how to make ocserv do totp 2FA?

Wang Jian larkwang at gmail.com
Mon May 18 20:19:57 PDT 2015


2015-05-19 3:57 GMT+08:00 Nikos Mavrogiannopoulos <nmav at gnutls.org>:
> On Tue, 2015-05-19 at 03:52 +0800, Wang Jian wrote:
>
>> >> Hi,
>> >>  I would be surprised if you couldn't use the PAM backend to require two
>> >> passwords, a static one and a TOTP. If you can make the login on your system
>> >> ask for 2FA then you can do ocserv as well (for HOTP/TOTP at least, U2F
>> >> is another story).
>> > I will try. My question is: when PAM prompts for the second password, how does
>> > ocserv trigger it in the client's UI?
>
> It sends multiple forms and the openconnect client presents them one by one. You
> can even change your password over PAM with openconnect.
>
>> def pam_sm_authenticate(pamh, flags, argv):
>>     # Ask for the second factor; ocserv relays this prompt to the client as an extra form
>>     prompt = pamh.Message(pamh.PAM_PROMPT_ECHO_OFF, "Please enter your code")
>>     try:
>>         resp = pamh.conversation(prompt)
>>     except pamh.exception:
>>         return pamh.PAM_SYSTEM_ERR
>>     # Test setup: the fixed code '6666' stands in for a real TOTP check
>>     if resp.resp == '6666':
>>         return pamh.PAM_SUCCESS
>>     else:
>>         return pamh.PAM_USER_UNKNOWN
>>
>> def pam_sm_setcred(pamh, flags, argv):
>>     return pamh.PAM_SUCCESS
>> With this setup, the Cisco AnyConnect Android client will ask for username, password and
>> password again. If all information is correct, the VPN connection is established
>> successfully.
>> But the OpenConnect Android client will fail immediately after prompting
>> for and getting the first password. According to the log, I think it's because
>> the OC Android client uses the first password directly for the second prompt,
>> and fails.
>
> Could it be some "remember password" option? How do the other clients
> (Windows or openconnect on Linux) behave?
>

Yes, I retried it. The OpenConnect Android client remembers the password. So when I switched
from a single password to 2FA, it failed the 2nd password and prompted for the 2nd
password, but I couldn't distinguish that and input the first password, then it failed
immediately and finally.

So the good news is the OpenConnect Android client also works now.
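As an added illustration (not code from this thread or from the ocserv project), the pam_python module below replaces the fixed test code with a real TOTP check per RFC 6238 (HMAC-SHA1, 30-second steps, 6 digits, one step of drift tolerance). It is meant to sit after the static-password module in the PAM stack for ocserv, so the TOTP prompt arrives at the client as the second form described above. The per-user secret table, the `pamh` calls used and the constant names are assumptions; the demo secret is the RFC 4226/6238 test key and is constructed, not a real credential.

```python
# Added example, not from the thread: a pam_python-style second-factor module
# that prompts for a TOTP code and verifies it per RFC 6238.
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30
DIGITS = 6
WINDOW = 1  # accept one time step of clock drift on either side

# Constructed demo data (assumption): a real deployment would load a per-user
# secret from a root-only file or a database, never from module source.
USER_SECRETS = {"alice": b"12345678901234567890"}


def hotp(secret, counter, digits=DIGITS):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (digits, code % (10 ** digits))


def totp(secret, now, step=STEP_SECONDS, digits=DIGITS):
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, int(now) // step, digits)


def verify_totp(secret, code, now=None, window=WINDOW):
    """Constant-time compare of the submitted code against the current step
    and +/- `window` neighbouring steps (tolerates small clock drift)."""
    if now is None:
        now = time.time()
    counter = int(now) // STEP_SECONDS
    accepted = False
    for delta in range(-window, window + 1):
        # No early return: evaluate every candidate so timing does not leak
        # which step matched.
        if hmac.compare_digest(hotp(secret, counter + delta), code):
            accepted = True
    return accepted


def pam_sm_authenticate(pamh, flags, argv):
    """pam_python entry point; ocserv forwards the prompt as a second form."""
    user = pamh.get_user(None)
    secret = USER_SECRETS.get(user)
    if secret is None:
        return pamh.PAM_USER_UNKNOWN
    prompt = pamh.Message(pamh.PAM_PROMPT_ECHO_OFF, "Please enter your code")
    try:
        resp = pamh.conversation(prompt)
    except pamh.exception:
        return pamh.PAM_SYSTEM_ERR
    if resp.resp is not None and verify_totp(secret, resp.resp.strip()):
        return pamh.PAM_SUCCESS
    # A wrong code is an authentication failure, not an unknown user.
    return pamh.PAM_AUTH_ERR


def pam_sm_setcred(pamh, flags, argv):
    return pamh.PAM_SUCCESS
```

With a window of one step the server accepts a code from the previous or next 30-second slot, which covers the small clock skew between a phone and the VPN host without widening the acceptance window much further; a stack that also records the last accepted counter per user would additionally block replay of a code within its validity period.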
