On Wed, 15 Dec 2004, Farid Sarwari wrote:

> If one time passwords are used in the authentication is there a way to
> tell openvpn to renegotiate the SSL but not AUTH to prevent
> disconnection after every renegotiation?

No, that would create a security hole if TLS renegotiations could occur
without the username/password, when --auth-user-pass-verify is specified.

> Or is the only way to use One Time Passwords to set --reneg-sec to
> something really high?

That would work. You could also add --auth-nocache to prevent
username/password caching. Then OpenVPN would reprompt for u/p when the
next TLS negotiation occurs.

> I use three factor authentication to connect: username, password, Key
> (from FOB device). Key is appended to the username. Would it be
> possible to tell openvpn to prompt once again for a Key?
>
> C:\> openvpn home.ovpn
> Enter Auth Username: jsmith
> Enter Auth Password: *******
> Enter Auth Key: 234-2343

There aren't any plans right now to add more fields beside
username/password. If extra info is needed, you can always postfix to
username or password as you've done.

James
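Added example, not part of the original message and not OpenVPN code: a sketch of the logic an --auth-user-pass-verify script (via-file method) could use when the one-time key is postfixed to the username, showing why a cached username/password replayed at the next TLS renegotiation is rejected. The "+" delimiter, the user record, the in-memory counter and the use of RFC 4226 HOTP in place of the fob's real algorithm are all assumptions.

```python
import hashlib, hmac, struct

# Constructed demo data: delimiter, user record and secrets are assumptions.
DELIM = "+"                      # hypothetical separator between username and key
SALT = b"constructed-salt"

def pw_hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)

USERS = {  # username -> (fob secret, password hash); secret is the RFC 4226 test secret
    "jsmith": (b"12345678901234567890", pw_hash("constructed-pw")),
}

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP, standing in for whatever the real fob computes."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class Verifier:
    """Holds per-user counters in memory; a real script must persist them."""
    def __init__(self, window: int = 3):
        self.counters = {user: 0 for user in USERS}
        self.window = window

    def check(self, user_field: str, password: str) -> bool:
        # Split "jsmith+755224" into the account name and the one-time key.
        user, sep, key = user_field.rpartition(DELIM)
        if not sep or user not in USERS:
            return False
        secret, stored = USERS[user]
        if not hmac.compare_digest(pw_hash(password), stored):
            return False
        start = self.counters[user]
        for counter in range(start, start + self.window):
            if hmac.compare_digest(hotp(secret, counter).encode(), key.encode()):
                self.counters[user] = counter + 1   # burn the code: replay fails
                return True
        return False

def verify_file(verifier: Verifier, path: str) -> bool:
    """via-file method: line 1 of the temp file is the username, line 2 the password."""
    with open(path, encoding="utf-8") as handle:
        lines = handle.read().splitlines()
    return len(lines) >= 2 and verifier.check(lines[0], lines[1])
```

A wrapper would call verify_file() on the file name OpenVPN passes as the script argument and exit 0 on success or 1 on failure. Because each key is burned on first use, a client that replays cached credentials at renegotiation is dropped, which is why the reply suggests --auth-nocache or a large --reneg-sec.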
