> I haven't looked at the patches, but a quick question. I haven't come across
> any 2FA mechanisms that cannot be handled (in principle) by the current static and
> dynamic CR in OpenVPN. Except that some dynamic CR (e.g., U2F) will require
> the possibility to transmit larger messages than currently possible -- especially
> the 256 byte limitation in responses from the management as those are
> parsed by the config-parser. And possibly the TLS channel buffer size may need
> to be increased.
>
> Once those limits are extended, do we need anything more?
>
> You mention google-authenticator OTP but that can be perfectly handled as a
> static challenge as many do right now.
>
> The current dynamic response implementation is a bad hack -- fail the auth
> with the challenge embedded in the reason text and then send the response as a
> "password" during the next round. So is this about making a cleaner
> implementation? Or am I missing something more subtle?
Two things basically that play together, making it cleaner and allowing web-based authentication to actually not be a horrible hack.

Web-based SSO would work as follows:

- Client connects
- Server gets the client auth request.
- Instead of sending success/failed right away, it will send a challenge: OPENURL:example.com/logintomyvpn
- Client will continue to wait in this not-yet-authenticated state
- User will log in to the web page, the backend of the web notifies the VPN server about the result
- VPN will send client auth success/failed depending on the result
- Client is connected.

Arne

_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
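The OPENURL exchange Arne sketches above, modelled end to end as an added example. This is not code from the thread or from OpenVPN; it is a toy in-process simulation of the three parties (VPN server, VPN client, web backend). Everything beyond the message flow in the mail is an assumption made here for illustration: the per-session token appended to the URL (so the web backend's notification can be matched to exactly one parked client session and cannot be replayed), the 120-second expiry of a pending session, the client polling for its result, and the `https://example.com/logintomyvpn` URL, `VpnServer`, `parse_openurl` and `run_flow` names.

```python
import secrets
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Tuple
from urllib.parse import parse_qs, urlsplit


class AuthState(Enum):
    PENDING = "pending"    # client parked, waiting for the web login
    SUCCESS = "success"
    FAILED = "failed"
    EXPIRED = "expired"    # web backend never answered within the TTL


@dataclass
class PendingAuth:
    username: str
    created: float          # server clock at challenge time (seconds)
    state: AuthState = AuthState.PENDING


class VpnServer:
    """Server side of the flow: answer the auth request with an OPENURL
    challenge instead of success/failed, park the session, and resolve it
    only when the web backend reports a result for that session's token."""

    def __init__(self, login_url: str = "https://example.com/logintomyvpn",
                 ttl: float = 120.0):
        self.login_url = login_url
        self.ttl = ttl                      # assumption: pending sessions expire
        self._pending: Dict[str, PendingAuth] = {}

    def client_auth_request(self, username: str, now: float) -> str:
        # Assumption: a random, single-use token ties the browser login to
        # this parked VPN session; the mail only shows the bare URL.
        token = secrets.token_urlsafe(32)
        self._pending[token] = PendingAuth(username, now)
        return f"OPENURL:{self.login_url}?token={token}"

    def web_backend_notify(self, token: str, success: bool, now: float) -> bool:
        """Called by the web backend after the user logs in. Returns False
        for unknown, already-resolved or expired tokens so a late or replayed
        notification cannot flip a session's state."""
        pa = self._pending.get(token)
        if pa is None or pa.state is not AuthState.PENDING:
            return False
        if now - pa.created > self.ttl:
            pa.state = AuthState.EXPIRED
            return False
        pa.state = AuthState.SUCCESS if success else AuthState.FAILED
        return True

    def client_poll(self, token: str, now: float) -> AuthState:
        """What the parked client sees while waiting (assumption: polling)."""
        pa = self._pending.get(token)
        if pa is None:
            return AuthState.FAILED
        if pa.state is AuthState.PENDING and now - pa.created > self.ttl:
            pa.state = AuthState.EXPIRED
        return pa.state


def parse_openurl(challenge: str) -> Tuple[str, str]:
    """Client side: split the challenge into the URL to hand to the browser
    and the token the client will later poll with."""
    if not challenge.startswith("OPENURL:"):
        raise ValueError("not an OPENURL challenge")
    url = challenge[len("OPENURL:"):]
    token = parse_qs(urlsplit(url).query)["token"][0]
    return url, token


def run_flow(web_login_ok: bool, user_delay: float = 5.0,
             ttl: float = 120.0) -> AuthState:
    """Drive one complete exchange with a simulated clock and return the
    state the client ends up in."""
    server = VpnServer(ttl=ttl)
    t0 = 1000.0
    # 1-3: client connects, server answers the auth request with a challenge
    challenge = server.client_auth_request("alice", now=t0)
    url, token = parse_openurl(challenge)       # client would open `url` in a browser
    # 4: client waits in the not-yet-authenticated state
    assert server.client_poll(token, now=t0 + 1) is AuthState.PENDING
    # 5: user logs in at `url`; the web backend notifies the VPN server
    server.web_backend_notify(token, web_login_ok, now=t0 + user_delay)
    # 6-7: server resolves the parked session; client learns success/failed
    return server.client_poll(token, now=t0 + user_delay + 1)
```

`run_flow(True)` walks the happy path; `run_flow(True, user_delay=200)` shows the failure mode the mail does not spell out, a user who never finishes the web login, which here ends as `EXPIRED` rather than leaving the session parked forever.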