how to make ocserv do totp 2FA?

Nikos Mavrogiannopoulos nmav at gnutls.org
Mon May 18 12:57:11 PDT 2015


On Tue, 2015-05-19 at 03:52 +0800, Wang Jian wrote:

> >> Hi,
> >>  I would be surprised if you couldn't use the PAM backend to require two
> >> passwords, a static and TOTP. If you can make your login in your system
> >> to ask 2FA then you can do ocserv as well (for HOTP/TOTP at least, U2F
> >> is another story).
> > I will try. My question is: when PAM prompts for the second password, how does
> > ocserv trigger it in the client's UI?

It sends multiple forms and the openconnect client presents them one by one. You
can even change your password over PAM with openconnect.

> # pam_python module: PAM calls this entry point for authentication
> def pam_sm_authenticate(pamh, flags, argv):
>     # ask for the second factor; ocserv relays this prompt to the client as another form
>     prompt = pamh.Message(pamh.PAM_PROMPT_ECHO_OFF, "Please enter your code")
>     try:
>         resp = pamh.conversation(prompt)
>     except pamh.exception:
>         return pamh.PAM_SYSTEM_ERR
>     # test stub: the fixed code '6666' stands in for a real TOTP check
>     if resp.resp == '6666':
>         return pamh.PAM_SUCCESS
>     else:
>         return pamh.PAM_USER_UNKNOWN
>
> # pam_python also expects this entry point to be defined
> def pam_sm_setcred(pamh, flags, argv):
>     return pamh.PAM_SUCCESS
> With this setup, the Cisco AnyConnect Android client will ask for username, password and
> password again. If all information is correct, the VPN connection is established
> successfully.
> But the OpenConnect Android client will fail immediately after prompting for and
> getting the first password. According to the log, I think it's because the OC Android
> client uses the first password directly for the second prompt, and fails.

Could it be some option to remember the password? How do the other clients
(Windows, or openconnect on Linux) behave?

regards,
Nikos