how to make ocserv do totp 2FA?
Nikos Mavrogiannopoulos
nmav at gnutls.org
Mon May 18 14:02:15 PDT 2015
On Mon, 2015-05-18 at 13:48 -0700, Kevin Cernekee wrote:
> On Mon, May 18, 2015 at 1:17 PM, Nikos Mavrogiannopoulos
> <nmav at gnutls.org> wrote:
> > On Mon, 2015-05-18 at 13:13 -0700, Kevin Cernekee wrote:
> >
> >> BTW you'll probably want to make sure something in the login form
> >> (e.g. the password prompt) distinguishes between the alphanumeric
> >> password entry and the OTP entry. Both for user interaction reasons,
> >> and because OpenConnect wants to be able to uniquely identify each
> >> form field in order to save passwords locally.
> >
> > That cannot be really done with PAM, or I can't think of a simple way to
> > do it. You only get prompts with a message, and you don't know if PAM
> > asks the same password again or a new one. What may be distinct in the
> > form that ocserv sends is the <message/> field.
>
> I might be misinterpreting your response, but it looks like pam_oath
> does use a distinctive prompt for the OTP:
>
> http://spod.cx/blog/two-factor-ssh-auth-with-pam_oath-google-authenticator.shtml
>
> username at host:~$ ssh securehost
> Password:
> One-time password (OATH) for `username':
Yes, and that's what you'll see in the message field. Maybe I could hash
that thing, and give a form 'name' that depends on that, but that would
be harder to interpret when the reply is sent.
More information about the openconnect-devel
mailing list