Feature Request: config-tuneable auth-user-pass dialogue

Suggestions/comments/criticisms are welcome here

ratness

Posts: 9
Joined: Fri Jul 06, 2018 4:31 am

Post by ratness » Sat Sep 28, 2019 6:40 am
When a client has an 'auth-user-pass' directive, it pops up a modal for the username/password and it says, very generically:
"OpenVPN requires a username and password to continue."

Because we're using multifactor authentication at $WORK, there's a certain formula we want users to adhere to in entering their credentials. Once you know to do it, you just do it... but our infrequent VPN users need reminders.

I would love to be able to tell them what to do, but it's baked into Viscosity. What if the vpn config that I publish to them edited the prompt with a reminder? I could then do something like:
#viscosity auth-user-pass-prompt-text "Username = [email protected]\nPassword = 6 digit code from Google Authenticator\n"
Thanks for considering.

Eric

Posts: 1146
Joined: Sun Jan 03, 2010 3:27 am

Post by Eric » Mon Sep 30, 2019 9:59 am
Hi ratness,

Our suggestion would be to move to a static challenge-response setup if possible. This way you can have the username/password window only ask for a username/password, and even save these credentials if you wish, and then a secondary window request your Google-auth with any message that you please.

We have an example here using Yubikey OTP - https://sparklabs.com/support/kb/article/yubikey-otp-two-factor-authentication-with-openvpn-and-viscosity/#setting-up-viscosity

We will add your feedback to our request list however.

Regards,
Eric
Eric Thorpe
Viscosity Developer

Web: http://www.sparklabs.com
Support: http://www.sparklabs.com/support
Twitter: http://twitter.com/sparklabs
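The static challenge-response flow Eric recommends, traced end to end as an added example (this is not Viscosity's, OpenVPN's or SparkLabs' code). It assumes the client config carries `static-challenge "Enter your Google Authenticator code" 1`, which makes OpenVPN submit the password slot as `SCRV1:<base64 password>:<base64 response>` so the server side can split password and one-time code instead of overloading the password field; the user store, salt, account names and TOTP secret are constructed, and `verify` stands in for the check an `auth-user-pass-verify` script would perform.

```python
import base64
import hashlib
import hmac
import struct

SALT = b"constructed-salt"  # constructed; real deployments use a random per-user salt
def pw_hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)

# Constructed user store: (password hash, TOTP secret); secret None = password-only account.
USERS = {
    "alice@example.com": (pw_hash("hunter2"), b"12345678901234567890"),  # RFC 4226 test secret
    "backup-bot": (pw_hash("svc-pass"), None),
}

def encode_scrv1(password: str, response: str) -> str:
    # What a static-challenge client puts in the password slot: SCRV1:<b64 pw>:<b64 reply>.
    b64 = lambda s: base64.b64encode(s.encode()).decode()
    return "SCRV1:" + b64(password) + ":" + b64(response)

def parse_scrv1(password_field: str):
    # Plain password -> (password, None); SCRV1 -> (password, response); malformed -> None.
    if not password_field.startswith("SCRV1:"):
        return password_field, None
    try:
        _, pw, resp = password_field.split(":")
        return tuple(base64.b64decode(p, validate=True).decode() for p in (pw, resp))
    except (ValueError, UnicodeDecodeError):
        return None

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    # RFC 4226: HMAC-SHA1 over the big-endian counter, then dynamic truncation.
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp_ok(secret: bytes, code: str, now: float, step: int = 30, window: int = 1) -> bool:
    # Google Authenticator is HOTP with the 30 s time step as counter; allow one step of skew.
    base = int(now // step)
    return any(hmac.compare_digest(hotp(secret, base + d), code) for d in range(-window, window + 1))

def verify(username: str, password_field: str, now: float) -> bool:
    # The decision an auth-user-pass-verify script would make for one login attempt.
    entry, parsed = USERS.get(username), parse_scrv1(password_field)
    if entry is None or parsed is None or not hmac.compare_digest(pw_hash(parsed[0]), entry[0]):
        return False
    totp_secret, response = entry[1], parsed[1]
    # Password-only accounts (service users) pass here; everyone else needs a valid code.
    return totp_secret is None or (response is not None and totp_ok(totp_secret, response, now))
```

Clients without the `static-challenge` line keep sending a plain password, so password-only service accounts and challenge-response users can share one server-side check.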

ratness

Posts: 9
Joined: Fri Jul 06, 2018 4:31 am

Post by ratness » Mon Oct 07, 2019 7:09 pm
Unfortunately, our use case is a little harder than just simple TOTP. We have a mixture of nonhumans (with just passwords), classic TOTP users through Yubikeys and Google Authenticator, Duo push users (save 'push' with your password and never enter anything at connect time), and people who regularly flit between TOTP codes and Duo pushes. Enough use paths that I don't think the static challenge-response solution would work.

I know the wise choice would be not to overload the password field, but it's been the only reasonable path we've found that covers all our users.

And, even if static-CR did fit our use case, I'd still mention this, because I think guiding people who may have multiple userid forms ("user = [email protected], not just yourname") is useful.