OpenVPN TOTP prompt
Posted: Fri Oct 20, 2017 1:02 pm
by moxom
Hi everybody,
I'm trying to configure the company OpenVPN installation to support TOTP tokens in addition to our current LDAP authentication. I've gotten both authentication methods to work separately, but OpenVPN doesn't automatically prompt for the TOTP key if I have enabled both plugins (using openvpn-auth-ldap & openvpn-otp).
Can anyone point me in the right direction regarding implementing the second authentication prompt? I've searched a bit myself and figured out that I possibly need a post-auth script, but I'm not sure how I would execute this script in the OpenVPN configuration?
Hope someone can help me out
Thanks in advance!
Re: OpenVPN TOTP prompt
Posted: Mon Jun 19, 2023 4:48 pm
by neandertaler
Hi, I have exactly the same issue.
Code:
openvpn --version
OpenVPN 2.5.6 x86_64-suse-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Mar 16 2022
library versions: OpenSSL 1.1.1l 24 Aug 2021 SUSE release 150400.7.37.1, LZO 2.10
Originally developed by James Yonan
Copyright (C) 2002-2022 OpenVPN Inc <sales@openvpn.net>
Compile time defines: enable_async_push=no enable_comp_stub=no enable_crypto_ofb_cfb=yes enable_debug=yes enable_def_auth=yes enable_dependency_tracking=no enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=needless enable_fragment=yes enable_iproute2=yes enable_libtool_lock=yes enable_lz4=yes enable_lzo=yes enable_management=yes enable_multihome=yes enable_pam_dlopen=no enable_pedantic=no enable_pf=yes enable_pkcs11=yes enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no enable_shared=yes enable_shared_with_static_runtimes=no enable_small=no enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=yes enable_werror=no enable_win32_dll=yes enable_x509_alt_username=yes with_aix_soname=aix with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_sysroot=no
PAM config:
Code:
cat /etc/pam.d/openvpn
#%PAM-1.0
auth requisite pam_oath.so usersfile=/etc/oath/users_ssh.oath window=30 digits=6
auth requisite pam_nologin.so
auth include common-auth
account requisite pam_nologin.so
account include common-account
password include common-password
session required pam_loginuid.so
session include common-session
session optional pam_lastlog.so silent noupdate showfailed
openvpn server conf (only relevant):
Code:
username-as-common-name
#plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so "openvpn"
plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so "openvpn login USERNAME password PASSWORD pin OTP"
client conf (relevant part):
Code:
auth-user-pass
#static-challenge "PIN" 1
The client version is exactly the same as the server version (it shouldn't be a version mismatch issue). I tried to run server and client with nobody enabled/disabled, nothing helped. If I enable the static-challenge option on the client side, the prompt is displayed, but the input isn't handled (it isn't passed on to PAM). However, the user/password login is working fine, which is also handled by PAM.
The PAM configuration for openvpn is correct, as the same works well with SSH.
Re: OpenVPN TOTP prompt
Posted: Sat Aug 31, 2024 11:55 am
by meres
Hello, did you manage to get it to work?
I've been struggling a lot and have the same behavior: PAM/LDAP works fine, but when adding oath I get authentication failures.
Re: OpenVPN TOTP prompt
Posted: Sat Aug 31, 2024 2:33 pm
by meres
After many hours I figured it out, in my case I had to change "pin" to "One-time".
pam-oath queries for "query='One-time password (OATH) for `USERxxx': ' style=1", so "pin" did not match the query of the module.
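The post above explains the failure: the auth-pam plugin picks its answer for each PAM query by matching the names in the plugin argument string against the query text, so a name that never occurs in pam_oath's prompt ("pin") never gets answered. The script below is an added example written for this thread; it is not the plugin's own code and not from the OpenVPN project. It models the matching rule as I understand it from the plugin's documented behaviour (each name is a case-sensitive substring of the prompt, or a prefix when it starts with `^`, and the first matching pair in argument order supplies the answer; `USERNAME`, `PASSWORD` and `OTP` are replaced by the client's credentials, with `OTP` taken from the static-challenge response that the client sends as `SCRV1:<base64 password>:<base64 response>`). The `^` anchor and the first-match order are assumptions to verify on your build. The PAM prompts for the login/password modules and the credentials are constructed sample data; only the OATH prompt is taken from the query quoted above. Run it to see which prompts each of the three argument strings would answer, and with what.

```python
"""Model of how OpenVPN's auth-pam plugin answers PAM prompts.

Added example for this thread; NOT the plugin's own code.  Assumed rules
(modelled from the plugin's documented behaviour; verify on your build):
  * the plugin argument is "<service> name value name value ...";
  * each name is a case-sensitive substring match against the PAM prompt,
    or a prefix match when the name starts with '^';
  * the first matching pair in argument order supplies the answer, and
    USERNAME / PASSWORD / OTP are replaced by the client's credentials;
  * with --static-challenge the client sends the password field as
    "SCRV1:<base64 password>:<base64 response>", and OTP is the response.
All prompts except the OATH one, and all credentials, are constructed.
"""
import base64
import shlex

# Plugin argument strings: the thread's config, the "One-time" fix, and an
# anchored variant that avoids overlapping matches (see check_config below).
ARGS_PIN = 'openvpn login USERNAME password PASSWORD pin OTP'
ARGS_ONE_TIME = 'openvpn login USERNAME password PASSWORD One-time OTP'
ARGS_ANCHORED = 'openvpn ^One-time OTP ^login USERNAME ^password PASSWORD'

# PAM prompts: the first is the query pam_oath issues, as quoted in the
# thread; the other two are constructed stand-ins for the LDAP/common-auth
# modules (check the real prompt text of your stack before relying on them).
PAM_PROMPTS = [
    "One-time password (OATH) for `alice': ",
    "login: ",
    "password: ",
]


def b64(s):
    return base64.b64encode(s.encode()).decode()


# Constructed client credential as sent with --static-challenge enabled
SAMPLE_PASSWORD_FIELD = 'SCRV1:' + b64('s3cret') + ':' + b64('123456')


def parse_plugin_args(argstr):
    """Split '<service> name value ...' into (service, [(name, value), ...])."""
    parts = shlex.split(argstr)
    service, rest = parts[0], parts[1:]
    if len(rest) % 2:
        raise ValueError('name/value list must have an even number of items')
    return service, list(zip(rest[0::2], rest[1::2]))


def name_matches(prompt, name):
    """'^name' must match the start of the prompt; otherwise any substring."""
    if name.startswith('^'):
        return prompt.startswith(name[1:])
    return name in prompt


def split_scrv1(password_field):
    """Return (password, otp); a plain password gives (password, None)."""
    if not password_field.startswith('SCRV1:'):
        return password_field, None
    _, pw_b64, otp_b64 = password_field.split(':', 2)
    return base64.b64decode(pw_b64).decode(), base64.b64decode(otp_b64).decode()


def matching_names(argstr, prompts):
    """For each prompt, the names that match it, in argument order."""
    _, pairs = parse_plugin_args(argstr)
    return {p: [n for n, _ in pairs if name_matches(p, n)] for p in prompts}


def answer_prompts(argstr, username, password_field, prompts):
    """What the plugin would send back for each prompt (None = no match)."""
    _, pairs = parse_plugin_args(argstr)
    password, otp = split_scrv1(password_field)
    creds = {'USERNAME': username, 'PASSWORD': password, 'OTP': otp}
    answers = {}
    for prompt in prompts:
        answers[prompt] = None
        for name, value in pairs:
            if name_matches(prompt, name):
                answers[prompt] = creds.get(value, value)  # literal value otherwise
                break
    return answers


def check_config(argstr, prompts):
    """Troubleshooting report: prompts no name answers, names that never
    match, and prompts matched by several names (then pair order decides)."""
    _, pairs = parse_plugin_args(argstr)
    matches = matching_names(argstr, prompts)
    used = {n for names in matches.values() for n in names}
    return {
        'unanswered': [p for p, names in matches.items() if not names],
        'unused_names': [n for n, _ in pairs if n not in used],
        'ambiguous': {p: names for p, names in matches.items() if len(names) > 1},
    }


if __name__ == '__main__':
    for label, args in (('pin', ARGS_PIN), ('One-time', ARGS_ONE_TIME),
                        ('anchored', ARGS_ANCHORED)):
        print(label, check_config(args, PAM_PROMPTS))
        print('   ', answer_prompts(args, 'alice', SAMPLE_PASSWORD_FIELD, PAM_PROMPTS))
```

Two things the report makes visible that are easy to miss when reading the config by eye: with the thread's argument string, "pin" matches nothing, and the OATH prompt itself contains the word "password", so under a plain substring match the pair `password PASSWORD` is the one that answers pam_oath and the LDAP password is what the OATH module receives. Replacing "pin" with "One-time" makes the OATH prompt match two names, so which pair answers depends on their order; putting the OTP pair first, or anchoring the names with `^` as in the third string, removes the overlap. Whatever you settle on, confirm the pairing against the plugin's own debug output at a high `--verb` on your version rather than against this model.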