On 11/09/13 07:08, Eric Crist wrote:
> This can be accomplished with some intelligent client connect 
> scripts and some session tracking. I'd suggest a database that 
> keeps connection statistics and uses some logic that figures same 
> IP + close connection time equals no OTP required. You can, 
> essentially generate a server side token based on various 
> connection data.
> 
> Good luck. :)

I've gone some of this mile already with eurephia [1].  I haven't yet
implemented an OTP authentication module (but it should be possible
using the latest code from the git master).

How it works is that each session gets an authentication session ID
based on the client information (IP addresses, port numbers, username,
some certificate info and such - too lazy to check the code now).  If
this auth session ID isn't found in a password auth cache, it will go
through the normal procedure of password authentication.  But if an
auth session ID is found in the password auth cache, it passes as
already authenticated.

So I believe (without having tested it), this could work with OTP.

[1] <http://www.eurephia.net/>


--
kind regards,

David Sommerseth



> On Sep 10, 2013, at 9:04 PM, Michael Ludvig <mlud...@logix.net.nz> 
> wrote:
> 
>> On 11/09/13 13:17, Jason Haar wrote:
>>> On 11/09/13 12:34, Michael Ludvig wrote:
>>>> We used to do cert-based authentication which was good 
>>>> because on connection drop it re-authenticated without any 
>>>> user interaction and often users didn't even notice. Now
>>>> that we moved to OTP users rightfully complain about the
>>>> lower comfort. Is there
>>> I think you're asking a bit too much :-)
>>> 
>>> Either your mandate is to implement an "extremely" high 
>>> security solution (in which case tokens are the only option 
>>> IMHO), or your mandate is to implement a "very strong"
>>> security solution  - in which case client certs by themselves
>>> absolutely do the trick (certs on tokens I place into the
>>> "extreme" category of course)
>> 
>> I'd be happy with "very strong" + OTP ;) Unfortunately we have
>> to use OTP to be in compliance with some other sites we connect
>> to, that's why we had to move from our trusted and loved
>> cert-based auth :(
>> 
>>> So if you *have* to use tokens, then user-annoyance is
>>> probably a side-effect that cannot be avoided.
>> 
>> Great. Can I use this as auto-reply to our users' complaints? ;)
>> 
>>> If you're willing to hack, you might have been able to do 
>>> something where client certs are used to establish the tunnel, 
>>> but firewall acls on the gateway quarantine the client until 
>>> they go to a web page and authenticate using the OTK.
>> Thanks for the suggestion. We already call a client-connect 
>> script to do some firewall work based on LDAP group membership,
>> I just have to think how to get the OTP from the user in that 
>> script...
>> 
>> 
>> But seriously - is the "cookies" idea that bad?
>>
>> 1) Initial connect - client supplies username + password + OTP, once the 
>> channel is set up it securely receives a "cookie", it gets 
>> renewed every 10 minutes while the tunnel is up.
>> 
>> 2) Connection drops and client reconnects (without restarting) - 
>> instead of username + pass + OTP it offers the cookie, server 
>> checks the validity, optionally the source IP, gets the username 
>> from its cache and re-establishes the tunnel without requesting 
>> the credentials again.
>> 
>> Is that doable and how hard would it be to implement it?
>> 
>> Michael
>> 
>> 
>> 
>> 
>> 


_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
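The "cookie" scheme Michael sketches (full username + password + OTP on first connect, a server-issued cookie renewed every 10 minutes, cookie plus optional source-IP check on reconnect) combined with Eric's point about binding the token to connection data, written out as an added example that is not code from the thread or from eurephia. It is a plain Python cache that an OpenVPN auth-user-pass-verify script could consult; the clock injection, the 32-byte key and the IP addresses are constructed for the example.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 600  # seconds: the 10-minute renewal window from the thread


class ReauthCache:
    """Remembers a completed username+password+OTP login so that a quick
    reconnect from the same client can skip the OTP prompt."""

    def __init__(self, server_key, ttl=TOKEN_TTL, now=time.time):
        self.key = server_key      # secret kept only on the VPN server
        self.ttl = ttl
        self.now = now             # injectable clock, for testing
        self.sessions = {}         # keyed-hash(cookie) -> (user, ip, expiry)

    def _session_id(self, cookie):
        # Store a keyed hash, not the cookie itself: a leaked cache must not
        # hand out usable cookies, and the key makes the lookup unguessable.
        return hmac.new(self.key, cookie.encode(), hashlib.sha256).hexdigest()

    def issue(self, username, client_ip):
        """Called once the full OTP login succeeded; returns the cookie that is
        pushed to the client over the already-established tunnel."""
        cookie = secrets.token_urlsafe(32)
        self.sessions[self._session_id(cookie)] = (
            username, client_ip, self.now() + self.ttl)
        return cookie

    def reconnect(self, cookie, client_ip):
        """On reconnect the client presents the cookie instead of credentials.
        Returns the cached username if the cookie is known, unexpired and
        bound to the same source IP; otherwise None, which means the server
        must fall back to the normal username + password + OTP prompt."""
        sid = self._session_id(cookie)
        entry = self.sessions.get(sid)
        if entry is None:
            return None
        username, bound_ip, expiry = entry
        if self.now() > expiry or client_ip != bound_ip:
            # Stale cookie or client moved networks: evict and force re-auth.
            self.sessions.pop(sid, None)
            return None
        # Tunnel is up again: slide the expiry forward (the 10-minute renewal).
        self.sessions[sid] = (username, bound_ip, self.now() + self.ttl)
        return username
```

Because the server only ever stores an HMAC of the cookie, an attacker who reads the cache still needs the server key to forge a lookup; the IP binding and short TTL bound what a stolen cookie is worth.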
