recvmsg: Connection timed out (when dual auth)

Nux! nux at li.nux.ro
Thu Sep 15 02:33:03 PDT 2016


Hello,

I have patched ocserv and rebuilt the EPEL rpm, however no luck.

I am counting 12 seconds from when I first input the password in the AnyConnect client until AnyConnect prompts again for one.
I would imagine the 10s timeout still kicks in somehow and the 2s difference is client overhead.

I ran ocserv with debug 999 and here is the log, if it helps.
http://paste.fedoraproject.org/428276/73931471/

10s is barely usable; by the time I grab my phone, unlock and approve the login in the Duo app... there's no room for error, and a less technical user might not be as fast.

Glad to test out other patches and options.

--
Sent from the Delta quadrant using Borg technology!

Nux!
www.nux.ro

----- Original Message -----
> From: "Nikos Mavrogiannopoulos" <n.mavrogiannopoulos at gmail.com>
> To: "Nux!" <nux at li.nux.ro>
> Cc: "openconnect-devel" <openconnect-devel at lists.infradead.org>
> Sent: Thursday, 15 September, 2016 07:39:34
> Subject: Re: recvmsg: Connection timed out (when dual auth)

> On Wed, Sep 14, 2016 at 4:58 PM, Nux! <nux at li.nux.ro> wrote:
>> Hello,
>> While getting PAM to talk to both Radius and Duo is still not solved, I managed
>> to install the Duo proxy software which acts like a local RADIUS client; in the
>> background it checks both our RADIUS server in the LAN and DUO's 2FA service.
>>
>> All good and well, I can connect with my RADIUS password and the DUO application
>> on my mobile asks for approval, but unless I'm really quick with the approval
>> the auth fails. It must be something like 5 seconds max.
>> I tried specifying "auth-timeout = 30" in ocserv.conf to give me more time, but
>> it doesn't seem to fix the issue.
>>
>> Any ideas?
>>
>> ocserv[7916]: radius-auth: communicating username (foobar) and password
>> ocserv[7922]: common.c:609: recvmsg: Connection timed out
>> ocserv[7922]: worker: 172.16.5.34 worker-auth.c:688: error receiving auth reply message
> 
> That seems to be in the communication between the worker process and
> the security module process. I guess that you have to type your reply
> before the worker thinks that the security module is stuck providing
> its response, that's by default 10 secs.
> 
> Does this address your issue?
> https://gitlab.com/ocserv/ocserv/commit/ede5d97be86cf94f5e88cccc850f3626295f9028
> 
> 
> regards,
> Nikos


