Hi,

On Thu, Dec 22, 2016 at 11:26:14AM -0500, Selva Nair wrote:
> On Sat, Dec 17, 2016 at 5:13 AM, Gert Doering <g...@greenie.muc.de> wrote:
> >
> > (Main reason we can't stick to BF-CBC is that we use OTP passwords and
> > with "reneg-bytes 64M" it's asking way too often for user+password...)
>
> If I may ask, assuming you use username/password + OTP, how do you do
> auth-user-pass-verify on the server? A custom script or plugin? Asking this
> because I want to retire a script and replace it with something better. I
> use PAM so extending the auth-pam plugin to handle password and otp
> (eventually even dynamic challenge) may be the way to go?
We currently use plugin-auth-pam which talks to pam_radius, and that one
talks to a Kobil Secure-something server that does the actual OTP
validation.

The reason we do it that way is "it worked" :-) - and we use the same
authentication backend for SSH, so pam_radius solved both OpenVPN and SSH
authentication in one go. Using radiusplugin might have been nicer for
OpenVPN, but "openvpn only".

We do not use challenge (static or dynamic) today, as we did not know that
these exist when building the system - so the user enters his "token + PIN"
as one string into the "Password:" field, and the Kobil RADIUS backend
knows which bits are which.

Challenge would definitely be nicer, but I totally lack time to work on
that - "it works as it is", so the pressure to build something "better" is
small.

gert
--
USENET is *not* the non-clickable part of WWW!                         //www.muc.de/~gert/
Gert Doering - Munich, Germany                             g...@greenie.muc.de
fax: +49-89-35655025                        g...@net.informatik.tu-muenchen.de
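Selva asks whether a custom script or a plugin is the better way to do `auth-user-pass-verify` with password + OTP, and Gert's answer describes a setup where the "token + PIN" string is decoded by a Kobil RADIUS backend behind pam_radius. The block below is an added example, not code from this thread and not Gert's or the OpenVPN project's setup: it shows what a minimal `auth-user-pass-verify ... via-file` script has to do if the OTP check is done locally instead. It relies on the documented `via-file` contract (OpenVPN writes the username on line 1 and the password on line 2 of a temporary file and runs the script with that path as its argument). Everything else is an assumption for illustration: the user table `USERS` is constructed inline, the PIN is stored in clear only to keep the example short (a real script would store a salted hash), the password is assumed to be PIN followed by a 6-digit TOTP (RFC 6238, HMAC-SHA1, 30-second step) rather than whatever format the Kobil token uses, and the seed is the RFC 4226/6238 test-vector secret so the values can be checked against the RFCs.

```python
#!/usr/bin/env python3
"""Illustrative OpenVPN auth-user-pass-verify script (via-file mode).

Exit status 0 = authentication accepted, 1 = rejected. Constructed example,
not production code: PINs are kept in clear and no replay tracking is done.
"""
import hashlib
import hmac
import struct
import sys
import time

OTP_DIGITS = 6   # length of the OTP suffix the user appends to the PIN (assumption)
OTP_STEP = 30    # TOTP time step in seconds (RFC 6238 default)

# Constructed user table; the secret is the RFC 4226/6238 test-vector seed.
USERS = {
    "alice": {"pin": "hunter2", "secret": b"12345678901234567890"},
}


def hotp(secret: bytes, counter: int, digits: int = OTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a zero-padded decimal code."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = OTP_STEP, digits: int = OTP_DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step, digits)


def parse_via_file(text: str):
    """OpenVPN's via-file layout: line 1 username, line 2 password."""
    lines = text.splitlines()
    if len(lines) < 2:
        raise ValueError("credential file must contain username and password lines")
    return lines[0], lines[1]


def split_pin_otp(password: str, otp_digits: int = OTP_DIGITS):
    """Split 'PIN + OTP' into its parts, or None if the shape is wrong.
    The OTP is assumed to be the trailing fixed-length digit run."""
    if len(password) <= otp_digits or not password[-otp_digits:].isdigit():
        return None
    return password[:-otp_digits], password[-otp_digits:]


def verify(username: str, password: str, now: int, window: int = 1) -> bool:
    """Accept only if both the PIN and the OTP match.  Both comparisons are
    constant-time and both are always evaluated, so a wrong PIN and a wrong
    OTP take the same time.  'window' steps of clock skew are tolerated."""
    user = USERS.get(username)
    if user is None:
        return False
    parts = split_pin_otp(password)
    if parts is None:
        return False
    pin, otp = parts
    pin_ok = hmac.compare_digest(pin.encode(), user["pin"].encode())
    otp_ok = False
    for skew in range(-window, window + 1):
        candidate = totp(user["secret"], now + skew * OTP_STEP)
        if hmac.compare_digest(candidate, otp):
            otp_ok = True   # keep looping: no early exit on success
    return pin_ok and otp_ok


def main(argv) -> int:
    if len(argv) != 2:
        return 1
    with open(argv[1], encoding="utf-8") as fh:
        username, password = parse_via_file(fh.read())
    return 0 if verify(username, password, int(time.time())) else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

In the server config this would be wired up as `auth-user-pass-verify /path/to/script.py via-file` together with `script-security 2`. Two things the example deliberately leaves out are what make the plugin/RADIUS route attractive in practice: an accepted OTP should be remembered for the duration of its validity window so it cannot be replayed, and Gert's point about `reneg-bytes` applies here too, since every renegotiation will re-run this script and prompt for a fresh token unless `auth-gen-token` or a similar mechanism is used.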
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users