Hi Gert,

Gert Doering wrote:
Hi,

On Tue, Aug 13, 2013 at 11:44:52PM +0200, Jan Just Keijser wrote:
???????? ?????????????? wrote:
we are using "auth-user-pass-verify /etc/openvpn/blah-blah-blah.sh
via-env" and user/password authentication is done by external program.
it can be adapted to one time password as well.
interesting - is there Unix/Linux support for these things?

For the RSA SecurID stuff, at least for AIX and Linux, there are libraries
available to authenticate against the server given username+code - I'm not
sure how it works in detail, but I found it a pain to work with.

We use something else called "Kobil SecOVID", which is not time-based
but "press the button, get an OTP token" based - but the principle is
similar.  The Kobil auth server speaks RADIUS, so our OpenVPN server
uses plugin-auth-pam to authenticate vs. PAM, and then pam_radius to
talk to the Kobil server - it could use the openvpn radius plugin as
well, but back in the day, that was more complicated to set up.

I think I confused myself a bit here - it's not that difficult to use the OTP part of the RSA SecurIDs, but I happen to have an RSA USB token that does both the OTP stuff but is also a PKCS11 device - it's Linux drivers for the PKCS11 stuff which have always been missing.

cheers,

JJK

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
