On 15/05/2020 17:36, David Sommerseth wrote:
> On 09/11/2019 16:13, Arne Schwabe wrote:
>> This implements sending AUTH_PENDING and INFO_PRE messages to clients
>> that indicate that the clients should continue authentication with
>> a second factor. This can currently be out of band (openurl) or a normal
>> challenge/response 2FA like TOTP (CR_TEXT).
> 
> Can we settle on a single CR_TEXT vs CRTEXT terminology?  The 3/5 patch used
> crtext in the documentation but cr_text in the commit message.
> 
>> Signed-off-by: Arne Schwabe <a...@rfc2549.org>
>> ---
>>  doc/management-notes.txt | 26 +++++++++++++++++++++++
>>  src/openvpn/manage.c     | 46 ++++++++++++++++++++++++++++++++++++++++
>>  src/openvpn/manage.h     |  3 +++
>>  src/openvpn/multi.c      | 19 +++++++++++++++++
>>  src/openvpn/push.c       | 24 +++++++++++++++++++++
>>  src/openvpn/push.h       |  2 ++
>>  6 files changed, 120 insertions(+)
>>
>> diff --git a/doc/management-notes.txt b/doc/management-notes.txt
>> index e380ca2b..4b405a9b 100644
>> --- a/doc/management-notes.txt
>> +++ b/doc/management-notes.txt
>> @@ -592,6 +592,32 @@ interface to approve client connections.
>>  CID,KID -- client ID and Key ID.  See documentation for ">CLIENT:"
>>  notification for more info.
>>  
>> +COMMAND -- client-sso-auth  (OpenVPN 2.5 or higher)
>> +----------------------------------------------------
>> +
>> +Instruct OpenVPN server to send AUTH_PENDING and INFO_PRE signal
>> +a single sign on url to the client.
>> +
>> +    client-sso-auth {CID} {EXTRA}
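Review bot: The description added under the new client-sso-auth heading reads "send AUTH_PENDING and INFO_PRE signal a single sign on url to the client", which is missing words between "INFO_PRE" and "signal" and mentions only a URL, while the commit message says the same mechanism also carries a challenge/response prompt (CR_TEXT). Suggest rewording along the lines of "send AUTH_PENDING and INFO_PRE messages to the client to signal that a further authentication step is pending". In the lines quoted here the usage line shows {EXTRA} with no explanation of what it may contain; the documentation should say so next to the usage line, since this string is forwarded to the client.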
> 
> I think we should use a different naming for this than 'sso'.  This is not
> tied to only SSO (Single Sign-On).  What about:
> 
>  - client-extended-auth
>  - client-external-auth
>  - client-ext-auth
>  - client-additional-auth
>  - client-xauth

Another alternative popped up in my head, as CR/Challenge-Response is used a
lot in this context .... client-cr-auth  .... but all of them are just
suggestions to avoid the 'sso' reference.

> 
> As long as the name is quite generic, I'm fine with most alternatives.  But it
> should be very generic.  We have so many alternative auth methods these days:
> Yubico OTP [1], TOTP/HOTP, FIDO/U2F, SAML, OAuth, Kerberos/GSSAPI, etc ...
> 
> [1] <https://developers.yubico.com/OTP/OTPs_Explained.html>

-- 
kind regards,

David Sommerseth
OpenVPN Inc


