how to make ocserv do totp 2FA?
Kevin Cernekee
cernekee at gmail.com
Mon May 18 14:16:52 PDT 2015
On Mon, May 18, 2015 at 2:02 PM, Nikos Mavrogiannopoulos
<nmav at gnutls.org> wrote:
> On Mon, 2015-05-18 at 13:48 -0700, Kevin Cernekee wrote:
>> On Mon, May 18, 2015 at 1:17 PM, Nikos Mavrogiannopoulos
>> <nmav at gnutls.org> wrote:
>> > On Mon, 2015-05-18 at 13:13 -0700, Kevin Cernekee wrote:
>> >
>> >> BTW you'll probably want to make sure something in the login form
>> >> (e.g. the password prompt) distinguishes between the alphanumeric
>> >> password entry and the OTP entry. Both for user interaction reasons,
>> >> and because OpenConnect wants to be able to uniquely identify each
>> >> form field in order to save passwords locally.
>> >
>> > That cannot be really done with PAM, or I can't think of a simple way to
>> > do it. You only get prompts with a message, and you don't know if PAM
>> > asks the same password again or a new one. What may be distinct in the
>> > form that ocserv sends is the <message/> field.
>>
>> I might be misinterpreting your response, but it looks like pam_oath
>> does use a distinctive prompt for the OTP:
>>
>> http://spod.cx/blog/two-factor-ssh-auth-with-pam_oath-google-authenticator.shtml
>>
>> username at host:~$ ssh securehost
>> Password:
>> One-time password (OATH) for `username':
>
> Yes, and that's what you'll see in the message field. Maybe I could hash
> that thing, and give a form 'name' that depends on that, but that would
> be harder to interpret when the reply is sent.
OpenConnect on Android already computes a hash that includes each form
label, so it can remember different passwords for account password vs.
OTP. It won't send the user's "Password:" password in response to a
"One-time password (OATH) for `username':" prompt.
More information about the openconnect-devel
mailing list