Hi,

On Fri, May 05, 2023 at 10:24:08AM +0200, Ralf Hildebrandt via Openvpn-users wrote:
> * Gert Doering <g...@greenie.muc.de>:
>
> > - actually *changing* the auth-token-user from an original
> >   username/password authentication - it runs into the same problem,
> >   but this might be workaroundable by not actually pushing a new
> >   "user". So, question to you, what is the intention behind changing
> >   the username here?
>
> We thought of giving a user (using TOTP/HOTP) with multiple devices
> DIFFERENT usernames in the VPN. But in hindsight it's unclear if
> that's needed at all.

For OpenVPN server-generated tokens it's not a requirement (the token is
tied to the username, so you can't use it for "another" user - you could
theoretically connect with "client machine A" and use the received token
for "client machine B", but since it's all you, not much to gain)

If you generate the tokens "outside" and need to tie them to the "proper"
username (so the reauthentication from $mobile will not invalidate a
single-use token for $laptop), this might indeed be needed...

OpenVPN server-generated tokens are (basically) time+secret based, and can
be reused as long as the time range in the token is valid (and the secret
assures that the token is not manipulated).

gert
-- 
"If was one thing all people took for granted, was conviction that if you
 feed honest figures into a computer, honest figures come out. Never doubted
 it myself till I met a computer with a sense of humor."
                             Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany                             g...@greenie.muc.de
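
The properties described in the message above (token tied to the username, reusable within its time range, protected against manipulation by a server secret), shown as an added example that is not part of the original message and is not OpenVPN's code or token format. It is a simplified time+HMAC token; the secret, lifetime, byte layout and function names are all assumptions.

```python
import base64, hashlib, hmac, struct

SECRET = b"constructed-demo-secret"  # constructed; a real server keeps its secret private
LIFETIME = 3600                      # assumed validity window, in seconds

def _mac(user: str, issued: int) -> bytes:
    # The username is part of the MAC input: this is what ties a token to one user.
    msg = user.encode() + b"\0" + struct.pack(">Q", issued)
    return hmac.new(SECRET, msg, hashlib.sha256).digest()

def issue_token(user: str, now: int) -> str:
    # Assumed layout: 8-byte issue time followed by a 32-byte HMAC-SHA256.
    return base64.urlsafe_b64encode(struct.pack(">Q", now) + _mac(user, now)).decode()

def verify_token(user: str, token: str, now: int) -> str:
    try:
        raw = base64.urlsafe_b64decode(token.encode())
    except ValueError:
        return "invalid"
    if len(raw) != 8 + 32:
        return "invalid"
    issued = struct.unpack(">Q", raw[:8])[0]
    # Check the MAC first, in constant time, so an edited timestamp is never trusted.
    if not hmac.compare_digest(raw[8:], _mac(user, issued)):
        return "invalid"
    if not (issued <= now < issued + LIFETIME):
        return "expired"
    return "ok"

def demo() -> dict:
    t0 = 1_700_000_000  # constructed timestamp
    tok = issue_token("alice", t0)
    raw = base64.urlsafe_b64decode(tok)
    # Same MAC with a later issue time: an attempt to stretch the validity window.
    stretched = base64.urlsafe_b64encode(struct.pack(">Q", t0 + 7200) + raw[8:]).decode()
    return {
        "client machine A, in window": verify_token("alice", tok, t0 + 60),
        "client machine B, same token": verify_token("alice", tok, t0 + 1800),
        "another username": verify_token("bob", tok, t0 + 60),
        "after the time range": verify_token("alice", tok, t0 + LIFETIME),
        "timestamp edited": verify_token("alice", stretched, t0 + 7300),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

Nothing in this model binds the token to a device, which is why the same token verifies from both client machines while the time range is valid.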