Unable to connect from AnyConnect 3.0 and 3.1 Windows Clients to ocserv 0.2.4 and git head

David Woodhouse dwmw2 at infradead.org
Sun Jan 12 10:13:20 EST 2014


> On 01/12/2014 01:41 PM, David Woodhouse wrote:
>>> Indeed that was the issue and it seems it is now fixed by having
>>> ocserv use a compact authentication method (ask both username
>>> and password in one go) if the client does auth using the
>>> "Connection: Close" HTTP headers. That would work only if a single
>>> password is required from PAM, but I guess that's a reasonable
>>> trade-off.
>>
>> Hm, but that isn't a sufficient indicator that the client will
>> *actually*
>> reuse the same connection. The connection might close anyway, if there
>> is
>> a crap proxy or NAT timeout while the user is entering their response
>> etc.
>> I think you have to be prepared to be stateless every time, keeping a
>> pool
>> of active PAM sessions and a cookie to match client to session, and a
>> timeout/expiry for them.
>
> That would be tricky. Since ocserv is based on each client having a
> separate process. Being totally stateless would require adding logic
> for clients to "steal" the state of another process. I want to keep
> all clients isolated to keep a simple security model, so I'll try to
> avoid it if possible.

Well, not quite allowing clients to arbitrarily steal state from each
other. A separate 'auth server' process could do it. A bit like OpenSSH's,
perhaps?


-- 
dwmw2
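The design sketched in the quoted exchange (a pool of in-progress authentication sessions, matched to the client by a cookie it echoes back on whatever connection it comes in on, and expired after an idle timeout) as an added example in C. This is not ocserv or OpenConnect code; the struct layout, the function names, the 120-second idle limit and /dev/urandom as the cookie source are assumptions for illustration, and the PAM conversation itself is left out: the pool only records which prompt each client is waiting on.

```c
/* Added example, not ocserv code: stateless auth-session pool keyed by a random
 * cookie, with idle expiry. Names, sizes and the TTL are assumed values. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

#define COOKIE_LEN   32    /* 256-bit random cookie: presenting it resumes the session */
#define MAX_SESSIONS 64
#define IDLE_TTL     120   /* seconds an unfinished exchange may sit idle (assumed) */

enum auth_state { AUTH_FREE = 0, AUTH_NEED_PASSWORD, AUTH_NEED_OTP, AUTH_DONE };

struct auth_session {
    uint8_t cookie[COOKIE_LEN];
    enum auth_state state;   /* which prompt this client still owes an answer to */
    time_t last_seen;        /* drives idle expiry */
    char username[64];
};

static struct auth_session pool[MAX_SESSIONS];

/* Cookie bytes from the OS CSPRNG: a guessable cookie lets anyone hijack a conversation. */
static int random_bytes(uint8_t *out, size_t n)
{
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f) return -1;
    size_t got = fread(out, 1, n, f);
    fclose(f);
    return got == n ? 0 : -1;
}

/* Constant-time compare so a client cannot learn a cookie one byte at a time. */
static int ct_equal(const uint8_t *a, const uint8_t *b, size_t n)
{
    uint8_t d = 0;
    for (size_t i = 0; i < n; i++) d |= a[i] ^ b[i];
    return d == 0;
}

/* Drop sessions idle longer than IDLE_TTL; returns how many were dropped. */
int session_expire(time_t now)
{
    int dropped = 0;
    for (int i = 0; i < MAX_SESSIONS; i++) {
        if (pool[i].state != AUTH_FREE && now - pool[i].last_seen > IDLE_TTL) {
            memset(&pool[i], 0, sizeof pool[i]);   /* back to AUTH_FREE */
            dropped++;
        }
    }
    return dropped;
}

/* Start a conversation for `user`; the cookie the client must echo is written to
 * cookie_out. Returns the slot index, or -1 if the pool is full or the RNG failed. */
int session_new(const char *user, time_t now, uint8_t cookie_out[COOKIE_LEN])
{
    session_expire(now);
    for (int i = 0; i < MAX_SESSIONS; i++) {
        if (pool[i].state != AUTH_FREE) continue;
        if (random_bytes(pool[i].cookie, COOKIE_LEN) != 0) return -1;
        pool[i].state = AUTH_NEED_PASSWORD;
        pool[i].last_seen = now;
        snprintf(pool[i].username, sizeof pool[i].username, "%s", user);
        memcpy(cookie_out, pool[i].cookie, COOKIE_LEN);
        return i;
    }
    return -1;
}

/* Resume from a cookie presented on a fresh TCP connection. Every slot is compared,
 * so timing does not reveal which one matched. NULL if unknown or expired. */
struct auth_session *session_find(const uint8_t cookie[COOKIE_LEN], time_t now)
{
    session_expire(now);
    int hit = -1;
    for (int i = 0; i < MAX_SESSIONS; i++) {
        int live = pool[i].state != AUTH_FREE;
        int eq = ct_equal(pool[i].cookie, cookie, COOKIE_LEN);
        if (live && eq) hit = i;
    }
    if (hit < 0) return NULL;
    pool[hit].last_seen = now;   /* activity resets the idle clock */
    return &pool[hit];
}

/* Exercise the pool with a fixed clock: returns 1 when every check passes. */
int session_selftest(void)
{
    uint8_t c[COOKIE_LEN], bad[COOKIE_LEN];
    time_t t0 = 1000;
    if (session_new("alice", t0, c) < 0) return 0;
    struct auth_session *s = session_find(c, t0 + 30);        /* resumes */
    if (!s || strcmp(s->username, "alice") != 0) return 0;
    memcpy(bad, c, COOKIE_LEN); bad[0] ^= 1;
    if (session_find(bad, t0 + 30) != NULL) return 0;          /* wrong cookie */
    if (session_find(c, t0 + 30 + IDLE_TTL + 1) != NULL) return 0; /* idle too long */
    return 1;
}

int main(void)
{
    printf("selftest: %s\n", session_selftest() ? "ok" : "FAILED");
    return 0;
}
```

With a pool like this the worker that answers a request never depends on the previous request having arrived on the same TCP connection; the cookie is the only link, which is why it must be long, random and compared in constant time, and why an idle timeout is needed so abandoned conversations do not pin slots forever.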
