PAM authentication with password + OTP token
Posted: Tue Jun 30, 2020 9:29 pm
I'm trying to implement PAM authentication of an OpenVPN server for users stored in an IPA server. My use case requires PAM authentication as opposed to LDAP authentication.
In testing, a user configured in IPA to authenticate with password only can successfully authenticate. But authentication fails when the IPA user is configured to authenticate with password + OTP token.
As described in the link @ https://sourceforge.net/p/openvpn/mailm ... /35969399/
I configured /etc/pam.d/openvpn like this:
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so otp_in_password
auth required pam_deny.so
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so

But authentication fails with the IPA log showing invalid credentials.
I read elsewhere to configure SSSD to accept the 2FA value as part of the password field, because OpenVPN has no way to issue multiple prompts in the PAM conversation. But I'm not sure how to make that configuration.
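A way to check the /etc/pam.d/openvpn stack on its own, as an added example that is not from the post, OpenVPN or SSSD: the script below talks to libpam like a client with a single password box (every prompt gets the same string, the way OpenVPN's PAM plugin has to answer), so you can feed it password followed by OTP and see whether pam_sss accepts the combined field before involving OpenVPN at all. It assumes Linux with libpam present and the service file already installed; the function names are mine.

```python
import ctypes
import ctypes.util

PAM_SUCCESS, PAM_PROMPT_ECHO_OFF, PAM_PROMPT_ECHO_ON = 0, 1, 2

class PamMessage(ctypes.Structure):
    _fields_ = [("msg_style", ctypes.c_int), ("msg", ctypes.c_char_p)]

class PamResponse(ctypes.Structure):
    _fields_ = [("resp", ctypes.c_void_p), ("resp_retcode", ctypes.c_int)]

CONV_T = ctypes.CFUNCTYPE(ctypes.c_int, ctypes.c_int,
                          ctypes.POINTER(ctypes.POINTER(PamMessage)),
                          ctypes.POINTER(ctypes.POINTER(PamResponse)), ctypes.c_void_p)

class PamConv(ctypes.Structure):
    _fields_ = [("conv", CONV_T), ("appdata_ptr", ctypes.c_void_p)]

def single_field_answers(prompt_styles, secret):
    """A one-password-box client gives every prompt the same string and has no
    second field, so the OTP must ride inside it (pam_sss otp_in_password)."""
    return [secret if s in (PAM_PROMPT_ECHO_OFF, PAM_PROMPT_ECHO_ON) else ""
            for s in prompt_styles]

def pam_authenticate(service, user, secret):
    """Run service's auth+account stacks like a one-field client.
    Returns (auth_rc, acct_rc); 0 is PAM_SUCCESS, 7 is PAM_AUTH_ERR."""
    libpam = ctypes.CDLL(ctypes.util.find_library("pam"))
    libc = ctypes.CDLL(ctypes.util.find_library("c"))
    libc.calloc.restype = libc.strdup.restype = ctypes.c_void_p
    def conv(num_msg, msgs, resp_out, _appdata):
        styles = [msgs[i].contents.msg_style for i in range(num_msg)]
        # libpam free()s the response array and strings, so allocate via libc.
        arr = ctypes.cast(libc.calloc(num_msg, ctypes.sizeof(PamResponse)),
                          ctypes.POINTER(PamResponse))
        for i, text in enumerate(single_field_answers(styles, secret)):
            arr[i].resp = libc.strdup(text.encode())
        resp_out[0] = arr
        return PAM_SUCCESS

    conv_cb, handle = CONV_T(conv), ctypes.c_void_p()  # keep callback alive
    pamconv = PamConv(conv_cb, None)
    rc = libpam.pam_start(service.encode(), user.encode(),
                          ctypes.byref(pamconv), ctypes.byref(handle))
    if rc != PAM_SUCCESS:
        return rc, rc
    auth_rc = libpam.pam_authenticate(handle, 0)
    acct_rc = libpam.pam_acct_mgmt(handle, 0) if auth_rc == PAM_SUCCESS else auth_rc
    libpam.pam_end(handle, acct_rc)
    return auth_rc, acct_rc
```

Run `pam_authenticate("openvpn", user, password + otp)` from a Python shell on the VPN host: a result of (0, 0) means PAM and SSSD accept the concatenated field and the remaining problem is on the OpenVPN side, while (7, 7) with the same "invalid credentials" entry in the IPA log points at the SSSD/pam_sss configuration.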