Page 1 of 1
OTP box in login prompt
Posted: Wed Aug 28, 2013 5:52 am
We use Viscosity extensively with our OpenVPN setup that uses the password and OTP concatenated together for the password. Many of our users find in confusing to do this. Would it be a reasonable feature request to have an option to have a separate password and OTP box that could then be concatenated together before being sent to the server? This would also allow users to save their password and still be prompted for their OTP (not saying this would be a good idea from a security perspective but still). This seems to be a pretty common setup from what I have seen online...
Re: OTP box in login prompt
Posted: Thu Aug 29, 2013 7:55 am
Viscosity actually already has support for a separate two-factor challenge prompt. This can be used via OpenVPN 2.3's challenge/response support. We strongly recommended this is used over using the username/password dialog box for two-factor prompts.
We've actually been working on putting together a series of setup guides and examples for different scenarios, including for two-factor support, however unfortunately they are not ready yet. However here is a recent support response of ours on a similar topic which should help you get setup. This user was using Duo Security for their two-factor support, however you should be able to modify our example for whatever your system uses (for example we use a similar setup with YubiKeys).
Using the username and password prompt to implement two-factor authentication has always been a workaround for OpenVPN 2.2 and earlier versions as they include no proper two-factor challenge support. While Duo Security's current OpenVPN integration package still takes this approach, as Viscosity supports OpenVPN 2.3's new two-factor challenge support I'd strongly recommend switching over to that. It's much nicer for end users, fairly straightforward to implement, and should avoid the connect/reconnect approach you are currently taking.
Duo Security's OpenVPN-AS implementation actually already supports OpenVPN 2.3's dynamic challenge option, which Viscosity has full support for. However for your own OpenVPN server you'll need to use OpenVPN's static challenge support. The latest beta versions of Viscosity support static challenge support, which we expect to roll out as stable releases next week. These can be downloaded from:
Windows: http://www.sparklabs.com/forum/viewtopi ... 1593#p1593
As for implementing it server-side, I've written an example OpenVPN auth script (attached to this email) which uses Duo's Auth API framework. I've given it a test with our Ubuntu and pfSense test servers and it appears to work well, however it is by no means authoritative. However please be aware that this script is expecting username and password authentication to be taking place as well: if you are only using certificate based auth you may want to remove the relevant code from the script and pass the certificate common name variable instead, or get some advice from Duo Security for implementation details.
To use it, first upload it to your server somewhere and mark the script as executable. Change your OpenVPN server config to remove the "plugin" and "auth-user-pass-verify" lines that point to Duo Security's OpenVPN tools, and then add a line that points to the new script, for example:
auth-user-pass-verify /path/to/duo_openvpn_auth.py via-env
You'll then need to edit the duo_openvpn_auth.py script on the server and fill in the path to your normal username/password authentication script (for PAM, LDAP, Radius, etc. authentication), and your Duo Auth API details.
On Viscosity's end you'll need to edit your connection, click on the Advanced tab, and add the following line (you can change the message to whatever you wish):
static-challenge "Please enter your Duo Security code:" 0
If everything works, you should be prompted for your username and password as normal (which is safe to save into the Keychain if you wish), and then you'll be prompted for your two-factor code as per the attached screenshot. Codes like "push" and "phone" can also be used. If you're not using username/password auth (i.e. you removed checking from the script) you'll still need to leave it turned on client side as OpenVPN requires it, even if the server ignores the actual details.
If you get stuck on the server side setup I'd recommend getting in touch with Duo Security and let them know what you are trying to do. They'll probably be able to come up with a nicer setup than what I've come up with, or perhaps even enhance their OpenVPN integration package to support static-authentication as well. I believe Duo Security are Viscosity users themselves, so they may even have some better suggestions.