2018-02-22 8:52 GMT+05:00 Selva Nair <selva.n...@gmail.com>:

> Hi,
>
> On Wed, Feb 21, 2018 at 10:18 PM, Илья Шипицин <chipits...@gmail.com>
> wrote:
> >
> >
> > 2018-02-21 22:03 GMT+05:00 Selva Nair <selva.n...@gmail.com>:
> >>
> >> Hi,
> >>
> >> On Tue, Feb 20, 2018 at 10:10 AM, Илья Шипицин <chipits...@gmail.com>
> >> wrote:
> >> > Hello,
> >> >
> >> > is there any step-by-step example of implementing either static or
> >> > dynamic
> >> > challenge response ?
> >>
> >> Static is easy:
> >> On client: add --static-challenge "Enter OTP" 1 to the client config.
> >> On server, merge my auth-pam plugin patch :)
> >
> >
> >
> > if static challenge is handled via pam, so ... there's only true/false ?
> > I mean, is there a way to tell a user "your password is wrong" or
> "password
> > is good, but response is wrong" ?
>
> The usual practice with PAM is not to indicate that the user input is
> partially correct as that leaks information to an attacker.  Of course
> you can set it up in a less secure way. But avoid it unless you have a
> strong reason.
>
> In case of openvpn, anyway there is no easy way[*] to pass back such
> info from server to client, so auth either succeeds or fails.
>

well, what I can say about it

1) definitely we need some examples on challenge/response

2) for example, windows ldap can respond with "password is ok, but account
is locked" or "password is ok, but password is expired". we definitely need
some way for that messaging


>
> Selva
>
> [*] Its possible to send back an AUTH_FAIL reason, but currently only
> supported by --management-client-auth (not by auth scripts or plugins)
> and used only to trigger dynamic challenge.
>
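As an added illustration of the static challenge Selva describes above (not code from this thread or from OpenVPN itself): with --static-challenge on the client, the password field the server receives is encoded as SCRV1:<base64 password>:<base64 response>, per OpenVPN's management-notes. The snippet below parses that field on the server side and, following Selva's point about not leaking which factor failed, always evaluates both factors and returns a single verdict; the sample field is constructed, and check_password / check_otp are hypothetical callbacks standing in for the real PAM or OTP check.

```python
import base64

# Constructed sample of what a client configured with
# --static-challenge "Enter OTP" 1 sends as its "password" field.
SAMPLE_SCRV1 = (
    "SCRV1:"
    + base64.b64encode(b"s3cret").decode()
    + ":"
    + base64.b64encode(b"123456").decode()
)


def parse_scrv1(password_field):
    """Split an SCRV1 password field into (password, response).

    Returns None when the field is not valid SCRV1, e.g. when a client
    without --static-challenge sent a plain password, or base64 is malformed.
    """
    parts = password_field.split(":")
    if len(parts) != 3 or parts[0] != "SCRV1":
        return None
    try:
        pw = base64.b64decode(parts[1], validate=True).decode("utf-8")
        resp = base64.b64decode(parts[2], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    return pw, resp


def verify(password_field, check_password, check_otp):
    """Return a single True/False verdict for the whole credential.

    Both factors are checked before combining the results so that timing and
    the return value alone do not reveal which one was wrong. check_password
    and check_otp are hypothetical callbacks (PAM, OTP backend, ...).
    """
    parsed = parse_scrv1(password_field)
    if parsed is None:
        return False
    pw, resp = parsed
    pw_ok = check_password(pw)
    otp_ok = check_otp(resp)
    return bool(pw_ok and otp_ok)
```

An auth-user-pass-verify script would read the field from the environment OpenVPN provides and exit non-zero whenever verify() returns False.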
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel