Unable to connect from AnyConnect 3.0 and 3.1 Windows Clients to ocserv 0.2.4 and git head

Nikos Mavrogiannopoulos nmav at gnutls.org
Sun Jan 12 11:51:54 EST 2014


On 01/12/2014 04:13 PM, David Woodhouse wrote:

>> That would be tricky. Since ocserv is based on each client having a
>> separate process. Being totally stateless would require adding logic
>> for clients to "steal" the state of another process. I want to keep
>> all clients isolated to keep a simple security model, so I'll try to
>> avoid it if possible.
> Well not quite allowing clients to arbitrarily steal state from each
> other. A separate 'auth server' process could do it. A bit like OpenSSH's
> perhaps?

This is the way ocserv works: there is the main process that handles
authentication and the worker processes that do the unprivileged stuff.
But keeping the protocol simple makes it easy to secure and avoid bugs
that could lead to authentication compromise.

regards,
Nikos
