On 06/04/17 00:30, debbie10t wrote:
> 
> One final clarification:
> 
> As a user, I would prefer to see an early 2FA re-connect than one in
> the final few minutes, especially if I am already accustomed to a one
> hour cut-off. Such that, doing 45 mins of work and getting cut off is more
> annoying than doing 15 mins and getting cut off.

This doesn't make much sense to me, to be honest.

At least all those 2FA approaches I've used (both hardware and software
tokens) usually have a lifetime of 30 seconds for each token.  So
unless the user types username, the new OTP code and password within
a reasonable time, the connection should be closed regardless.  Whenever
this renegotiation happens, it doesn't matter if 2FA is used or not - as
the 2FA code is most likely outdated already.

That said, doing a re-connect forcing users to type in another 2FA code is
also less than ideal - which can in the short term be avoided by
adding --auth-gen-token to the server config.  That should preserve a
reasonably good security level on the session anyway.

And in regards to the --reneg-sec discussion ... whether it happens
after 3363 seconds or 3599 seconds doesn't really matter much for the
end-user.  Regardless of 2FA or not.


-- 
kind regards,

David Sommerseth
OpenVPN Technologies, Inc

_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel