Hi,

On Fri, Aug 26, 2016 at 12:21:50AM +0200, Steffan Karger wrote:
> One thing I think might be useful is a timeout that forces a client to
> do a full reauth. I can imagine a company policy that, for example,
> requires users to perform a 2FA at least every 4 hours. I'd want to
> implement such a policy without stretching the default 1 hour
> renegotiate to 4 hours. But that might also be too much of a corner
> case which is not worth the extra code...

You just beat me to typing this :-) - right now, our corporate VPN uses
--reneg-sec 28800, because corporate policy says "2FA sessions must be
reauthenticated every 8 hours".

So, with the auth token stuff (which I find immensely amazing :-) ), we
could renegotiate much more often, but then we'd violate policy - so
"generate tokens that are valid for <n> hours" would be a very helpful
addition here.

gert
-- 
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany
g...@greenie.muc.de
fax: +49-89-35655025
g...@net.informatik.tu-muenchen.de
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel