On 27.08.20 at 01:34, Eric Thorpe wrote:
> Hi Arne,
>
> The first we are trying to migrate across is U2F -
> https://www.sparklabs.com/support/kb/article/yubikey-u2f-two-factor-authentication-with-openvpn-and-viscosity/

Okay, makes more sense now, and I see that U2F needs larger messages.
But especially U2F is important/common enough to properly document how
this should be done in detail. The last thing we want is to end up with
two different U2F implementations in OpenVPN, one from your side and one
from us (OpenVPN Inc), that are incompatible with each other. So we
probably want an IV_SSO=u2f, so the client can signal U2F support, and
then documentation of what messages are sent back and forth, and then I
see no problem in merging your patches.

> Even though the patches in the above article work for the vast majority,
> they are a bit of a hack and we want to get away from them as they're
> still prone to failing on connections with low MTU or fragmentation
> issues as previously mentioned.
>
> All our 2FA supported methods that we want to migrate across to
> AUTH_PENDING instead of AUTH_FAILED are available here as well if you'd
> like some further examples of what this would be used for -
> https://github.com/thesparklabs/openvpn-two-factor-extensions
>
> Anything using this new method would also end up in the above repo.

If you are interested in the SAML/webauth/other web-based authentication
protocols, here is a document that I am preparing to document that
properly (should also be soon on the official openvpn3 repo):

https://github.com/schwabe/openvpn3/blob/schwabe/web_auth_spec/doc/webauth.md

Arne
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel