Hi,
On Mon, May 9, 2016 at 1:26 PM, dev <devua...@gmail.com> wrote:
> We use one-time passcodes as well as client/server certs for
> authentication. I think what is happening is the re-key process is not
> able to re-use the OTP so it fails and the user has to re-connect every
> hour.
>
One way to handle this is by checking OTP only for the initial auth. For
this to work you have to use management-client-auth at the server side --
that's what I do. Then authentication requests triggered by new clients
(CONNECT) and renegotiation (REAUTH) can be distinguished. Also the client
should remember passwords (i.e. no --auth-nocache).
> I don't see a way around dropping the connection with my specific setup
> so increasing the reneg-sec setting seems like the next logical choice.
> The question I have is how much of a concern is session hijacking when
> increasing this parameter? I would guess this depends largely on cipher
> chosen and key-size, but I don't know for sure. Perhaps someone with a
> better knowledge than I can shed some light on this.
In my view, ignoring OTP during reauth looks like a better compromise than
a long reneg-sec. But I've no precise idea of the security implications of
disabled or prolonged reneg.
Selva
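The approach described above (check the one-time code on CONNECT only, authorize REAUTH for a session that already passed the initial check) as an added example; this is neither Selva's script nor OpenVPN project code. It assumes the event format the management interface emits under --management-client-auth (`>CLIENT:CONNECT,{CID},{KID}`, `>CLIENT:REAUTH,{CID},{KID}`, followed by `>CLIENT:ENV,name=value` lines and `>CLIENT:ENV,END`) and the `client-auth-nt` / `client-deny` replies; the user table, the choice of TOTP (RFC 6238) as the OTP scheme, and the event lines fed in the demo are constructed for illustration. A real deployment would read and write these lines over the socket given by --management instead of a list.

```python
import hashlib
import hmac
import struct

# Constructed user table: username -> TOTP secret (RFC 6238, SHA-1, 30 s step).
USERS = {"alice": b"12345678901234567890"}


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """Compute the RFC 6238 TOTP code for Unix time `at`."""
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def otp_valid(username: str, code: str, at: int) -> bool:
    """Accept the current step and one step either side to tolerate clock skew."""
    secret = USERS.get(username)
    if secret is None or not code.isascii():
        return False
    return any(hmac.compare_digest(totp(secret, at + d), code) for d in (-30, 0, 30))


class ClientAuthHandler:
    """Turns management-interface events into client-auth-nt / client-deny replies."""

    def __init__(self, now: int):
        self.now = now            # Unix time used for OTP checks (settable for tests)
        self.sessions = {}        # CID -> (username, common_name) after initial auth
        self._pending = None      # (event, cid, kid, env) while ENV lines arrive

    def feed(self, line: str):
        """Feed one line read from the management socket; return a reply or None."""
        if line.startswith((">CLIENT:CONNECT,", ">CLIENT:REAUTH,")):
            event, rest = line[len(">CLIENT:"):].split(",", 1)
            cid, kid = rest.split(",", 1)
            self._pending = (event, cid, kid, {})
            return None
        if line.startswith(">CLIENT:DISCONNECT,"):
            self.sessions.pop(line.split(",")[1], None)
            return None
        if line.startswith(">CLIENT:ENV,") and self._pending is not None:
            payload = line[len(">CLIENT:ENV,"):]
            if payload == "END":
                event, cid, kid, env = self._pending
                self._pending = None
                return self._decide(event, cid, kid, env)
            name, _, value = payload.partition("=")
            self._pending[3][name] = value
        return None

    def _decide(self, event, cid, kid, env):
        user = env.get("username", "")
        cn = env.get("common_name", "")
        if event == "CONNECT":
            if otp_valid(user, env.get("password", ""), self.now):
                self.sessions[cid] = (user, cn)
                return f"client-auth-nt {cid} {kid}"
            return f'client-deny {cid} {kid} "invalid one-time code"'
        # REAUTH: the client resends its cached (by now stale) code, so the code is
        # not rechecked; only a CID that passed CONNECT with the same user and CN passes.
        if self.sessions.get(cid) == (user, cn):
            return f"client-auth-nt {cid} {kid}"
        return f'client-deny {cid} {kid} "reauth for unknown or changed session"'


def event_block(event: str, cid: str, kid: str, **env) -> list:
    """Build a constructed event block in the management-interface format."""
    lines = [f">CLIENT:{event},{cid},{kid}"]
    lines += [f">CLIENT:ENV,{k}={v}" for k, v in env.items()]
    return lines + [">CLIENT:ENV,END"]


def demo() -> list:
    """CONNECT with a valid code at t=59, REAUTH an hour later with the same stale code."""
    h = ClientAuthHandler(now=59)
    replies = []
    for line in event_block("CONNECT", "1", "1", username="alice", password="287082",
                            common_name="alice-laptop"):
        replies.append(h.feed(line))
    h.now = 59 + 3600
    for line in event_block("REAUTH", "1", "2", username="alice", password="287082",
                            common_name="alice-laptop"):
        replies.append(h.feed(line))
    for line in event_block("CONNECT", "2", "1", username="alice", password="287082",
                            common_name="alice-laptop"):
        replies.append(h.feed(line))
    return [r for r in replies if r]


if __name__ == "__main__":
    for reply in demo():
        print(reply)
```

The key design point is that REAUTH is keyed on the CID the server assigned at CONNECT, not on anything the client sends: the stale code is simply not consulted, but the username and certificate common name must match what was recorded, so a renegotiation cannot be used to switch identity. Handling `>CLIENT:DISCONNECT` keeps the session table from growing and prevents a reused CID from inheriting an old authorization.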
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users