Password rotation

Business solution to host your own OpenVPN server with web management interface and bundled clients.
juan.jose@katapult.com
OpenVpn Newbie
Posts: 1
Joined: Thu Nov 18, 2021 7:02 pm

Password rotation

Post by juan.jose@katapult.com » Fri Nov 19, 2021 3:08 pm

Hello

I'm using Access Server version: 2.6.1, is there an option in the admin portal to set password expiration (or rotation) for all users?

Thanks
Juan

chilinux
OpenVPN Power User
Posts: 156
Joined: Thu Mar 28, 2013 8:31 am

Re: Password rotation

Post by chilinux » Fri Nov 19, 2021 11:33 pm

I strongly recommend upgrading to 2.8.8 or 2.9.6. Version 2.6.1 was released in December 2018.

The release notes on what has changed since then (including security updates) are available here:
https://openvpn.net/vpn-server-resources/release-notes/

As far as I know, the "Local" authentication method does not support password expiration.

The other external authentication methods such as LDAP inherit the rules of the LDAP server. If an LDAP password has expired then it won't work for authentication until the user rotates it.

If you are looking to harden the authentication process, I would recommend enabling the "Google Authenticator" support. Despite the name, it doesn't actually require using the Google Authenticator app but rather supports all TOTP / RFC6238 compliant apps.

The TOTP app that I prefer is called andOTP and the GitHub project is available here:
https://github.com/andOTP/andOTP

They also provide a link to get it on the Google Play Store.

Once you have set up TOTP, the One Time Password app will provide a different 6-digit code every 30 seconds. Hence it will rotate much more frequently than the standard password (which the user will also still be requested to provide).
