
Re: [Openvpn-users] OpenVPN, One Time Password, Disconnect every hour.

  • Subject: Re: [Openvpn-users] OpenVPN, One Time Password, Disconnect every hour.
  • From: Jason Haar <Jason.Haar@xxxxxxxxxxxxx>
  • Date: Fri, 15 Dec 2006 10:31:47 +1300

Tony wrote:
> I (sometimes, depends on my current mood) find it a bit inconvenient too.
> But sometimes I use this [mis]feature as a time reminder.
> Now seriously: I believe this must be controllable|configurable. In my  
> case I deliberately switched off all the caching in the Aladdin's token  
> manager software. I believe if I turn this caching on I will not see these  
> hourly PIN|passphrase requests. I'm yet to try this, though.
Certainly my experience with SecurID cards with other network products
(e.g. Cisco VPN client) is that the OTK check only occurs *once* - then
you are authenticated for the length of your session - whether it be 10
minutes or 10 weeks.

There is a downside of course. If the user is logged in, and then you
FIRE THEM and disable their SecurID card - their VPN session keeps
working - as they don't have to reverify themselves. Of course, that
sort of corner-case is easily dealt with via a manual session
disconnect/restart the server.


Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
