Hi

On Thu, Jun 13, 2019 at 10:42 AM Arne Schwabe <a...@rfc2549.org> wrote:
>
> These patches mainly implement forwarding passing/forwarding extra
> messages between management interface on server and client side.
>
> These new extra messages can be used to implement a two step
> authentication like TOTP (Google Authenticator) or web based
> out of band (like SAML).
>
> Since this requires a tight integration on both client and
> server side, it is currently only supported with the management
> interface.
>
> Arne Schwabe (5):
>   Implement parsing and sending INFO and INFO_PRE control messages
>   Implement forwarding client CR_RESPONSE messages to management
>   Implement support for signalling IV_SSO to server
>   Implement sending response to challenge via CR_RESPONSE
>   Implement sending SSO challenge to clients

I haven't looked at the patches, but a quick question. I haven't come across any
2FA mechanisms that cannot be handled (in principle) by the current static and
dynamic CR in OpenVPN. Except that some dynamic CR (e.g., U2F) will require
the possibility to transmit larger messages than currently possible -- especially
the 256 byte limitation in responses from the management as those are
parsed by the config-parser. And possibly the TLS channel buffer size may need
to be increased.

Once those limits are extended, do we need anything more?

You mention google-authenticator OTP but that can perfectly be handled as a static
challenge as many do right now.

The current dynamic response implementation is a bad hack -- fail the auth
with challenge embedded in the reason text and then send the response as a
"password" during the next round. So is this about making a cleaner
implementation? Or am I missing something more subtle?

Selva
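The static and dynamic challenge/response round trips that Selva compares above, as an added example that is not part of this thread or of Arne's patches. It follows the SCRV1/CRV1 field layouts described in OpenVPN's management-notes.txt (static: password and OTP packed into one password field; dynamic: AUTH_FAILED reason text carrying the challenge, then the response sent as the "password" on the next round). Function names, the sample values, and the use of 256 bytes as the management response ceiling (the figure from Selva's message) are assumptions made for this illustration.

```python
import base64

# Wire formats below follow the challenge/response description in
# OpenVPN's management-notes.txt (SCRV1 / CRV1).  The round trip modelled
# is the "fail the auth with the challenge in the reason text, then send
# the response as the password" flow discussed in the email.  Function
# names, sample values and the size ceiling are constructed for this example.

MGMT_RESPONSE_LIMIT = 256  # assumption: the management response limit cited in the email


def b64(s: str) -> str:
    return base64.b64encode(s.encode()).decode()


def unb64(s: str) -> str:
    return base64.b64decode(s.encode()).decode()


# ---- static challenge: password and OTP travel together in one round ----

def build_static_response(password: str, otp: str) -> str:
    """Client side: pack password and OTP into the single 'password' field."""
    return f"SCRV1:{b64(password)}:{b64(otp)}"


def parse_static_response(field: str) -> tuple:
    """Server side: split an SCRV1 password field into (password, otp)."""
    tag, pw_b64, otp_b64 = field.split(":", 2)  # base64 never contains ':'
    if tag != "SCRV1":
        raise ValueError("not a static challenge response")
    return unb64(pw_b64), unb64(otp_b64)


# ---- dynamic challenge: two rounds, state carried in an opaque state_id ----

def build_dynamic_challenge(state_id: str, username: str, challenge_text: str,
                            *, echo: bool = False, response_required: bool = True) -> str:
    """Server side (round 1): the text placed after 'AUTH_FAILED,' that fails the auth
    and carries the challenge.  state_id must not contain ':'."""
    flags = ",".join(f for f, on in (("E", echo), ("R", response_required)) if on)
    return f"CRV1:{flags}:{state_id}:{b64(username)}:{challenge_text}"


def parse_dynamic_challenge(reason: str) -> dict:
    """Client side: pull the challenge out of an AUTH_FAILED reason string.
    The challenge text is the last field and may itself contain ':'."""
    if reason.startswith("AUTH_FAILED,"):
        reason = reason[len("AUTH_FAILED,"):]
    tag, flags, state_id, user_b64, text = reason.split(":", 4)
    if tag != "CRV1":
        raise ValueError("not a dynamic challenge")
    flag_set = set(flags.split(","))
    return {
        "echo": "E" in flag_set,
        "response_required": "R" in flag_set,
        "state_id": state_id,
        "username": unb64(user_b64),
        "challenge": text,
    }


def build_dynamic_response(state_id: str, response: str) -> str:
    """Client side (round 2): the 'password' sent on the reconnect; the username
    is resent unchanged."""
    return f"CRV1::{state_id}::{response}"


def parse_dynamic_response(field: str) -> tuple:
    """Server side: recover (state_id, response) from the round-2 password field."""
    parts = field.split(":", 4)
    if len(parts) != 5 or parts[0] != "CRV1":
        raise ValueError("not a dynamic challenge response")
    return parts[2], parts[4]


def fits_management_line(field: str) -> bool:
    """The size concern behind the email: a U2F-sized response will not fit."""
    return len(field.encode()) <= MGMT_RESPONSE_LIMIT


def demo() -> dict:
    # Constructed sample round trip: TOTP PIN prompt, 6-digit answer.
    challenge = build_dynamic_challenge("a1b2c3", "alice", "Enter token PIN:")
    parsed = parse_dynamic_challenge("AUTH_FAILED," + challenge)
    pw = build_dynamic_response(parsed["state_id"], "123456")
    state, resp = parse_dynamic_response(pw)
    return {"username": parsed["username"], "state": state,
            "response": resp, "fits": fits_management_line(pw)}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` walks both rounds of the dynamic flow; `fits_management_line` on a 400-byte response returns False, which is the limit Selva says would have to be raised before a U2F-style response could be carried this way.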


_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel