Use PAM multi factor auth only for selected users (Google Authenticator)

tuxmartin
OpenVpn Newbie
Posts: 4
Joined: Mon Mar 23, 2020 2:35 pm

Use PAM multi factor auth only for selected users (Google Authenticator)

Post by tuxmartin » Mon Mar 23, 2020 2:43 pm

Hi,
I have an OpenVPN server with multi-factor authentication using Google Authenticator.

It works, but all users must use multi-factor authentication.
I would like to have some users without multi-factor authentication.
I need to configure multi-factor authentication per user, not per server.
Is it possible (client-config-dir or something similar)?

My OpenVPN server config:

server.conf

# ----- Google Authenticator multi factor authentication
# PAM plugin; the trailing "openvpn" is the PAM service name, i.e. /etc/pam.d/openvpn
plugin /usr/lib/x86_64-linux-gnu/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn
# ----- Google Authenticator multi factor authentication


tls-server
port 12345
proto tcp
dev tun
server 10.16.11.0 255.255.255.0
# several clients may connect with the same certificate CN
duplicate-cn
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh.pem
# still permits TLS 1.0; 1.2 is the usual floor
tls-version-min 1.0
cipher AES-128-CBC
auth SHA256
# this value is dead: "reneg-sec 0" at the end of the file overrides it
reneg-sec 60
log-append /var/log/openvpn.log
status /var/run/vpn.status 10
user nobody
group nogroup
keepalive 30 120
comp-lzo
verb 3
persist-key
persist-tun
client-config-dir /etc/openvpn/ccd
# last occurrence wins: TLS renegotiation disabled, so PAM is only asked once per session
reneg-sec 0


Everything else is according to the instructions: https://medium.com/we-have-all-been-the ... 4e4acc2852

Thanks for help.


Re: Use PAM multi factor auth only for selected users (Google Authenticator)

Post by tuxmartin » Mon Mar 23, 2020 3:30 pm

I found a partial solution:

# cat /etc/pam.d/openvpn
account    [success=1 new_authtok_reqd=done default=ignore]	pam_unix.so 
account    requisite                 pam_deny.so
account    required                  pam_permit.so
# if the skip script exits 0 the auth stack succeeds here and the TOTP line below is never reached
auth       sufficient                pam_exec.so expose_authtok /bin/gauth-skip-check
# everyone else: per-user secret file, verified as user "gauth"; forward_pass passes the remainder on
auth       required                  pam_google_authenticator.so secret=/etc/openvpn/google-authenticator/${USER} user=gauth forward_pass

#/bin/gauth-skip-check 
#!/bin/bash
# Exit 0 (skip the TOTP step) only if the exact username is listed, one per line.
# The original `cat ... | grep -q ${PAM_USER}` was a substring/regex match,
# so "bob" would also have matched a list containing "bobby"; -x -F fixes that.
grep -qxF -- "${PAM_USER}" /etc/openvpn/gauth-skip-users

Now the user enters a username and any string as the password. If the username is in the file /etc/openvpn/gauth-skip-users, the login is accepted.

But I still must have auth-user-pass in the user config.
How can I do it without auth-user-pass?
auth-user-pass accepts a file with user and password. But I need only one file for the client.

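The same per-user split, done outside PAM, as an added example that is not the poster's setup: OpenVPN's own `auth-user-pass-verify` hook (`via-env` mode, which needs `script-security 3`) hands the script the client's `username` and `password` in the environment and accepts the login when it exits 0, so the decision can be made per username on a single server. Users in the skip file get in on certificate plus username alone; everyone else must present a valid 6-digit TOTP as the password. The file paths, the script name and the `via-env` wiring are assumptions; the TOTP code is implemented inline (HMAC-SHA1, RFC 4226/6238, as Google Authenticator uses) so the example runs offline, and the sample secret is the RFC 6238 test key, not a real one.

```python
#!/usr/bin/env python3
"""Per-user second factor for one OpenVPN server (added example, not the
poster's PAM configuration).

Hypothetical wiring in server.conf:
    script-security 3
    auth-user-pass-verify /etc/openvpn/mfa-policy.py via-env
OpenVPN exports `username` and `password` in the environment and treats
exit status 0 as success. Skip-listed users need no code; others need a
valid TOTP for their own secret; unknown users are rejected.
"""
import base64
import hashlib
import hmac
import os
import struct
import sys
import time

SKIP_FILE = "/etc/openvpn/gauth-skip-users"        # assumed: one username per line
SECRET_DIR = "/etc/openvpn/google-authenticator"   # assumed: <dir>/<username> holds a base32 secret

# Constructed sample data: RFC 6238 test secret "12345678901234567890" in base32.
SAMPLE_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
SAMPLE_SKIP_FILE = "# admins and servers that log in with certificate only\nadmin1\n\nsrv-backup\n"


def load_skip_users(text):
    """Allowlist parser: one username per line, blanks and '#' comments ignored."""
    return {line.strip() for line in text.splitlines()
            if line.strip() and not line.strip().startswith("#")}


def is_skip_user(username, skip_users):
    """Exact match only. A `grep -q $USER file` check is a substring/regex
    match, so 'bob' would also satisfy a list containing 'bobby'."""
    return username in skip_users


def hotp(secret_b32, counter, digits=6):
    """RFC 4226 HOTP with HMAC-SHA1, the algorithm Google Authenticator uses."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return "{:0{width}d}".format(code % 10 ** digits, width=digits)


def verify_totp(secret_b32, code, now, step=30, window=1):
    """RFC 6238 TOTP check; `window` steps either side tolerates clock skew.
    Constant-time comparison so a reject does not leak how many digits matched."""
    if not (len(code) == 6 and code.isdigit()):
        return False
    counter = int(now) // step
    return any(hmac.compare_digest(hotp(secret_b32, counter + d), code)
               for d in range(-window, window + 1))


def decide(username, password, skip_users, secrets, now):
    """Policy decision: True means accept the login."""
    if is_skip_user(username, skip_users):
        return True
    secret = secrets.get(username)
    if secret is None:
        return False
    return verify_totp(secret, password, now)


def read_secret(username):
    """Load <SECRET_DIR>/<username>; refuse names that could escape the directory."""
    if not username or "/" in username or username in (".", ".."):
        return None
    try:
        with open(os.path.join(SECRET_DIR, username)) as f:
            return f.readline().strip()
    except OSError:
        return None


def main():
    username = os.environ.get("username", "")
    password = os.environ.get("password", "")
    try:
        with open(SKIP_FILE) as f:
            skip_users = load_skip_users(f.read())
    except OSError:
        skip_users = set()
    secret = read_secret(username)
    ok = decide(username, password, skip_users,
                {username: secret} if secret else {}, time.time())
    sys.exit(0 if ok else 1)


if __name__ == "__main__":
    main()
```

This replaces the PAM plugin rather than sitting beside it (running both would prompt twice). The skip list only bypasses the password step: the TLS client certificate check still applies to every connection, and clients still need `auth-user-pass` so that a username reaches the server at all. Note also that `client-config-dir` files carry per-client options such as `push`, `iroute`, `ifconfig-push` and `disable`, not authentication directives, which is why the per-user choice has to live in the verify step rather than in the ccd.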
TinCanTech
OpenVPN Protagonist
Posts: 7131
Joined: Fri Jun 03, 2016 1:17 pm

Re: Use PAM multi factor auth only for selected users (Google Authenticator)

Post by TinCanTech » Mon Mar 23, 2020 6:35 pm

tuxmartin wrote:
Mon Mar 23, 2020 2:43 pm
I need to configure multi factor authentication per user, not per server.
Think again.


Re: Use PAM multi factor auth only for selected users (Google Authenticator)

Post by tuxmartin » Tue Mar 24, 2020 12:04 am

TinCanTech wrote:
Mon Mar 23, 2020 6:35 pm
tuxmartin wrote:
Mon Mar 23, 2020 2:43 pm
I need to configure multi factor authentication per user, not per server.
Think again.
How do you mean?

I have 15 VPN users.
For 10 (normal users) of them I need multi factor authentication.

But for the 5 remaining users (admins, servers) I do not want multi factor authentication.

For simplicity I would like to have only one running OpenVPN server.


Re: Use PAM multi factor auth only for selected users (Google Authenticator)

Post by TinCanTech » Tue Mar 24, 2020 12:25 am

Did you think at all?


Re: Use PAM multi factor auth only for selected users (Google Authenticator)

Post by tuxmartin » Tue Mar 24, 2020 10:38 am

TinCanTech wrote:
Tue Mar 24, 2020 12:25 am
Did you think at all?
Yes, of course!

Is it possible to enable multi-factor auth in client-config-dir? Or do I have to have two VPN servers?
