how to make ocserv do totp 2FA?

Wang Jian larkwang at gmail.com
Tue May 19 01:54:06 PDT 2015


2015-05-19 14:48 GMT+08:00 Nikos Mavrogiannopoulos <nmav at gnutls.org>:
> On Tue, May 19, 2015 at 4:01 AM, Wang Jian <larkwang at gmail.com> wrote:
>> PAM is mostly for tty usage. For tty applications, it's easy to show
>> prompt verbatim.
>>
>> For a VPN GUI, whether it is suitable to send the prompt verbatim depends.
>> Look at pam.c of ocserv,
> [...]
>> It seems that this can be improved.
>
> Things can always be improved. What do you mean particularly in that case?

diff --git a/src/auth/pam.c b/src/auth/pam.c
index f224016..d82e630 100644
--- a/src/auth/pam.c
+++ b/src/auth/pam.c
@@ -85,6 +85,8 @@ unsigned i;
                                if (pctx->sent_msg == 0) {
                                        /* no message, just asking for
password */
                                        str_reset(&pctx->msg);
+                                       str_append_str(&pctx->msg, msg[i]->msg);
+                                       str_append_data(&pctx->msg, " ", 1);
                                        pctx->sent_msg = 1;
                                }
                                pctx->state = PAM_S_WAIT_FOR_PASS;
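Review bot: the comment just above the added lines still says "no message, just asking for password", but this branch now copies msg[i]->msg into pctx->msg, so the comment should be updated to say that the PAM module's own prompt is forwarded to the client. The append also needs a guard: if a module supplies a NULL or empty msg[i]->msg, the client gets a prompt that is a lone space; wrapping the two appends in `if (msg[i]->msg && msg[i]->msg[0]) { ... }` avoids that. Since the prompt is forwarded verbatim, the consumer in worker-auth.c has to treat it as arbitrary module-supplied text, which is the GUI-suitability concern raised earlier in this thread.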


With the above patch, I can get the "Please input your code" prompt as I wish. But this
is superficial.

The OpenConnect Android client can remember passwords according to the XML auth
form field name. But currently, multiple passwords use the same field name, so
it will be confusing for the app and users.

Look at this doc: https://www.duosecurity.com/docs/cisco-faq
The auth form has 2 password fields, so 2 passwords (static and totp) can
be input in one go. But remembering passwords will not work well; actually,
the anyconnect client doesn't remember passwords at all.

ocserv can get 2 passwords in 2 steps, with different field names. So the client
can be set to remember these 2 passwords or not, separately.

To achieve this, it's better to provide a stub backend (embedded
python or lua, etc.) and extend it using scripts.
(Actually, using pam_python with the above patch, it's nearly finished.)

And src/worker-auth.c, the XML auth form and its processing should be extended
for the field PASSWORD2.

int post_auth_handler(worker_st * ws, unsigned http_ver);
int get_auth_handler2(worker_st * ws, unsigned http_ver, const char *pmsg);
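Added example, not code from ocserv, pam_python or this thread: a small Python model of the two-step conversation described above (static password under one form field, then a TOTP code under a separate field), together with RFC 6238 TOTP verification using a one-step clock window and replay protection. The class name TwoStepAuth, the field names "password" and "password2", the prompt labels and the user table are assumptions; the ocserv hooks and the pam_python API are not used.

```python
"""Two-step password + TOTP check modelled on the conversation in the thread.

Added example, not ocserv or pam_python code. TwoStepAuth, the field names
"password"/"password2", the prompt labels and USERS are assumptions.
"""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret, code, at_time, last_counter=-1, window=1, step=30, digits=6):
    """Accept a code from the current step or up to `window` steps either side,
    but never from a step at or before the last accepted one (replay protection).
    Returns the matching counter, or None when nothing matches."""
    now_counter = int(at_time) // step
    for delta in range(-window, window + 1):
        counter = now_counter + delta
        if counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            return counter
    return None


# Constructed user table for the example. The TOTP secret is the RFC 6238 test
# secret; a real backend would store a password hash, not the password itself.
USERS = {
    "alice": {"password": "correct horse", "totp_secret": b"12345678901234567890"},
}


class TwoStepAuth:
    """Models the two-step conversation: first the static password, then the TOTP
    code. Each step uses its own form field, so a client can decide per field
    whether to remember the value."""

    PROMPTS = {
        "WAIT_FOR_PASS": {"field": "password", "label": "Password:"},
        "WAIT_FOR_CODE": {"field": "password2", "label": "Please input your code:"},
    }

    def __init__(self, users, clock):
        self.users = users
        self.clock = clock            # callable returning Unix time
        self.state = "WAIT_FOR_PASS"
        self.user = None
        self.last_counter = {}        # username -> last accepted TOTP counter

    def prompt(self):
        """Field name and label for the step the conversation is waiting on."""
        return dict(self.PROMPTS[self.state])

    def submit(self, username, value):
        """Feed one answer; returns "NEXT", "OK" or "FAIL" and advances the state."""
        rec = self.users.get(username)
        if self.state == "WAIT_FOR_PASS":
            # Compare even for unknown users so the code path does not differ.
            expected = rec["password"] if rec else ""
            if rec is None or not hmac.compare_digest(expected.encode(), value.encode()):
                return "FAIL"
            self.user = username
            self.state = "WAIT_FOR_CODE"
            return "NEXT"
        # WAIT_FOR_CODE: the code must come from the user who passed step one.
        self.state = "WAIT_FOR_PASS"
        if username != self.user:
            return "FAIL"
        self.user = None
        counter = verify_totp(rec["totp_secret"], value, self.clock(),
                              self.last_counter.get(username, -1))
        if counter is None:
            return "FAIL"
        self.last_counter[username] = counter
        return "OK"
```

The replay check is the part a PAM stub most often forgets: a valid code is accepted once per time step, so a captured code cannot be reused within the window.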


