Hi

On Wed, Apr 28, 2021 at 11:52 AM Gert Doering <g...@greenie.muc.de> wrote:
>
> Hi,
>
> On Wed, Apr 21, 2021 at 07:29:52PM +0200, Dajka Tamás wrote:
> > If interested, I can send the script over (PAM is used for user
> > auth against an MS AD, and Radius is used for SecurID, since that
> > handles challenge-response auths, so we can wait for the user's
> > answer to dynamic questions without blocking the whole auth flow).
>
> I'm certainly interested.
>
> > So, if you want to do a bit more complex stuff, then the management
> > interface will be your friend (a perl/python/php/whatever daemon
> > will be needed to connect to the mgmt interface and handle the
> > requests from the openvpn server).
> >
> > For simple tasks a static-challenge + PAM auth can be more than enough.
>
> I've come to like the auth-PAM plugin (after I fought it for a while,
> and won :-) ). It does async nowadays, and if it does what you need,
> it's easier to use than setting up "things talking to management".
>
> I haven't looked into dynamic challenges yet, but it seems I should...
> Selva: am I reading the source correctly, a plugin cannot create a dynamic
> challenge?
No it doesn't. There were two issues blocking this:

(i) PAM_CONV_AGAIN needed to restart the PAM stack at a point that is not
supported by most PAM modules of interest
(ii) a customized AUTH_FAILED message could be sent only from the management
interface (during reauth --- initial auth is fine).

For (i) probably we can avoid PAM_CONV_AGAIN and do this using deferred auth.
For (ii) not sure whether this has changed with Arne's recent patches -- also
there was a patch from viscosity folks for custom AUTH_FAILED from plugins.

Maybe it's time to look into this again.

Selva

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
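As an added illustration (not code from this thread, nor from OpenVPN or any of the posters' scripts) of the dynamic-challenge round trip Gert and Selva discuss: a daemon on the management interface answers the first authentication leg with `client-deny` carrying a `CRV1:` client-reason (which the client receives as AUTH_FAILED and renders as a challenge prompt), then accepts the client's `CRV1::<state_id>::<response>` reconnect with `client-auth-nt`. The `ChallengeBroker` class, its `check_password` / `expected_answer` callbacks and the sample credentials are assumptions; the management-socket I/O itself is left out.

```python
import base64
import hmac
import secrets

# OpenVPN's dynamic challenge, as documented for the management interface:
#   CRV1:<flags>:<state_id>:<base64(username)>:<challenge text>
# Flags: R = a response is required, E = echo the user's input while typing.
def build_dynamic_challenge(username, state_id, text, echo=False):
    flags = "R,E" if echo else "R"
    b64user = base64.b64encode(username.encode()).decode()
    return f"CRV1:{flags}:{state_id}:{b64user}:{text}"

# The client reconnects with the password field set to CRV1::<state_id>::<response>.
def parse_challenge_response(password):
    parts = password.split("::", 2)
    if len(parts) != 3 or parts[0] != "CRV1" or not parts[1]:
        return None
    return parts[1], parts[2]

class ChallengeBroker:
    """Hypothetical decision logic for a daemon on the management interface.
    handle_auth() takes the fields of one >CLIENT:CONNECT notification and
    returns the management command the daemon should write back."""
    def __init__(self, check_password, expected_answer):
        self.check_password = check_password    # first factor (PAM/AD in the thread)
        self.expected_answer = expected_answer  # second factor (SecurID in the thread)
        self.pending = {}                       # state_id -> username, single use

    def handle_auth(self, cid, kid, username, password):
        resp = parse_challenge_response(password)
        if resp is None:
            # Leg 1: check the static credential, then push the challenge through
            # client-deny's client-reason, which reaches the client as AUTH_FAILED.
            if not self.check_password(username, password):
                return f'client-deny {cid} {kid} "bad password"'
            state_id = secrets.token_hex(8)
            self.pending[state_id] = username
            crv1 = build_dynamic_challenge(username, state_id, "Enter SecurID token code")
            return f'client-deny {cid} {kid} "challenge" "{crv1}"'
        state_id, answer = resp
        # Leg 2: the state must be one we issued, for this user, and is consumed
        # here so a captured response cannot be replayed on a later connect.
        if self.pending.pop(state_id, None) != username:
            return f'client-deny {cid} {kid} "unknown challenge state"'
        if not hmac.compare_digest(answer, self.expected_answer(username)):
            return f'client-deny {cid} {kid} "wrong response"'
        return f"client-auth-nt {cid} {kid}"
```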