Hi,

On Wed, Dec 30, 2020 at 01:52:39PM +0300, Bogdan Rudas via Openvpn-users wrote:
> Is there any way to connect an MFA solution with push tokens - i.e. the OpenVPN
> server must wait while the end user is unlocking their phone and pushing some
> button in the MFA application?
> A while ago I found that the older OpenVPN version was very sensitive to
> authentication scripts' runtime and network activity was blocked while
> scripts were working (or hanging).
> Is asynchronous authentication possible with a PAM module or custom
> scripts?

OpenVPN has been able to do async (deferred) authentication via plugin
(or management interface) for a long time - *but* we never shipped a
PAM plugin that utilized this.

OpenVPN 2.5.0 includes a plugin-auth-pam that can operate asynchronously
(deferred) if told via "setenv" variable.

If you want to use a script for authentication, you need to run this
from a helper plugin, see here:

https://github.com/fac/auth-script-openvpn

(This plugin will also work with 2.4.x openvpn versions, but you'll need
to compile it yourself - generally speaking, you want 2.5.0 or even
"git master" on the server, though)

OpenVPN 2.5.0 also supports asynchronous client-connect plugins and
scripts now. For more details on how to use this, see here:

https://community.openvpn.net/openvpn/ticket/1330

gert

--
"If was one thing all people took for granted, was conviction that if you
feed honest figures into a computer, honest figures come out. Never doubted
it myself till I met a computer with a sense of humor."
Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany g...@greenie.muc.de
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
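As an added illustration of the deferred script approach described in the reply above (not code from the original message or from the auth-script-openvpn project): a fail-closed script body that waits for a push approval and reports the verdict through OpenVPN's auth control file. It assumes the helper plugin runs the script in the background with `username` and `auth_control_file` in its environment; `mfa_push_approved`, `MFA_STATE_DIR` and `MFA_TIMEOUT` are hypothetical names, and the marker-file check is a constructed stand-in for a real MFA provider call.

```shell
#!/bin/sh
# Added example. The verdict is written to $auth_control_file:
# "1" accepts the client, "0" rejects it. Password checking is not shown.

# HYPOTHETICAL hook: replace with your MFA provider's status query.
# Constructed stand-in: approved when a marker file exists for the user.
mfa_push_approved() {
    [ -f "${MFA_STATE_DIR:-/nonexistent}/$1.approved" ]
}

# wait_for_push USER SECONDS: poll once per second, return 0 if approved.
# Keep SECONDS below the server's --hand-window (60 s by default), or the
# TLS handshake times out before the verdict is read.
wait_for_push() {
    user=$1; limit=$2; waited=0
    while [ "$waited" -lt "$limit" ]; do
        if mfa_push_approved "$user"; then return 0; fi
        sleep 1
        waited=$((waited + 1))
    done
    return 1
}

# deferred_auth: default to reject, accept only on explicit approval.
deferred_auth() {
    verdict=0
    case "$username" in
        # Empty names or names with unexpected characters are rejected
        # before they reach any file path or provider call.
        ''|*[!A-Za-z0-9._@-]*) ;;
        *) wait_for_push "$username" "${MFA_TIMEOUT:-30}" && verdict=1 ;;
    esac
    printf '%s' "$verdict" > "$auth_control_file"
    [ "$verdict" -eq 1 ]
}

# Run only when OpenVPN (via the helper plugin) provided a control file.
if [ -n "${auth_control_file:-}" ]; then
    deferred_auth
    exit $?
fi
```

Because the verdict starts at 0 and is written on every path, a timeout or an unreachable MFA backend results in a rejected login rather than a hung or accepted one.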