This repository has been archived by the owner on Sep 7, 2024. It is now read-only.

Support OpenVPN Challenge/Response protocol #4

Open
oxr463 opened this issue Oct 8, 2021 · 0 comments
Labels
enhancement New feature or request help wanted Extra attention is needed

oxr463 commented Oct 8, 2021

pam_aad introduces a function that sends a mail with the device code to the user, because not all apps support interactive authentication.

But OpenVPN supports interactive authentication, if a plugin would handle the dynamic challenges.

You could read some basics about static challenges (designed for OTPs) in the manual (look for static-challenge here).

In the management interface documentation, the dynamic challenges are described here, too. (Look for Challenge/Response Protocol).

The Challenge Request could be something like:

PIN: 46433 - Enter the code at https://aka.ms/devicelogin. Type "OK" to continue.

If the user responds with an "OK", the plugin could assume that the user does the authentication at MS and look if the verification was successful.

Problem: It looks like this feature isn't documented well since it's designed for enterprise OpenVPN only (OpenVPN Access Server).

Dynamic Challenges can be sent to the client by the AUTH_FAILED command including a formatted error message like CRV1:R,E:PG_09HT0rZcjdFd6GnA:bG9uZG9u:Enter Authenticator Code

The management interface documentation documents the format of the error message well.

I don't know if it's possible that a plugin can set the client_reason field that handles the AUTH_FAILED error message.

Related links:

Source: CyberNinjas/openvpn-auth-aad#9
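
Added example, not part of the issue or of the project's code: a Python sketch of the CRV1 string quoted in the comment above and of the `CRV1::<state_id>::<response_text>` password the client sends back, following the Challenge/Response section of OpenVPN's management-interface notes. All function names are hypothetical; the proposed device-code prompt contains colons (`PIN:`, `https://`), so the parser splits at most four times.

```python
import base64
import hmac

PREFIX = "CRV1"

def build_challenge(state_id, username, text, echo=True, response=True):
    """Build the reason string carried by AUTH_FAILED for a dynamic challenge."""
    if ":" in state_id:
        raise ValueError("state_id must not contain ':'")
    flags = ",".join(f for f, on in (("R", response), ("E", echo)) if on)
    user_b64 = base64.b64encode(username.encode()).decode()
    return f"{PREFIX}:{flags}:{state_id}:{user_b64}:{text}"

def parse_challenge(reason):
    """Split a CRV1 reason into fields; only the trailing text may contain ':'."""
    parts = reason.split(":", 4)
    if len(parts) != 5 or parts[0] != PREFIX:
        raise ValueError("not a CRV1 dynamic challenge")
    _, flags, state_id, user_b64, text = parts
    return {
        "flags": set(filter(None, flags.split(","))),
        "state_id": state_id,
        "username": base64.b64decode(user_b64, validate=True).decode(),
        "text": text,
    }

def parse_response(password):
    """Parse the client's password field: CRV1::<state_id>::<response_text>."""
    head, sep1, rest = password.partition("::")
    state_id, sep2, answer = rest.partition("::")
    if head != PREFIX or not sep1 or not sep2 or not state_id:
        raise ValueError("not a CRV1 response")
    return state_id, answer

def verify_response(issued_state_id, password):
    """Accept the answer only if it is bound to the challenge that was issued."""
    state_id, answer = parse_response(password)
    if not hmac.compare_digest(state_id.encode(), issued_state_id.encode()):
        raise ValueError("response does not belong to the pending challenge")
    return answer

# Constructed sample: the device-code prompt proposed in the issue.
DEVICE_PROMPT = ('PIN: 46433 - Enter the code at https://aka.ms/devicelogin. '
                 'Type "OK" to continue.')
```

A server-side handler would still have to confirm the device-code login with the identity provider after receiving "OK"; the response string by itself proves nothing about that.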
