PAM authentication with password + OTP token

Posted: Tue Jun 30, 2020 9:29 pm
by bcalder
I'm trying to implement PAM authentication of an OpenVPN server for users stored in an IPA server. My use case requires PAM authentication as opposed to LDAP authentication.

In testing, a user configured in IPA to authenticate with password only can successfully authenticate. But authentication fails when the IPA user is configured to authenticate with password + OTP token.

As described in the link @ https://sourceforge.net/p/openvpn/mailm ... /35969399/

I configured /etc/pam.d/openvpn like this:

   auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
   auth        sufficient    pam_sss.so otp_in_password
   auth        required      pam_deny.so
   account     [default=bad success=ok user_unknown=ignore] pam_sss.so
   account     required      pam_permit.so

But authentication fails with the IPA log showing invalid credentials.

I read elsewhere to configure SSSD to accept 2FA value as part of the password field because OpenVPN has no way to ask multiple prompts for PAM conversation. But I'm not sure how to make that configuration.

Re: PAM authentication with password + OTP token

Posted: Sun Jul 05, 2020 9:33 pm
by bcalder
I fixed it!

The key was using a later version of sssd. In version 2.0.x, authentication prompting configuration became available – re: https://sssd.io/docs/design_pages/promp ... ation.html

Unfortunately my OpenVPN instance was running on CentOS 7.8, which only supports up to version 1.16. So I spun up a CentOS 8 VM with sssd version 2.2.3 already loaded. Fedora 29 or higher would also work.

On the CentOS 8 VM I installed & configured OpenVPN and free-ipa-client. I then configured sssd to combine password & OTP token into one value.

   vi /etc/sssd/sssd.conf

Add the following sections to the bottom of the file:

   [prompting/password]
   password_prompt = Please enter LDAP password:

   [prompting/2fa]
   single_prompt = True
   first_prompt = Please enter LDAP password + OTP token value:

Change the prompting words as needed. It really only shows up when testing from the cli. But most importantly I learned after many hours that BOTH sections are required in the order shown.

Next, configure pam.d by editing the file used for the OpenVPN service – in my case the file is named openvpn.

   vi /etc/pam.d/openvpn

Add the following:

   auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
   auth        sufficient    pam_sss.so
   auth        required      pam_deny.so
   account     [default=bad  success=ok user_unknown=ignore] pam_sss.so
   account     required      pam_permit.so

Restart sssd and openvpn.

I also followed the steps described in the link @ https://sourceforge.net/p/openvpn/mailm ... /35969399/ to configure FreeIPA.

To test locally:
  • Configure a user in FreeIPA to use password only. In my case the user id is test5
  • Switch to a local user on the server that does not have sudo privileges
  • Now attempt to switch to the ipa user
  • You should be prompted - Please enter LDAP password:
  • Confirm you can log in with password only and then exit back to testuser
  • Now configure the user (test5) in FreeIPA to use password + OTP
  • Create a token in FreeIPA for user test5
  • Attempt to switch to the ipa user again
  • Now you should be prompted - Please enter LDAP password + OTP token value:
  • Try logging in with password only. The attempt should fail.
  • Attempt to switch to the ipa user once more
  • Try logging in again with the password + OTP token value. (I used Google Authenticator to generate the token value). Login should be successful.

I next tested from the OpenVPN client – with and without the OTP token.

Everything worked!
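As an added check (my own example, not code from this thread or from the SSSD/OpenVPN projects): a small Python script that parses constructed copies of the two files from the post above and flags departures from the working configuration, namely missing or mis-ordered [prompting/...] sections, a missing single_prompt = True, and the otp_in_password argument that the first (failing) attempt used. The sample file contents are embedded inline and are assumed to be what /etc/sssd/sssd.conf and /etc/pam.d/openvpn contain.

```python
import configparser
import re

# Constructed samples reproducing the working configuration from the post.
SSSD_CONF = """[prompting/password]
password_prompt = Please enter LDAP password:

[prompting/2fa]
single_prompt = True
first_prompt = Please enter LDAP password + OTP token value:
"""

PAM_OPENVPN = """auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_sss.so
auth        required      pam_deny.so
account     [default=bad  success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so
"""

# type, control (plain word or [bracketed]), module, optional arguments
PAM_LINE = re.compile(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")
PROMPTING = ["prompting/password", "prompting/2fa"]

def check_sssd_prompting(text):
    """Return problems with the [prompting/*] sections; [] means it matches the post."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.read_string(text)
    order = [s for s in cp.sections() if s in PROMPTING]  # configparser keeps file order
    problems = [] if order == PROMPTING else ["need [prompting/password] followed by [prompting/2fa]"]
    if cp.has_section("prompting/2fa") and not cp.getboolean("prompting/2fa", "single_prompt", fallback=False):
        problems.append("[prompting/2fa] needs single_prompt = True (OpenVPN sends a single password field)")
    return problems

def check_pam_stack(text):
    """Return problems with the auth stack: pam_sss.so present, no otp_in_password, pam_deny.so after it."""
    auth = []
    for line in (raw.strip() for raw in text.splitlines()):
        m = PAM_LINE.match(line) if line and not line.startswith("#") else None
        if m and m.group(1) == "auth":
            auth.append((m.group(2), m.group(3), m.group(4).split()))
    idx = [i for i, (_, mod, _) in enumerate(auth) if mod == "pam_sss.so"]
    if not idx:
        return ["no auth line for pam_sss.so"]
    ctrl, _, args = auth[idx[0]]
    problems = ["pam_sss.so has otp_in_password; the working stack drops it"] if "otp_in_password" in args else []
    following = auth[idx[0] + 1] if idx[0] + 1 < len(auth) else None
    if ctrl == "sufficient" and (following is None or following[1] != "pam_deny.so"):
        problems.append("sufficient pam_sss.so should be followed by 'auth required pam_deny.so'")
    return problems
```

Run it against the real files by passing their contents to the two functions; an empty list from both means the stack matches the one that worked in this post.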