[FreeNX-kNX] One-time password authentication question

Nick Owen nowen at wikidsystems.com
Wed Mar 8 14:45:04 UTC 2006


Fabian Franz wrote:
> On Tuesday, 17 January 2006 20:07, Nick Owen wrote:
>> Greetings list:
>>
>> I was interested in FreeNX due to its support for PAM, which makes
>> integration with our open source one-time password system (WiKID) pretty
>> easy.
>>
>> I set up FreeNX on a server that already had PAM set up for WiKID auth
>> via radius.  The setting was for "sufficient" so ssh worked with both
>> passwords and the OTP.  FreeNX worked only with the passwords though.
>> The first password request works, but it appears that FreeNX makes
>> additional credential validation requests to the auth server, which of
>> course fail.  Is there a way to cache the credentials or use a proxy of
>> some kind? This is how we got Squirrelmail working - with imapproxy.
> 
> You could change it to use ssh -M with a custom config to set up a master 
> connection first, which you kill once the session is running after a timeout.
> 
> Another idea I have for a redesign is to keep a channel open to the nxnode, 
> but I dunno how this can ever work with being redirected to another server / 
> load-balancing.
> 
> As you seem to work in the authentication field, any ideas on that?

Fabian:

Interesting suggestions.  I'm not familiar with the -M option.  Have to
google it up ;).  I got FreeNX working with one-time passcodes thanks to
a script from Felix Shumacher.  Here's his post:

http://lists.kde.org/?l=freenx-knx&m=113766147904995&w=2

and here is a how-to on our open source site:

http://www.wikidsystems.net/howtos/2_factor_vnc

This script would be a great addition to the code, IMHO.

thanks,

nick

-- 
Nick Owen
WiKID Systems, Inc.
404.962.8983
http://www.wikidsystems.com
Commercial/Open Source Two-Factor Authentication
https://www.linkedin.com/in/nickowen


