Openvpn 2.4.6 + pam plugin + FreeIPA OTP


Openvpn 2.4.6 + pam plugin + FreeIPA OTP

Post by l0nedigit » Tue Nov 06, 2018 3:07 pm

Hello everyone,

I'm not sure if I am in the correct forum or not, but I hope I am. Anyway, I am trying to get OTP to work with openvpn, using FreeIPA for user account management. Has anyone ever set this up before?

I have tried a multitude of things with the openvpn pam shared object:
plugin openvpn-plugin-auth-pam.so "openvpn" (combining password+otp in one line)
plugin openvpn-plugin-auth-pam.so "openvpn login USERNAME password PASSWORD" (combining password+otp in one line)
plugin openvpn-plugin-auth-pam.so "openvpn login USERNAME 'First Factor' PASSWORD 'Second Factor' OTP" (setting static-challenge in client.conf)

If I remove otp from the user account, I can login just fine. Just trying to wrap my head around the plugin so that it will work with OTP.

Any help is greatly appreciated.


Re: Openvpn 2.4.6 + pam plugin + FreeIPA OTP

Post by ccociug » Thu Nov 07, 2019 1:28 pm

It works with auth-user-pass.

This is the content of my openvpn PAM file:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so use_first_pass
auth required pam_deny.so

account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so

password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password sufficient pam_unix.so sha512 shadow nis nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
Then OpenVPN will ask you for a password, which has to be "password + OTP" with no space, but take care with the renegotiation command in the server conf.
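As an added illustration (not code from this thread, from OpenVPN or from FreeIPA), the Python below shows the two shapes the password field can have when it reaches the server: the raw concatenated `password+OTP` string ccociug describes with plain `auth-user-pass`, and the `SCRV1:` form an OpenVPN client sends when `static-challenge` is set, which is decoded and normalized to the same concatenated string FreeIPA validates. The function names and sample values are my own.

```python
import base64

# Constructed sample values for the demonstration; not taken from the thread.
SAMPLE_PASSWORD = "s3cret"
SAMPLE_OTP = "123456"

SCRV1_PREFIX = "SCRV1:"


def encode_scrv1(password: str, otp: str) -> str:
    """Build the field an OpenVPN client sends when `static-challenge` is set:
    SCRV1:<base64(password)>:<base64(challenge response)>."""
    b64 = lambda s: base64.b64encode(s.encode()).decode()
    return f"{SCRV1_PREFIX}{b64(password)}:{b64(otp)}"


def split_scrv1(password_field: str):
    """Return (password, otp) for a SCRV1 field, or (field, None) for a plain
    password field such as the concatenated 'password+OTP' string."""
    if not password_field.startswith(SCRV1_PREFIX):
        return password_field, None
    parts = password_field[len(SCRV1_PREFIX):].split(":")
    if len(parts) != 2:
        raise ValueError("malformed SCRV1 field")
    try:
        password = base64.b64decode(parts[0], validate=True).decode()
        otp = base64.b64decode(parts[1], validate=True).decode()
    except (ValueError, UnicodeDecodeError) as exc:
        raise ValueError("malformed SCRV1 field") from exc
    return password, otp


def freeipa_otp_secret(password_field: str) -> str:
    """Normalize either field shape to the single string FreeIPA's OTP
    authentication expects: the password immediately followed by the OTP,
    with no separator. A plain field is assumed to be already concatenated."""
    password, otp = split_scrv1(password_field)
    return password if otp is None else password + otp


if __name__ == "__main__":
    scrv1 = encode_scrv1(SAMPLE_PASSWORD, SAMPLE_OTP)
    print(scrv1)                       # what a static-challenge client sends
    print(freeipa_otp_secret(scrv1))   # same string as the plain concatenation
    print(freeipa_otp_secret(SAMPLE_PASSWORD + SAMPLE_OTP))
```

The renegotiation caveat in the post matters for both shapes: on `reneg-sec` renegotiation the client re-sends the stored password field, and a one-time code that was already consumed will not validate a second time, so the server side needs `auth-gen-token` (OpenVPN 2.4+) or `reneg-sec 0`.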


Re: Openvpn 2.4.6 + pam plugin + FreeIPA OTP

Post by clags » Tue Jan 28, 2020 7:40 pm

Is this accurate? It will correctly work without doing the "First Factor" then "Second Factor" login requirement?

What I am trying to accomplish is to add tokens for VPN users to my FreeIPA server, but only require the token on certain services using HBAC, while having a more relaxed login for other services.

So far I've been having issues using the OpenVPN PAM plugin because using that to talk to freeipa prompts for the password and token separately.

Others have suggested using the openvpn ldap plugin but that won't allow for HBAC configuration.


Re: Openvpn 2.4.6 + pam plugin + FreeIPA OTP

Post by clags » Mon Feb 03, 2020 8:15 pm

I know this post is rather old, but has anybody successfully gotten an OpenVPN server working with PAM auth against a FreeIPA server with OTP?

I am trying to leverage pam auth and HBAC so VPN auth will require a token, but have more relaxed auth requirements on other services. So far I haven't been able to get it working.
