>   to enable new users.
>
> For more advanced topics ... using your own Yubikey validation server,
> like using this one: <https://developers.yubico.com/yubikey-val/>
I've taken this onboard. I've added the following text to the top of the script:

# Copyright (c) 2017 Steven Haigh <net...@crc.id.au>
# https://www.crc.id.au
# Licensed under the GPL version 2
#
# PURPOSE: This script can be used to automatically handle authentication
# of Yubikey enabled accounts for One Time Password (OTP) use.
#
# INSTALL NOTES:
# Place this script in /etc/openvpn and use the following in your server
# configuration file:
#   script-security 2
#   client-connect /etc/openvpn/yubikey-auth-tokens
#   auth-user-pass-verify /etc/openvpn/yubikey-auth-tokens via-file
#   client-cert-not-required
#
# If you wish to use Client Certificate + username + OTP for authentication
# exclude the 'client-cert-not-required' option and use any other guide on
# how to manage the certificate side of authentication.
#
# USAGE NOTES:
# To set up your Yubikey in Yubico OTP mode, use the personalisation tool
# in "Yubico OTP mode", and choose 'Quick' setup. Be sure to generate new
# values and then use the 'Upload to Yubico' to activate your key within
# the Yubico Validation Server.
#
# Edit the %yubikeys definition below to include your chosen username and
# the first 12 digits of one of your Yubico OTP passwords.
#
# If you have a Yubico API ID, you may substitute the $yubico_id value
# for your own, or use the default '16'.
#
# ------------------ CODE BEGINS HERE -----------------

--
Steven Haigh
📧 net...@crc.id.au
💻 http://www.crc.id.au
📞 +61 (3) 9001 6090
📱 0412 935 897
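The header above describes the auth-user-pass-verify via-file flow and the %yubikeys mapping of a username to the 12-character public ID. The following is an added Python example, not Steven Haigh's Perl script, showing the checks such a script has to make on its side: reading the via-file, refusing an OTP whose public ID is registered to a different user, and building and verifying a Yubico validation-protocol 2.0 exchange. The YUBIKEYS mapping, the OTP value and the API key are constructed; the signature scheme assumed is Yubico's documented HMAC-SHA1 over the sorted parameters.

```python
import base64, hashlib, hmac, secrets

MODHEX = set("cbdefghijklnrtuv")          # Yubico's modhex alphabet
YUBIKEYS = {"alice": "ccccccbcgujh"}      # constructed; same shape as the script's %yubikeys

def parse_via_file(text):
    """auth-user-pass-verify ... via-file: line 1 is the username, line 2 the password."""
    lines = text.splitlines()
    return (lines[0], lines[1]) if len(lines) >= 2 else (None, None)

def public_id(otp):
    """Public ID of a Yubico OTP (the chars before the 32-char encrypted token), or None if malformed."""
    otp = otp.strip().lower()
    if not 32 < len(otp) <= 48 or not set(otp) <= MODHEX:
        return None
    return otp[:-32]

def user_matches(username, otp, keys=YUBIKEYS):
    """Refuse an OTP from a key that is valid but registered to a different user."""
    pid = public_id(otp)
    return pid is not None and keys.get(username) == pid

def sign(params, api_key_b64):
    """Validation protocol 2.0 signature: HMAC-SHA1 over 'k=v&...' sorted by key, 'h' excluded."""
    msg = "&".join(f"{k}={params[k]}" for k in sorted(params) if k != "h")
    mac = hmac.new(base64.b64decode(api_key_b64), msg.encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()

def build_request(username, otp, client_id="16", api_key_b64=None):
    """Parameters for GET /wsapi/2.0/verify; None if the user/key pair does not match."""
    if not user_matches(username, otp):
        return None
    params = {"id": client_id, "otp": otp, "nonce": secrets.token_hex(16)}
    if api_key_b64:                       # client ID 16 is used unkeyed; a keyed ID signs
        params["h"] = sign(params, api_key_b64)
    return params

def parse_response(body):
    """The server reply is 'key=value' lines."""
    return dict(line.split("=", 1) for line in body.splitlines() if "=" in line)

def accept_response(request, response, api_key_b64=None):
    """Accept only status=OK that echoes our otp and nonce (and carries a valid h when keyed)."""
    if response.get("status") != "OK":
        return False
    if response.get("otp") != request["otp"] or response.get("nonce") != request["nonce"]:
        return False
    if api_key_b64 and not hmac.compare_digest(sign(response, api_key_b64), response.get("h", "")):
        return False
    return True
```

The otp/nonce echo check is what stops a reply to some other request from being accepted for this login.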
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel