Hello
I'm using Access Server version 2.6.1. Is there an option in the admin portal to set password expiration (or rotation) for all users?
Thanks
Juan
Password rotation
Re: Password rotation
I strongly recommend upgrading to 2.8.8 or 2.9.6. Version 2.6.1 was released in December 2018.
The release notes on what has changed since then (including security updates) are available here:
https://openvpn.net/vpn-server-resources/release-notes/
As far as I know, the "Local" authentication method does not support password expiration.
The other external authentication methods such as LDAP inherit the rules of the LDAP server. If an LDAP password has expired then it won't work for authentication until the user rotates it.
If you are looking to harden the authentication process, I would recommend enabling the "Google Authenticator" support. Despite the name, it doesn't actually require using the Google Authenticator app but rather supports all TOTP / RFC 6238 compliant apps.
The TOTP app that I prefer is called andOTP and the GitHub project is available here:
https://github.com/andOTP/andOTP
They also provide a link to get it on the Google Play Store.
Once you have set up TOTP, the One Time Password app will provide a different 6-digit code every 30 seconds. Hence it will rotate much more frequently than the standard password (which the user will also still be requested to provide).
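To illustrate the 30-second rotation described in the reply above, here is an added example (not part of the original thread and not OpenVPN Access Server's code) of RFC 6238 code generation and server-side verification. The function names, the one-step drift window, and the sample secret (the published RFC 6238 test key) are assumptions of this sketch.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30    # seconds each code is valid for, as described in the post
DIGITS = 6   # code length, as described in the post


def decode_secret(b32: str) -> bytes:
    """Authenticator apps exchange the shared secret as base32 text."""
    cleaned = b32.replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(key: bytes, unix_time: int, digits: int = DIGITS) -> str:
    """RFC 6238: HOTP where the counter is the number of elapsed 30 s steps."""
    return hotp(key, unix_time // STEP, digits)


def verify(key: bytes, submitted: str, unix_time: int, window: int = 1) -> bool:
    """Accept the current step plus/minus `window` steps to tolerate clock drift."""
    current = unix_time // STEP
    ok = False
    for counter in range(max(0, current - window), current + window + 1):
        # Constant-time comparison, and no early exit from the loop.
        expected = hotp(key, counter).encode()
        ok |= hmac.compare_digest(expected, submitted.encode())
    return ok


# Constructed sample: the ASCII test key from RFC 6238 Appendix B, base32-encoded.
SAMPLE_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    key = decode_secret(SAMPLE_SECRET)
    for t in (59, 60, 89, 90):  # the code changes at each 30 s boundary
        print(t, totp(key, t))
```

A production verifier would also record the last accepted step per user so that a code cannot be replayed inside its validity window.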