Remember user credentials but not smartcard pin


wp43f

Posts: 2
Joined: Thu Aug 25, 2022 11:22 pm

Post by wp43f » Thu Aug 25, 2022 11:55 pm
Hi there,

I am using the Viscosity client with smartcard authentication as well as username and password authentication. However, I would like users to not have to type in their user credentials every time while I do not want them to be able to save their smartcard pin.

Is there a way to prevent users from saving their smartcard pin but allow them to save their user credentials?

James

Posts: 2312
Joined: Thu Sep 04, 2008 9:27 pm

Post by James » Fri Aug 26, 2022 11:40 am
Hi wp43f,

It sounds like your setup is requiring the smart card PIN as part of the password (rather than making use of OpenVPN's separate challenge support prompt). If that's the case, what you're after is the "static-challenge-password" command. It allows you to save your username and the password part of your password, while separately prompting you for the OTP part. Please see:
https://www.sparklabs.com/support/kb/ar ... e-password

Cheers,
James
Web: https://www.sparklabs.com
Support: https://www.sparklabs.com/support
Twitter: https://twitter.com/sparklabs

wp43f

Posts: 2
Joined: Thu Aug 25, 2022 11:22 pm

Post by wp43f » Fri Aug 26, 2022 8:12 pm
Hi James,

thank you for your answer. If I understand it correctly, this does not quite solve my problem as I do not send the PIN to the server to authenticate but make use of it locally.

I probably explained it poorly the first time. My setup is as follows:
Against the server I authenticate using a username and password as well as a certificate. The certificate is stored locally on my smartcard using the PKCS#11 standard. When I connect to the VPN server I have to submit the correct smartcard PIN to the Viscosity client, and a local middleware is responsible for granting access to the certificate stored on the smartcard.

I followed this tutorial to get Viscosity to use the smartcard: https://www.sparklabs.com/support/kb/ar ... s-pkcs-11/.
To configure Viscosity I used a configuration file. I put it down below.

I found the "SetPref PasswordStorageSupport false" option. But this prevents users from saving their smartcard PIN as well as their username and password.

In short, I would like a similar solution to this, one that prevents users from saving their smartcard PIN but still allows them to save their username and password in Viscosity.

Thank you for your time.

Best wishes
Attachment: configFile.txt (437 Bytes)

James

Posts: 2312
Joined: Thu Sep 04, 2008 9:27 pm

Post by James » Tue Aug 30, 2022 10:26 pm
Hi wp43f,

Thanks for the additional detailed information. Sadly it isn't possible to break down the storage setting for local passwords to that degree. As you've found, the PasswordStorageSupport applies to all passwords, not just the username and password.

A few suggestions you can try:

1. Some PKCS#11 providers support their own GUI for unlocking the token using a password. For example (at least in the past) SafeNet's driver had two PKCS#11 DLLs, one for standard support (where the need for a password would be relayed through the PKCS#11 API to Viscosity), and a GUI one that would be responsible for requesting the password. I'm unsure if recent versions still support this approach, but if your PKCS#11 driver does, then you could leave Viscosity's password support enabled and let the driver directly prompt the user (which is unlikely to support saving the password).

2. Viscosity also has a hidden "RememberUsername" option that allows just the username to be saved when PasswordStorageSupport is disabled. While users will still need to enter their password, it might be an acceptable half-way measure.

3. As it sounds like users have a unique certificate/key pair on a PKCS#11 token, you could potentially use the certificate to identify and log in a user instead of also requiring their username and password. To do this you can have the server side authentication script look at the "common name" of the connecting client, rather than a username.

Cheers,
James
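Suggestion 3 in practice, as an added example that is not part of this thread and not Viscosity or Sparklabs code: an OpenVPN server-side auth-user-pass-verify script in POSIX sh that authorizes on the TLS certificate's common name and ignores whatever username and password the client submitted. OpenVPN exports common_name (taken from the client certificate already validated in the TLS handshake), username and password to the script when it is configured with via-env, which also requires script-security 3. The allowlist file path, its one-CN-per-line format and the sample names are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the thread or from Viscosity. Assumed server config:
#   script-security 3
#   auth-user-pass-verify /etc/openvpn/cn-auth.sh via-env
# With via-env OpenVPN exports common_name, username and password as environment
# variables. Only common_name decides here; the submitted credentials are ignored,
# so the client can save a placeholder password and nothing sensitive is stored.

# Allowlist of permitted certificate CNs, one per line (assumed path/format).
ALLOWLIST="${CN_ALLOWLIST:-/etc/openvpn/allowed-cns.txt}"

# cn_allowed CN FILE: return 0 if CN is exactly one line of FILE, else 1.
# -x matches the whole line, -F treats the CN literally (a certificate subject
# must never be interpreted as a regular expression).
cn_allowed() {
    cn="$1"
    list="$2"
    [ -n "$cn" ] || return 1
    [ -r "$list" ] || return 1
    grep -qxF -- "$cn" "$list"
}

# demo_cn_auth: self-contained check against a constructed allowlist.
# Returns 0 when the expected accept/reject decisions all hold.
demo_cn_auth() {
    tmp=$(mktemp) || return 1
    printf 'alice.example\nbob.example\n' > "$tmp"   # constructed sample data
    rc=0
    cn_allowed "alice.example"   "$tmp" || rc=1      # listed: accept
    cn_allowed "mallory.example" "$tmp" && rc=1      # not listed: reject
    cn_allowed "alice"           "$tmp" && rc=1      # prefix only: reject
    cn_allowed "a.*"             "$tmp" && rc=1      # regex must not match
    cn_allowed ""                "$tmp" && rc=1      # empty CN: reject
    rm -f "$tmp"
    return $rc
}

# Entry point when invoked by OpenVPN (common_name is set by via-env).
if [ -n "${common_name:-}" ]; then
    if cn_allowed "$common_name" "$ALLOWLIST"; then
        exit 0
    fi
    exit 1
fi
```

The exit status is all OpenVPN looks at: 0 admits the client, anything else rejects it. Because the script only runs when the client still sends auth-user-pass, the username and password the user saves in Viscosity can be anything; the PKCS#11 PIN never leaves the client and is never part of the decision.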