Support OpenVPN Challenge/Response protocol #4
Description
pam_aad introduces a function that sends a mail with the device code to the user, because not all apps support interactive authentication.
But OpenVPN supports interactive authentication, if a plugin handles the dynamic challenges.
You can read some basics about static challenges (designed for OTPs) in the manual (look for `static-challenge` here). In the management interface documentation, the dynamic challenges are described too (look for Challenge/Response Protocol). The challenge request could be something like:

`PIN: 46433 - Enter the code at https://aka.ms/devicelogin. Type "OK" to continue.`

If the user responds with an "OK", the plugin could assume that the user did the authentication at MS and check whether the verification was successful.
Problem: It looks like this feature isn't documented well since it's designed for enterprise OpenVPN only (OpenVPN Access Server).
Dynamic challenges can be sent to the client by the `AUTH_FAILED` command, including a formatted error message like `CRV1:R,E:PG_09HT0rZcjdFd6GnA:bG9uZG9u:Enter Authenticator Code`. The management interface documentation documents the format of the error message well.
I don't know if it's possible for a plugin to set the `client_reason` field that handles the `AUTH_FAILED` error message.
Related links:
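The exchange sketched in the issue, as an added example that is not code from openvpn-auth-aad, pam_aad or OpenVPN: the server emits the dynamic challenge in the `CRV1:<flags>:<state_id>:<username_base64>:<challenge_text>` layout, the client answers in the password field as `CRV1::<state_id>::<response_text>`, and the static-challenge form `SCRV1:<base64 password>:<base64 response>` is decoded alongside. The message layouts follow OpenVPN's management-notes.txt; the `DeviceCodeAuth` class, its `verify` callback (a stand-in for polling the identity provider), the state ids, the PIN value and the "SUCCESS" result string are assumptions made for the illustration.

```python
"""OpenVPN challenge/response wire formats (CRV1 dynamic, SCRV1 static) and a
minimal server-side exchange for a device-code login.

Added example; not code from openvpn-auth-aad, pam_aad or OpenVPN. The message
layouts follow OpenVPN's management-notes.txt; DeviceCodeAuth, the verify()
callback, the state ids, the PIN and the "SUCCESS" string are constructed here.
"""
import base64
import secrets
from dataclasses import dataclass, field


@dataclass
class Crv1Challenge:
    flags: set            # "R": response required, "E": echo the typed response
    state_id: str         # opaque token the client must return unchanged
    username: str
    text: str             # prompt shown to the user


def build_crv1(username: str, text: str, state_id: str,
               response_required: bool = True, echo: bool = True) -> str:
    """Reason string the server puts after AUTH_FAILED, to trigger a dynamic challenge."""
    flags = ",".join(f for f, on in (("R", response_required), ("E", echo)) if on)
    user_b64 = base64.b64encode(username.encode()).decode()
    return f"CRV1:{flags}:{state_id}:{user_b64}:{text}"


def parse_crv1(reason: str) -> Crv1Challenge:
    """Client side: decode the challenge. The prompt may contain ':' (URLs), so split at most 4 times."""
    prefix, flags, state_id, user_b64, text = reason.split(":", 4)
    if prefix != "CRV1":
        raise ValueError("not a CRV1 challenge")
    return Crv1Challenge(set(f for f in flags.split(",") if f), state_id,
                         base64.b64decode(user_b64).decode(), text)


def build_crv1_response(state_id: str, response_text: str) -> str:
    """Client side: the password field carries CRV1::<state_id>::<response_text>."""
    return f"CRV1::{state_id}::{response_text}"


def parse_crv1_response(password: str):
    """Server side: (state_id, response) if the password is a challenge reply, else None."""
    if not password.startswith("CRV1::"):
        return None
    _, state_id, response = password.split("::", 2)   # response may itself contain '::'
    return state_id, response


def parse_scrv1(password: str):
    """Static challenge (--static-challenge): SCRV1:<b64 password>:<b64 response>."""
    prefix, pw_b64, resp_b64 = password.split(":", 2)
    if prefix != "SCRV1":
        raise ValueError("not an SCRV1 password")
    return base64.b64decode(pw_b64).decode(), base64.b64decode(resp_b64).decode()


@dataclass
class DeviceCodeAuth:
    """Hypothetical server-side state machine: the first request issues the
    challenge, the reply with the same state_id finishes it.
    verify(device_code) -> bool stands in for asking the identity provider (stub)."""
    verify: callable
    pending: dict = field(default_factory=dict)   # state_id -> (username, device_code)

    def issue_challenge(self, username: str, device_code: str, state_id: str = None) -> str:
        state_id = state_id or secrets.token_urlsafe(18)   # unguessable, no ':' inside
        self.pending[state_id] = (username, device_code)
        prompt = (f'PIN: {device_code} - Enter the code at https://aka.ms/devicelogin. '
                  'Type "OK" to continue.')
        return "AUTH_FAILED," + build_crv1(username, prompt, state_id)

    def handle_auth(self, username: str, password: str, device_code: str = "46433") -> str:
        reply = parse_crv1_response(password)
        if reply is None:
            # Plain password: the demo accepts the first factor as given and
            # issues the device-code challenge (real code verifies the password first).
            return self.issue_challenge(username, device_code)
        state_id, response = reply
        entry = self.pending.pop(state_id, None)   # one-shot: a state id cannot be replayed
        if entry is None or entry[0] != username:
            return "AUTH_FAILED,unknown or mismatched challenge state"
        if response.strip().upper() != "OK":
            return "AUTH_FAILED,challenge aborted by user"
        return "SUCCESS" if self.verify(entry[1]) else "AUTH_FAILED,device code not verified"
```

The state id is consumed on first use, so a captured `CRV1::<state_id>::OK` password cannot be replayed, and the reply is only accepted for the username the challenge was issued to; "OK" from the user is never trusted on its own, the stand-in `verify()` still has to confirm the device code with the identity provider.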
Source: CyberNinjas/openvpn-auth-aad#9