Hi everybody,
I'm trying to configure the company OpenVPN installation to support TOTP tokens in addition to our current LDAP authentication. I've gotten both authentication methods to work separately, but OpenVPN doesn't automatically prompt for the TOTP key if I have enabled both plugins (using openvpn-auth-ldap & openvpn-otp).
Can anyone point me in the right direction regarding implementing the second authentication prompt? I've searched a bit myself and figured out that I possibly need a post-auth script, but I'm not sure how I would execute this script in the OpenVPN configuration?
Hope someone can help me out.
Thanks in advance!
OpenVPN TOTP prompt
- OpenVpn Newbie
- Joined: Mon Jun 19, 2023 4:36 pm
Re: OpenVPN TOTP prompt
Hi, I have exactly the same issue.

The client version is exactly the same as the server version (it shouldn't be a version mismatch issue). I tried to run server and client as nobody enabled/disabled; nothing helped. If I enable the static-challenge option on the client side, the prompt is displayed, but the input isn't handled (it isn't passed toward PAM). However, the user/password login is working fine, which is also handled by PAM.

The PAM configuration for openvpn is correct, as the same works well with SSH.

Code:
openvpn --version
OpenVPN 2.5.6 x86_64-suse-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Mar 16 2022
library versions: OpenSSL 1.1.1l 24 Aug 2021 SUSE release 150400.7.37.1, LZO 2.10
Originally developed by James Yonan
Copyright (C) 2002-2022 OpenVPN Inc <sales@openvpn.net>
Compile time defines: enable_async_push=no enable_comp_stub=no enable_crypto_ofb_cfb=yes enable_debug=yes enable_def_auth=yes enable_dependency_tracking=no enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=needless enable_fragment=yes enable_iproute2=yes enable_libtool_lock=yes enable_lz4=yes enable_lzo=yes enable_management=yes enable_multihome=yes enable_pam_dlopen=no enable_pedantic=no enable_pf=yes enable_pkcs11=yes enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no enable_shared=yes enable_shared_with_static_runtimes=no enable_small=no enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=yes enable_werror=no enable_win32_dll=yes enable_x509_alt_username=yes with_aix_soname=aix with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_sysroot=no

PAM config:
Code:
cat /etc/pam.d/openvpn
#%PAM-1.0
auth requisite pam_oath.so usersfile=/etc/oath/users_ssh.oath window=30 digits=6
auth requisite pam_nologin.so
auth include common-auth
account requisite pam_nologin.so
account include common-account
password include common-password
session required pam_loginuid.so
session include common-session
session optional pam_lastlog.so silent noupdate showfailed

openvpn server conf (only relevant):
Code:
username-as-common-name
#plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so "openvpn"
plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so "openvpn login USERNAME password PASSWORD pin OTP"

client conf (relevant part):
Code:
auth-user-pass
#static-challenge "PIN" 1
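Both posts above hinge on the same mechanism: with static-challenge enabled, the client packs the password and the typed OTP into one field, SCRV1:<base64 password>:<base64 response>, the server-side auth-pam plugin splits that field back into PASSWORD and OTP before answering the PAM prompts, and pam_oath then checks the OTP as an RFC 6238 TOTP within a time-step window. The following is an added, self-contained model of that path written for this thread; it is not code from OpenVPN, pam_oath or either poster. The SCRV1 layout and the HOTP/TOTP arithmetic follow the published specifications; the symmetric search window and the "reject reused step" replay rule are assumptions labelled in the code (pam_oath keeps its own last-used counter in the users file). The shared secret and times are constructed test values taken from the RFC 6238 test vectors.

```python
import base64
import hashlib
import hmac
import struct


def encode_scrv1(password: str, otp_response: str) -> str:
    """Client side: how OpenVPN sends the password plus the static-challenge
    answer in one field: SCRV1:<base64 password>:<base64 response>."""
    b64 = lambda s: base64.b64encode(s.encode()).decode()
    return "SCRV1:{}:{}".format(b64(password), b64(otp_response))


def split_scrv1(password_field: str):
    """Server side: undo the packing so PASSWORD and OTP can be handed to
    separate PAM prompts. A field without the SCRV1 prefix is a plain
    password and carries no challenge response (returned as None)."""
    if not password_field.startswith("SCRV1:"):
        return password_field, None
    parts = password_field.split(":")
    if len(parts) != 3:
        raise ValueError("malformed SCRV1 field")
    return (base64.b64decode(parts[1]).decode(),
            base64.b64decode(parts[2]).decode())


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP with HMAC-SHA1, the primitive pam_oath verifies."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the time-step counter (digits=6 as in the
    pam_oath line above)."""
    return hotp(secret, at_time // step, digits)


def verify_totp(secret: bytes, candidate: str, at_time: int, window: int = 30,
                last_used_step: int = -1, step: int = 30, digits: int = 6):
    """Return the matching time step, or None.

    Assumption (labelled): the window is searched symmetrically, i.e. the
    current step plus/minus `window` steps, and a step at or below
    `last_used_step` is refused so a captured code cannot be replayed.
    The caller persists the returned step as the new last_used_step."""
    if len(candidate) != digits or not candidate.isdigit():
        return None
    now_step = at_time // step
    for offset in range(-window, window + 1):
        candidate_step = now_step + offset
        if candidate_step < 0 or candidate_step <= last_used_step:
            continue
        if hmac.compare_digest(hotp(secret, candidate_step, digits), candidate):
            return candidate_step
    return None


def server_login(password_field: str, secret: bytes, at_time: int,
                 expected_password: str, last_used_step: int = -1):
    """Order of the PAM stack above: pam_oath first (requisite), then the
    password modules. Returns (ok, matched_step)."""
    password, otp = split_scrv1(password_field)
    if otp is None:                      # no challenge answer was sent at all
        return False, None
    matched = verify_totp(secret, otp, at_time, last_used_step=last_used_step)
    if matched is None:
        return False, None
    if not hmac.compare_digest(password, expected_password):
        return False, None
    return True, matched


if __name__ == "__main__":
    # Constructed values: the RFC 6238 SHA-1 test secret at T=59 gives 287082.
    SECRET = b"12345678901234567890"
    field = encode_scrv1("s3cret", totp(SECRET, 59))
    print(field)
    print(server_login(field, SECRET, 59, "s3cret"))
```

Replaying the same field a second time with the returned step stored as last_used_step fails, which is the behaviour to expect from a correctly configured pam_oath users file as well.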