Password rotation
Posted: Fri Nov 19, 2021 3:08 pm
by juan.jose@katapult.com
Hello
I'm using Access Server version 2.6.1. Is there an option in the admin portal to set password expiration (or rotation) for all users?
Thanks
Juan
Re: Password rotation
Posted: Fri Nov 19, 2021 11:33 pm
by chilinux
I strongly recommend upgrading to 2.8.8 or 2.9.6. Version 2.6.1 was released in December 2018.
The release notes on what has changed since then (including security updates) are available here:
https://openvpn.net/vpn-server-resources/release-notes/
As far as I know, the "Local" authentication method does not support password expiration.
The other external authentication methods such as LDAP inherit the rules of the LDAP server. If an LDAP password has expired then it won't work for authentication until the user rotates it.
If you are looking to harden the authentication process, I would recommend enabling the "Google Authenticator" support. Despite the name, it doesn't actually require using the Google Authenticator app but rather supports all TOTP / RFC 6238 compliant apps.
The TOTP app that I prefer is called andOTP and the github project is available here:
https://github.com/andOTP/andOTP
They also provide a link to get it on the Google Play Store.
Once you have set up TOTP, the One Time Password app will provide a different 6-digit code every 30 seconds. Hence it will rotate much more frequently than the standard password (which the user will also still be requested to provide).