Add a global option to always prompt for OTP #702
Conversation
Add a checkbox to the general settings menu to always prompt for OTP when prompting for password even if no static-challenge request is received from the management interface. The response is appeneded to the password using the concatenation format and submitted to the management interface. Signed-off-by: Selva Nair <selva.nair@gmail.com>
Signed-off-by: Selva Nair <selva.nair@gmail.com>
selvanair
force-pushed
the
concat-global
branch
from
528966e to
6783ca2
Compare
|
Anyone thinks this is useful? After hearing that tunnelblick has had such a feature for years I'm more sympathetic to users request for this. |
|
Hello, sorry to reopen this, but this approach only works when the OTP is added at the end of the password. At work, all our VPN connections that use OTP require it to be added at the beginning of the password. I modified this by replacing the checkbox with radio buttons to allow a choice between "Append OTP," "Prepend OTP" (for my use case), and a third option, "Disable." Would you consider merging this? By the way, I'm not sure if it's feasible, but it would be great if such an option could be configured on a per-VPN basis. |
This is why I was extremely reluctant in adding this option. Over the years I have seen reports of a number of ad-hoc implementations that send OTP appended to password, and we finally added support for it although I consider it a hack. I'm hearing about "prepending" for the first time, but I'm not surprised. Soon there will be some who use a ":" to separate the two and so on. The correct approach is to do server side implementation correctly by following the static challenge protocol. If that is not an option, lobby for a new protocol in OpenVPN core and we will support it in the GUI. Right now the core supports the original static-challenge protocol and concatenation option. So does the GUI. |
|
Ahah, I'm no VPN expert, I thought both would be standard practice. I'd rather have both options than none 🤣 |
|
Someone has to maintain all the different code paths for "options", and test them. Much better is to adhere to a standard, and not invent new standards and require changes to pre-existing software to make that work. |
Neither are standard practice but unnecessary hacks invented by server administrators. Anyway, this menu item to prompt for OTP and concatenate is an interim solution until OpenVPN 2.7 is out. Once 2.7 is released, the correct way to use the concatenation option is to add So, please follow the protocol as documented in management-notes.txt in OpenVPN 2 code base. |
This is more like a quick solution for user requests such as #663.
This is built on top of #701, by adding a global option to always prompt for OTP and submit it concatenated with password. Submitting as a separate PR as I'm not fully convinced of the need for this.
The newly extended static-challenge config option (GUI support is in PR #701) that can optionally specify concatenation format should be preferred over this. Always prompting for OTP could confuse users when none are required. But the former will be available only in OpenVPN 2.7 while this is immediately usable.