Feature Request: config-tuneable auth-user-pass dialogue
Suggestions/comments/criticisms are welcome here
When a client has an 'auth-user-pass' directive, it pops up a modal for the username/password and it says, very generic:
"OpenVPN requires a username and password to continue."
Because we're using multifactor authentication at $WORK, there's a certain formula we want users to adhere to in entering their credentials. Once you know to do it, you just do it... but our infrequent VPN users need reminders.
I would love to be able to tell them what to do, but it's baked into Viscosity. What if the vpn config that I publish to them edited the prompt with a reminder? I could then do something like:
#viscosity auth-user-pass-prompt-text "Username = [email protected]\nPassword = 6 digit code from Google Authenticator\n"
Thanks for considering.
Hi ratness,
Our suggestion would be to move to a static challenge-response setup if possible. This way you can have the username/password window only ask for a username/password, and even save these credentials if you wish, and then a secondary window request your Google-auth with any message that you please.
We have an example here using Yubikey OTP - https://sparklabs.com/support/kb/article/yubikey-otp-two-factor-authentication-with-openvpn-and-viscosity/#setting-up-viscosity
We will add your feedback to our request list however.
Regards,
Eric
Eric Thorpe
Viscosity Developer
Web: http://www.sparklabs.com
Support: http://www.sparklabs.com/support
Twitter: http://twitter.com/sparklabs
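The static challenge-response setup suggested in the reply above, seen from the server side, as an added example that is not part of the original thread and not SparkLabs' code. With a client directive such as `static-challenge "Enter your 6-digit code" 1` (prompt text constructed here), OpenVPN sends the password field as `SCRV1:<base64 password>:<base64 response>`. The function names and the sample value are assumptions made for illustration.

```python
import base64
import binascii
from typing import NamedTuple, Optional

# Constructed sample: password "hunter2", challenge response "123456".
SAMPLE = "SCRV1:aHVudGVyMg==:MTIzNDU2"


class Credentials(NamedTuple):
    password: str
    otp: Optional[str]  # None when the client sent no challenge response


def parse_openvpn_password(raw: str) -> Credentials:
    """Split the password string OpenVPN hands to a server-side auth hook.

    With static-challenge in the client config the field arrives as
    "SCRV1:<base64 password>:<base64 response>"; without it, the field is
    the password exactly as typed. (Hypothetical helper, not an OpenVPN API.)
    """
    if not raw.startswith("SCRV1:"):
        return Credentials(raw, None)
    parts = raw.split(":")  # ":" is not in the base64 alphabet, so this is safe
    if len(parts) != 3:
        raise ValueError("malformed SCRV1 value")
    try:
        password = base64.b64decode(parts[1], validate=True).decode("utf-8")
        otp = base64.b64decode(parts[2], validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        # Reject rather than fall back to treating the raw string as a password.
        raise ValueError("malformed SCRV1 value") from exc
    return Credentials(password, otp)


def looks_like_totp(otp: Optional[str]) -> bool:
    """Shape check only (6 ASCII digits); verifying the code is the MFA backend's job."""
    return otp is not None and len(otp) == 6 and otp.isascii() and otp.isdigit()


if __name__ == "__main__":
    creds = parse_openvpn_password(SAMPLE)
    print(creds.otp, looks_like_totp(creds.otp))
```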
Unfortunately, our use case is a little harder than just simple TOTP. We have a mixture of nonhumans (with just passwords), classic TOTP users through Yubikeys and Google Authenticator, Duo push users (save 'push' with your password and never enter anything at connect time), and people who regularly flit between TOTP codes and Duo pushes. Enough use paths that I don't think the static challenge-response solution would work.
I know the wise choice would be not to overload the password field, but it's been the only reasonable path we've found that covers all our users.
And, even if static-CR did fit our use case, I'd still mention this, because I think guiding people who may have multiple userid forms ("user = [email protected], not just yourname") is useful.