Hi

On Thu, Feb 22, 2018 at 1:46 AM, Илья Шипицин <chipits...@gmail.com> wrote:
> 2018-02-22 8:52 GMT+05:00 Selva Nair <selva.n...@gmail.com>:
>> Hi,
>>
>> On Wed, Feb 21, 2018 at 10:18 PM, Илья Шипицин <chipits...@gmail.com> wrote:
>> > 2018-02-21 22:03 GMT+05:00 Selva Nair <selva.n...@gmail.com>:
>> >> Hi,
>> >>
>> >> On Tue, Feb 20, 2018 at 10:10 AM, Илья Шипицин <chipits...@gmail.com> wrote:
>> >> > Hello,
>> >> >
>> >> > Is there any step-by-step example of implementing either static or
>> >> > dynamic challenge response?
>> >>
>> >> Static is easy:
>> >> On client: add --static-challenge "Enter OTP" 1 to the client config.
>> >> On server, merge my auth-pam plugin patch :)
>> >
>> > If the static challenge is handled via PAM, then there's only true/false?
>> > I mean, is there a way to tell a user "your password is wrong" or
>> > "password is good, but response is wrong"?
>>
>> The usual practice with PAM is not to indicate that the user input is
>> partially correct, as that leaks information to an attacker. Of course
>> you can set it up in a less secure way. But avoid it unless you have a
>> strong reason.
>>
>> In the case of openvpn, anyway there is no easy way[*] to pass back such
>> info from server to client, so auth either succeeds or fails.
>
> Well, what I can say about it:
>
> 1) We definitely need some examples on challenge/response.
>
> 2) For example, Windows LDAP can respond with "password is ok, but account
> is locked" or "password is ok, but password is expired". We definitely need
> some way for that messaging.
In such cases an option would be to authenticate the user, send them a message (echo msg support is coming..) and disconnect after a grace time. But an expiring password must be done for some reason; if so, why not just inform the user by email or whatever channel is used to contact users? Using the authentication exchange to give feedback to an unauthorized user is not a good strategy.

Selva

_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
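The static-challenge setup discussed above (client: static-challenge "Enter OTP" 1; server-side verification that returns a single pass/fail without saying which factor was wrong), as an added, runnable example that is not part of this thread and is not Selva's auth-pam plugin patch. Instead of PAM it uses an auth-user-pass-verify script in via-file mode, which OpenVPN supports with script-security 2; in that mode the "password" line the client sends is the SCRV1 encoding described in OpenVPN's doc/management-notes.txt, SCRV1:<base64 password>:<base64 response>. The user database, salt, password and TOTP secret (the RFC 6238 test-vector secret) are constructed for the demo; the script path and the helper names parse_scrv1, verify, encode_scrv1 and totp are this example's own choices, not OpenVPN API.

```python
#!/usr/bin/env python3
"""
Example OpenVPN auth-user-pass-verify helper (via-file mode) for the
static-challenge credential encoding.  Added example, not the project's
or the thread author's code.  Assumed configuration:

  client:  static-challenge "Enter OTP" 1
  server:  script-security 2
           auth-user-pass-verify /etc/openvpn/verify.py via-file   (hypothetical path)

OpenVPN then writes two lines (username, password field) to a temp file and
passes its path as argv[1].  With static-challenge on the client, the password
field is  SCRV1:<base64 password>:<base64 response>  (doc/management-notes.txt).
"""
import base64
import hashlib
import hmac
import struct
import sys
import time

PBKDF2_ITERS = 100_000

# Constructed demo user store.  A real deployment would consult PAM, LDAP, etc.
# The TOTP secret is the RFC 6238 test-vector secret, used here only for the demo.
USERS = {
    "alice": {
        "salt": b"constructed-salt",
        "pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse",
                                       b"constructed-salt", PBKDF2_ITERS),
        "totp_secret": b"12345678901234567890",
    }
}


def parse_scrv1(password_field: str):
    """Split SCRV1:<b64 password>:<b64 response>; return (password, response) or None."""
    parts = password_field.split(":")
    if len(parts) != 3 or parts[0] != "SCRV1":
        return None
    try:
        return (base64.b64decode(parts[1], validate=True).decode(),
                base64.b64decode(parts[2], validate=True).decode())
    except (ValueError, UnicodeDecodeError):
        return None


def totp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for a given 30-second time-step counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify(username: str, password_field: str, now: float = None) -> bool:
    """Return one pass/fail verdict; never reveal which factor failed."""
    creds = parse_scrv1(password_field)
    user = USERS.get(username)
    if creds is None or user is None:
        return False
    password, response = creds
    pw_ok = hmac.compare_digest(
        hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], PBKDF2_ITERS),
        user["pw_hash"])
    counter = int((time.time() if now is None else now) // 30)
    # Accept the current step and one step either side to tolerate clock skew.
    otp_ok = any(hmac.compare_digest(totp(user["totp_secret"], counter + d).encode(),
                                     response.encode())
                 for d in (-1, 0, 1))
    # Both factors are evaluated unconditionally so the outcome is a single bit
    # and timing does not disclose whether the password or the OTP was wrong.
    return pw_ok and otp_ok


def encode_scrv1(password: str, response: str) -> str:
    """Build the password field the client sends when static-challenge is set (for tests)."""
    return "SCRV1:%s:%s" % (base64.b64encode(password.encode()).decode(),
                            base64.b64encode(response.encode()).decode())


def main(path: str) -> None:
    # via-file: line 1 is the username, line 2 is the (SCRV1-encoded) password field.
    with open(path) as f:
        username, password_field = f.read().splitlines()[:2]
    # Exit status is all OpenVPN sees: 0 = auth succeeded, anything else = AUTH_FAILED.
    sys.exit(0 if verify(username, password_field) else 1)


if __name__ == "__main__":
    main(sys.argv[1])
```

The exit status is the only channel back to OpenVPN here, which is exactly the point made in the thread: the client learns "succeeded" or "failed" and nothing about which factor was wrong. A user whose account is locked or whose password has expired gets the same AUTH_FAILED as a wrong password, and should be told why through a separate, already-authenticated channel.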