> 
> This will accept an empty CR_RESPONSE from the client.  Could that be an
> acceptable reply from the client?  My initial thought is: When the server
> sends a challenge to the client, it should have a "meaningful" response.  I
> struggle to see where an empty response would be meaningful.

Enter your second TOTP to gain additional privileges. User just presses
enter and you then only get bare minimum VPN access.

> 
> And by "meaningful" I mean in the broadest interpretation.  Invalid
> authentication response, invalid data (not base64 encoded, etc) is meaningful.
> 
> I'm also wondering if it would make sense to validate the base64 response as 
> well.
> 
> 
> To summarize all patches:
> 
> - They all look reasonable and fine, but there are a few things to improve.
> 
> - We should avoid the SSO terminology in the implementation; it can be used
>   for a much broader authentication scope than just SSO.  Patch 2/5 also needs
>   to be revisited, despite the ACK I've already given.
> 
> - Documentation could be a bit better.
> 
> - It would be nice to have a really simple test "module" for the server side,
>   which would just give challenges like "How much is X + Y?" where X and Y are
>   random numbers (1-10) and doesn't really need to account for multiple
>   clients at the same time.  But I do realize the management interface can be
>   annoying to work with from simple scripting tools.

I would rather give an example using connect/auth scripts and then a
script hook that can be called on receiving the CR_RESPONSE message. But
I want to wait until the deferred client connect patches are in before
doing that as they might touch the same code.

Implementing a small, e.g. Python-based, management interface might also be
possible, but it would be an example that does a lot more than just that,
because you need a bit more to have something working with the management
interface.

Arne
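The two points discussed above, an empty CR_RESPONSE being treated as a deliberate "no second factor, minimal access" answer and the wish for a tiny "How much is X + Y?" test challenge with base64 validation of the reply, can be sketched as one small verifier. The code below is an added example for this thread, not OpenVPN code and not tied to its management interface; the challenge text comes from the thread, while the access-level names ("minimal", "full", "reject") and the `rng` hook for deterministic tests are assumptions made here.

```python
import base64
import binascii
import secrets


def make_challenge(rng=secrets.randbelow):
    """Build a trivial arithmetic challenge "How much is X + Y?" with X, Y in 1..10.

    Returns (challenge_text, expected_answer). `rng(n)` must return an int in
    [0, n); the default is a CSPRNG so a test script never produces a
    predictable sequence of challenges.
    """
    x = rng(10) + 1
    y = rng(10) + 1
    return f"How much is {x} + {y}?", x + y


def encode_response(text):
    """Encode a client answer the way a base64-carried CR_RESPONSE would be sent."""
    return base64.b64encode(text.encode("utf-8")).decode("ascii")


def decode_response(raw):
    """Classify the raw CR_RESPONSE payload.

    Returns one of:
      ("empty", None)   - client sent nothing (user just pressed enter)
      ("invalid", None) - not valid base64, or not valid UTF-8 once decoded
      ("ok", text)      - decoded answer text
    Distinguishing "empty" from "invalid" is the point: an empty reply can be a
    meaningful "skip", whereas malformed data is always a rejection.
    """
    if raw == "":
        return "empty", None
    try:
        data = base64.b64decode(raw, validate=True)
    except (binascii.Error, ValueError):
        return "invalid", None
    try:
        return "ok", data.decode("utf-8")
    except UnicodeDecodeError:
        return "invalid", None


def evaluate(expected, raw):
    """Map a CR_RESPONSE to an access decision for the challenge's expected answer.

    Policy (assumed for this example): empty -> "minimal" access without the
    extra privileges, correct answer -> "full", anything else -> "reject".
    """
    kind, text = decode_response(raw)
    if kind == "empty":
        return "minimal"
    if kind == "invalid":
        return "reject"
    try:
        answer = int(text.strip())
    except ValueError:
        return "reject"
    # Wrong arithmetic is a failed authentication step, not a downgrade.
    return "full" if answer == expected else "reject"


if __name__ == "__main__":
    challenge, expected = make_challenge()
    print(challenge)
    for sample in ("", encode_response(str(expected)), encode_response("banana"), "not-base64!"):
        print(repr(sample), "->", evaluate(expected, sample))
```

A server-side hook would send the challenge text, keep `expected` per client session, and call `evaluate` on the reply; the three-way result is what lets it grant the reduced profile on an empty reply while still rejecting garbage or wrong answers.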


_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
