how to make ocserv do totp 2FA?

Nikos Mavrogiannopoulos nmav at gnutls.org
Wed May 20 02:46:40 PDT 2015


On Tue, May 19, 2015 at 4:26 PM, Kevin Cernekee <cernekee at gmail.com> wrote:
> Batch mode automatically disables itself if it sees the same exact
> form twice in a row.  If the user changed his password on the remote
> end but the local end isn't updated, we don't want the app to hammer
> the server with the old password (and risk locking out the account).
> I'm not sure if this works 100% perfectly if identical-looking forms
> are prompting for different information, since we're still trying to
> cache the password and look it up based on the hash of the form
> fields.

[resending to list too]
Currently, I've modified ocserv to send name=password for the first
asked password and name=password1 for the second. Label and type
remain the same. However, the Cisco client fails when it encounters
the "password1" name. It has to be called password for it to work. Do
you know if there are other names or types that are acceptable to it?
Do you have some HTTP log when the Cisco server is configured with an
additional OTP?

regards,
Nikos
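An added illustration, not code from openconnect or ocserv, of the form-hash caching Kevin describes and why two identical-looking forms (the password prompt and an OTP prompt that reuse name=password) collide under it, while Nikos's name=password1 variant does not. The field tuple layout, the cache shape and the BatchAuth class are assumptions made for this example:

```python
import hashlib
from typing import Dict, List, Optional, Tuple

# A form field as the client sees it: (name, label, type). Constructed
# for this example; the real wire format is not shown in the thread.
Field = Tuple[str, str, str]

def form_fingerprint(fields: List[Field]) -> str:
    """Cache key: a hash over the form's fields (assumed scheme)."""
    h = hashlib.sha256()
    for name, label, ftype in fields:
        h.update(f"{name}\0{label}\0{ftype}\n".encode())
    return h.hexdigest()

class BatchAuth:
    """Replays cached answers; disables itself on a repeated form."""
    def __init__(self, cache: Dict[str, Dict[str, str]]):
        self.cache = cache
        self.enabled = True
        self.last_fp: Optional[str] = None

    def answer(self, fields: List[Field]) -> Optional[Dict[str, str]]:
        fp = form_fingerprint(fields)
        if fp == self.last_fp:
            # Same form twice in a row: assume the cached answer was
            # rejected and stop replaying it (avoids lockout).
            self.enabled = False
        self.last_fp = fp
        if not self.enabled:
            return None  # caller falls back to prompting the user
        return self.cache.get(fp)

# Constructed forms: the OTP prompt is indistinguishable from the
# password prompt when it reuses name=password with the same label/type.
PASSWORD_FORM: List[Field] = [("password", "Password:", "password")]
OTP_FORM_SAME_NAME: List[Field] = [("password", "Password:", "password")]
OTP_FORM_RENAMED: List[Field] = [("password1", "Password:", "password")]

def run_login(otp_form: List[Field]) -> Tuple[Optional[Dict[str, str]], Optional[Dict[str, str]], bool]:
    """Return (first answer, second answer, batch still enabled)."""
    cache = {form_fingerprint(PASSWORD_FORM): {"password": "hunter2"}}
    auth = BatchAuth(cache)
    first = auth.answer(PASSWORD_FORM)
    second = auth.answer(otp_form)
    return first, second, auth.enabled

if __name__ == "__main__":
    print("same name:", run_login(OTP_FORM_SAME_NAME))
    print("renamed:  ", run_login(OTP_FORM_RENAMED))
```

With the reused name, the second prompt hashes to the same key, so batch mode sees a "repeat" and switches itself off instead of answering the OTP; with a distinct name the cache simply has no entry for the second form.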
