-
Notifications
You must be signed in to change notification settings - Fork 4
/
duo_openvpn.conf.sample
70 lines (63 loc) · 2.55 KB
/
duo_openvpn.conf.sample
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
# Config file for duo_openvpn.py
# Duo settings
[duo-credentials]
# You can add any fields from
# https://github.com/duosecurity/duo_client_python/blob/master/duo_client/client.py
# Client.__init__.
#
# Minimally this should be the IKEY/SKEY/HOST data relating to
# your Duo connectivity. Anything beyond those is Caveat Emptor.
; IKEY =
; SKEY =
; HOST =
[duo-behavior]
# If FAIL_OPEN is set to True, then authentication will succeed when
# communication with DuoAPI fails.
fail_open = False
#
# Number of seconds before giving up on someone responding to a Duo task
# 300 is the default. 0 is acceptable as 'no timeout'.
# This exists to keep "Duo is down" from stacking up forked processes
# and causing the VPN to become unusable.
duo-timeout = 300
[duo-openvpn]
syslog-events-send = False
syslog-events-facility = local5
[testing]
# The 'testing' section contains information for the integration tests.
# A production instance can/should empty this.
#
# This should be a valid user in your testing (someone who has a
# Duo account and is enabled to log in.
; normal_user = someone@company.com
#
# To test a user that is allowed to bypass Duo with just a password, include
# that user and password here:
; one_fa_user = some_bot
; one_fa_pass = 12345
#
# This flag tells whether we wish testing to be exhaustive or not.
# We have unit tests that do library checks for the above user,
# for each function we define. If you're doing a release, you may
# care to do that. But in the general case, testing every permutation
# of the code is time-consuming overkill.
#
# deep_testing_rawauth tests the _auth code in duo_auth. This is
# a layer on top of duo_client. The key here is to test the different
# code paths that may come out of the library. This is likely the
# most interesting path (since it interfaces with an upstream library)
# but is unlikely to change until that library changes.
deep_testing_rawauth = True
#
# deep_testing_mfa tests the _do_mfa_for_user code in duo_auth, This
# is a layer on top of _auth in that same file, which essentially turns
# answers from _auth into True/False. Since that function is pretty
# simple, this iteration of testing is likely overkill.
deep_testing_mfa = True
#
# deep_testing_mainauth tests the main_auth code in duo_auth. This
# code combines _preauth (which we test because it can be done without
# interactivity) with _do_mfa_for_user, which is explained above.
# Overall, this is important mostly because it is the place where we
# publicly interface, but it is also trivially visually auditable.
deep_testing_mainauth = True