OpenVPN TOTP prompt

[moxom]

Hi everybody,

I'm trying to configure the company OpenVPN installation to support TOTP tokens in addition to our current LDAP authentication. I've gotten both authentication methods to work separately, but OpenVPN doesn't automatically prompt for the TOTP key if I have enabled both plugins (using openvpn-auth-ldap & openvpn-otp).

Can anyone point me in the right direction regarding implementing the second authentication prompt? I've searched a bit myself and figured out the i possibly need a post-auth script, but I'm not sure how I would execute this script in the OpenVPN configuration?

Hope someone can help me out


Thanks in advance!

[neandertaler]

Hi I have exactly the same issue.

Code: Select all

openvpn --version
OpenVPN 2.5.6 x86_64-suse-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Mar 16 2022
library versions: OpenSSL 1.1.1l  24 Aug 2021 SUSE release 150400.7.37.1, LZO 2.10
Originally developed by James Yonan
Copyright (C) 2002-2022 OpenVPN Inc <sales@openvpn.net>
Compile time defines: enable_async_push=no enable_comp_stub=no enable_crypto_ofb_cfb=yes enable_debug=yes enable_def_auth=yes enable_dependency_tracking=no enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=needless enable_fragment=yes enable_iproute2=yes enable_libtool_lock=yes enable_lz4=yes enable_lzo=yes enable_management=yes enable_multihome=yes enable_pam_dlopen=no enable_pedantic=no enable_pf=yes enable_pkcs11=yes enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no enable_shared=yes enable_shared_with_static_runtimes=no enable_small=no enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=yes enable_werror=no enable_win32_dll=yes enable_x509_alt_username=yes with_aix_soname=aix with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_sysroot=no

PAM config:

Code: Select all

cat /etc/pam.d/openvpn
#%PAM-1.0
auth        requisite   pam_oath.so usersfile=/etc/oath/users_ssh.oath window=30 digits=6 
auth        requisite   pam_nologin.so
auth        include     common-auth
account     requisite   pam_nologin.so
account     include     common-account
password    include     common-password
session     required    pam_loginuid.so
session     include     common-session
session     optional    pam_lastlog.so   silent noupdate showfailed

openvpn server conf (only relevant):

Code: Select all

username-as-common-name
#plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so "openvpn"
plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so "openvpn login USERNAME password PASSWORD pin OTP"

client conf (relevant part):

Code: Select all

auth-user-pass
#static-challenge "PIN" 1

The client version is exactly the same as the server version (it shouldn't be a version mismatch issue). I tried to run server and client as nobody enable/disabled, nothing helped. If I enable the static-challange option on client side, the prompt is displayed, but the input isn't handled (it isn't passed toward PAM). However the user/password login is working fine, which is also handled by PAM.
The PAM configuration openvpn is correct, as the same works with SSH well.

[meres]

Hello, did you manage to get it work?
I' ve been struggling a lot and have the same behavior, PAM/LDAP works fine, but when adding oath I get authentication failures

[meres]

After many hours I figured it out, in my case I had to change "pin" to "One-time".
pam-oath queries for "query='One-time password (OATH) for `USERxxx': ' style=1", so "pin" did not match the query of the module.