Hi,

On Wed, Feb 21, 2018 at 10:18 PM, Илья Шипицин <chipits...@gmail.com> wrote:
>
>
> 2018-02-21 22:03 GMT+05:00 Selva Nair <selva.n...@gmail.com>:
>>
>> Hi,
>>
>> On Tue, Feb 20, 2018 at 10:10 AM, Илья Шипицин <chipits...@gmail.com>
>> wrote:
>> > Hello,
>> >
>> > is there any step-by-step example of implementing either static or
>> > dynamic
>> > challenge response ?
>>
>> Static is easy:
>> On client: add --static-challenge "Enter OTP" 1 to the client config.
>> On server, merge my auth-pam plugin patch :)
>
>
>
> if static challenge is handled via pam, so ... there's only true/false ?
> I mean, is there a way to tell a user "your password is wrong" or "password
> is good, but response is wrong" ?

The usual practice with PAM is not to indicate that the user input is
partially correct as that leaks information to an attacker.  Of course
you can set it up in a less secure way. But avoid it unless you have a
strong reason.

In case of openvpn, anyway there is no easy way[*] to pass back such
info from server to client, so auth either succeeds or fails.

Selva

[*] It's possible to send back an AUTH_FAIL reason, but currently only
supported by --management-client-auth (not by auth scripts or plugins)
and used only to trigger dynamic challenge.

_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
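As an added example (written for this page; not code from the thread and not OpenVPN's auth-pam plugin): a server-side verifier for the credential a client sends when --static-challenge is configured, which OpenVPN packs into the password field as SCRV1:<base64 password>:<base64 response>. It returns a single pass/fail, never which factor was wrong, as Selva describes above. The user store, salt and fixed demo OTP are constructed for the example; a real deployment would check the response against a TOTP/HOTP backend.

```python
import base64
import hashlib
import hmac


def pbkdf2(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


# Constructed demo store: username -> (salt, password hash, OTP hash).
_SALT = b"constructed-demo-salt"
USERS = {
    "alice": (_SALT, pbkdf2("correct horse", _SALT), pbkdf2("123456", _SALT)),
}


def encode_scrv1(password: str, response: str) -> str:
    """Build the password field the client sends under --static-challenge."""
    def b64(s: str) -> str:
        return base64.b64encode(s.encode()).decode()
    return f"SCRV1:{b64(password)}:{b64(response)}"


def parse_scrv1(field: str):
    """Return (password, response), or None if the field is not a valid SCRV1 credential."""
    parts = field.split(":")
    if len(parts) != 3 or parts[0] != "SCRV1":
        return None
    try:
        return (base64.b64decode(parts[1], validate=True).decode(),
                base64.b64decode(parts[2], validate=True).decode())
    except (ValueError, UnicodeDecodeError):
        return None


def verify(username: str, field: str) -> bool:
    """Single pass/fail answer: the caller learns nothing about which factor failed."""
    parsed = parse_scrv1(field)
    # Unknown users get a dummy record so timing does not reveal whether the name exists.
    salt, pw_hash, otp_hash = USERS.get(username, (_SALT, bytes(32), bytes(32)))
    password, response = parsed if parsed else ("", "")
    pw_ok = hmac.compare_digest(pbkdf2(password, salt), pw_hash)
    otp_ok = hmac.compare_digest(pbkdf2(response, salt), otp_hash)
    # Bitwise AND rather than 'and': both checks always run, no short-circuit on the first failure.
    return bool(parsed) & pw_ok & otp_ok
```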
