how to make ocserv do totp 2FA?
Wang Jian
larkwang at gmail.com
Mon May 18 10:49:12 PDT 2015
2015-05-19 0:52 GMT+08:00 Nikos Mavrogiannopoulos <nmav at gnutls.org>:
> On Mon, 2015-05-18 at 22:46 +0800, Wang Jian wrote:
>> Hi,
>>
>> I am evaluating VPN with 2FA (w/ TOTP) supports inhouse.
>>
>> Currently, we use openvpn to do static 2FA (w/ shared client certificate), but
>> it's not easy for hundreds of employee scale, and configuration file got leaked
>> easily (actually happened). So this time, we do want to use a solution with less
>> client setup effort.
>> OpenConnect server and client are good starting point, coz openconnect &
>> anyconnect clients all support 2FA.
>>
>> Although multiple factor authentication support is available for
>> ocserv long ago,
>> I can't find docs about how to make static password + totp work for ocserv.Is it
>> possible?
>> Obviously, the current ocserv auth backends don't support such setup. But if I
>> can make client send username, password and 2nd password, I can hack a backend
>> to do password & totp code auth for inhouse use. Anyone can help me out?
>
> Hi,
> I would be surprised if you couldn't use the PAM backend to require two
> passwords, a static and TOTP. If you can make your login in your system
> to ask 2FA then you can do ocserv as well (for HOTP/TOTP at least, U2F
> is another story).
I will try. My question is: when pam prompt for second password, how ocserv
trigger it in client's UI?
The way user inputs just one password which is concat(password, totp) is not I
am looking at.
Regards.
>
> The client certificates approach can be handled entirely within ocserv,
> by stacking two auth methods, (e.g., pam and certificate). Then you
> "only" need to setup a CA to issue certificates and have a process to
> ship smart cards with the certificates to your users.
>
> regards,
> Nikos
>
>
More information about the openconnect-devel
mailing list