how to make ocserv do totp 2FA?

Kevin Cernekee cernekee at gmail.com
Tue May 19 07:26:06 PDT 2015


On Mon, May 18, 2015 at 11:51 PM, Nikos Mavrogiannopoulos
<nmav at gnutls.org> wrote:
> On Tue, May 19, 2015 at 6:10 AM, Kevin Cernekee <cernekee at gmail.com> wrote:
>>> Is that for the input type's label or the message field in config-auth
>>> section?
>> Label only.  AFAICT it is using the message field for display purposes
>> only, not as part of the hash.
>
> I'm wondering whether setting the label to that string or changing the
> name would actually help the client. I don't think that's the case. If
> you receive a second prompt for a password with the same label/name a
> pop up would have to be brought anyway because it is either the first
> input password that is wrong, or an otp. Also, even if ocserv would
> provide a unique name, it wouldn't help in the otp case if you
> remember and send both passwords in batch mode. Maybe it would make
> sense to remember only the first password prompt in batch mode, and
> become interactive otherwise?

Batch mode automatically disables itself if it sees the same exact
form twice in a row.  If the user changed his password on the remote
end but the local end isn't updated, we don't want the app to hammer
the server with the old password (and risk locking out the account).

I'm not sure if this works 100% perfectly if identical-looking forms
are prompting for different information, since we're still trying to
cache the password and look it up based on the hash of the form
fields.
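The behaviour described above (cache keyed on a hash of the form fields, and batch mode switching itself off when the identical form comes back) can be seen with a small toy model. This is an added, constructed example and not OpenConnect's or ocserv's own code: the field name `password`, the label and message strings, the sample secrets, the three-failure lockout threshold and the idea that the server's password and OTP prompts share the same field name and label are all assumptions made for illustration. The `stop_on_repeat` switch lets you compare the guard Kevin describes against a client that keeps replaying the cached password.

```python
import hashlib
import json

# Constructed toy model of a batch-mode client talking to a server that asks
# for a password and then a one-time code using two forms whose fields look
# identical.  Not OpenConnect or ocserv code; all names and values are assumed.


def form_key(fields):
    """Key the answer cache on field names and labels only; the message text
    is display-only and deliberately left out of the hash."""
    canon = json.dumps([[f["name"], f["label"]] for f in fields])
    return hashlib.sha256(canon.encode()).hexdigest()


class ToyServer:
    """Stage 0 wants the password, stage 1 wants the OTP.  Both stages present
    the same field name and label; only the message differs (assumption)."""

    PASSWORD = "correct-horse"   # constructed sample secrets
    OTP = "123456"
    LOCKOUT = 3                  # failed attempts before lockout (assumption)

    def __init__(self):
        self.stage = 0
        self.failures = 0
        self.locked = False

    def form(self):
        msg = "Enter your password" if self.stage == 0 else "Enter your one-time code"
        return {"message": msg,
                "fields": [{"name": "password", "label": "Password:"}]}

    def submit(self, answer):
        expected = self.PASSWORD if self.stage == 0 else self.OTP
        if answer == expected:
            self.stage += 1
            return "ok" if self.stage == 2 else "next"
        self.failures += 1
        if self.failures >= self.LOCKOUT:
            self.locked = True
            return "locked"
        return "retry"


class ToyClient:
    """Batch mode replays a cached answer when the form hash is known; with
    stop_on_repeat it drops to interactive mode on seeing the same form twice."""

    def __init__(self, cache, stop_on_repeat=True):
        self.cache = dict(cache)          # form_key -> cached answer
        self.batch = True
        self.stop_on_repeat = stop_on_repeat
        self.last_key = None
        self.trace = []

    def answer(self, form, ask_user):
        key = form_key(form["fields"])
        if self.batch and self.stop_on_repeat and key == self.last_key:
            self.batch = False
            self.trace.append("same form twice: batch mode off")
        self.last_key = key
        if self.batch and key in self.cache:
            self.trace.append("batch: sent cached answer")
            return self.cache[key]
        self.trace.append("interactive prompt")
        return ask_user(form)


def login(client, server, ask_user, max_rounds=10):
    """Drive the exchange until success, lockout, or the round limit."""
    for _ in range(max_rounds):
        result = server.submit(client.answer(server.form(), ask_user))
        if result in ("ok", "locked"):
            return result
    return "gave up"


def run(stop_on_repeat):
    """Return (outcome, server failure count, client trace) for one login."""
    server = ToyServer()
    key = form_key(server.form()["fields"])
    client = ToyClient({key: ToyServer.PASSWORD}, stop_on_repeat)
    # When prompted interactively, the user answers according to the message shown.
    ask_user = lambda form: (ToyServer.OTP if "one-time" in form["message"]
                             else ToyServer.PASSWORD)
    outcome = login(client, server, ask_user)
    return outcome, server.failures, client.trace


if __name__ == "__main__":
    for flag in (True, False):
        outcome, failures, trace = run(flag)
        print(f"stop_on_repeat={flag}: {outcome}, failures={failures}, trace={trace}")
```

With the guard on, the cached password is sent once, the identical OTP form trips the repeat check, and the user is prompted for the code with no failed attempts recorded. With the guard off, the client replays the cached password into the OTP prompt until the toy server locks the account, which is exactly the hammering the message is trying to avoid; the model also makes visible why two different prompts that hash to the same key cannot be told apart by the cache alone.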



More information about the openconnect-devel mailing list