Hi,
As far as I understand (and I have not found time to actually *test* this
new stuff for my own setups), you need to remove "auth-nocache".

The token sent from the server effectively "un-caches" the username and
password set by the user anyway, replacing it with the token.

I'm not totally sure what happens when the token expires and the
next renegotiation is due - will the client prompt, or just give up
and disconnect. Definitely worth a test.

gert

Correct, this should NOT happen.
Yes, this is a bug I detected very late in the RC releases. I tried to
fix it, but first attempts exploded in my face. And haven't had time to
dig into this further.

When --auth-gen-token is enabled, the server pushes --auth-token with
some random credential it saves for this particular session. When the
client receives --auth-token push-reply, it replaces the current
password value in the user/password storage with the token value. On
next re-authentication, the client will then send username + token value
(instead of password with expired OTP). The server then matches this
token ("password") against the locally stored token in the session object.

What happens is that when --auth-nocache is used, it basically tells the
"retrieve user credentials function" to ignore whatever is stored in the
password field (where the token now resides) in the user/password
storage. And since it realises it doesn't have a password, it asks for
it again.

This is very basically what happens. And the fix is in theory very
simple (disable --auth-nocache if server have pushed --auth-token) - but
those places I tried to disable --auth-nocache didn't work or it made
things even worse in some cases (where --auth-token was not pushed).

So I have it on my TODO list ... now that people actually do test the
--auth-gen-token feature, I'm definitely going to look into it a bit sooner.

Anyhow ... quick-fix/workaround: Don't use --auth-nocache


--
kind regards,

David Sommerseth