how to make ocserv do totp 2FA?
Kevin Cernekee
cernekee at gmail.com
Mon May 18 13:48:34 PDT 2015
On Mon, May 18, 2015 at 1:17 PM, Nikos Mavrogiannopoulos
<nmav at gnutls.org> wrote:
> On Mon, 2015-05-18 at 13:13 -0700, Kevin Cernekee wrote:
>
>> BTW you'll probably want to make sure something in the login form
>> (e.g. the password prompt) distinguishes between the alphanumeric
>> password entry and the OTP entry. Both for user interaction reasons,
>> and because OpenConnect wants to be able to uniquely identify each
>> form field in order to save passwords locally.
>
> That cannot be really done with PAM, or I can't think of a simple way to
> do it. You only get prompts with a message, and you don't know if PAM
> asks the same password again or a new one. What may be distinct in the
> form that ocserv sends is the <message/> field.
I might be misinterpreting your response, but it looks like pam_oath
does use a distinctive prompt for the OTP:
http://spod.cx/blog/two-factor-ssh-auth-with-pam_oath-google-authenticator.shtml
username at host:~$ ssh securehost
Password:
One-time password (OATH) for `username':
Last login: Wed Jul 10 22:38:53 2013 from somehost.example.com
username at securehost:~$
Or for pam_google_authenticator:
https://wiki.archlinux.org/index.php/Google_Authenticator#Testing
More information about the openconnect-devel
mailing list