Openvpn 2.4.6 + pam plugin + FreeIPA OTP
Moderators: TinCanTech
Forum rules
Please use the [oconf] BB tag for openvpn Configurations. See viewtopic.php?f=30&t=21589 for an example.
- OpenVpn Newbie
- Posts: 3
- Joined: Tue Nov 06, 2018 3:00 pm
Openvpn 2.4.6 + pam plugin + FreeIPA OTP
Hello everyone,
I'm not sure if I am in the correct forum or not. But, I hope I am. Anyway, I am trying to get OTP to work with openvpn using FreeIPA for user account management. Has anyone ever set this up before?
I have tried a multitude of things with the openvpn pam shared object:
plugin openvpn-plugin-auth-pam.so "openvpn" (combining password+otp in one line)
plugin openvpn-plugin-auth-pam.so "openvpn login USERNAME password PASSWORD" (combining password+otp in one line)
plugin openvpn-plugin-auth-pam.so "openvpn login USERNAME 'First Factor' PASSWORD 'Second Factor' OTP" (setting static-challenge in client.conf)
If I remove otp from the user account, I can login just fine. Just trying to wrap my head around the plugin so that it will work with OTP.
Any help is greatly appreciated.
- OpenVpn Newbie
- Posts: 2
- Joined: Mon Mar 26, 2018 8:25 am
Re: Openvpn 2.4.6 + pam plugin + FreeIPA OTP
it works with auth-user-pass
Then OpenVPN will ask you for a password which has to be "password + OTP" with no space, but take care with the renegotiation command in the server conf.
this is content of my openvpn pam file:
Code:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so use_first_pass
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password sufficient pam_unix.so sha512 shadow nis nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
Last edited by Pippin on Wed Jul 01, 2020 2:21 pm, edited 1 time in total.
Reason: Formatting
- OpenVpn Newbie
- Posts: 4
- Joined: Tue Jan 28, 2020 7:39 pm
Re: Openvpn 2.4.6 + pam plugin + FreeIPA OTP
Is this accurate? It will correctly work without doing the "First Factor" then "Second Factor" login req?
What I am trying to accomplish is to add tokens for VPN users to my FreeIPA server, but only require the token on certain services using HBAC, while having more relaxed login for other services.
So far I've been having issues using the OpenVPN PAM plugin because using that to talk to freeipa prompts for the password and token separately.
Others have suggested using the openvpn ldap plugin but that won't allow for HBAC configuration.
- OpenVpn Newbie
- Posts: 4
- Joined: Tue Jan 28, 2020 7:39 pm
Re: Openvpn 2.4.6 + pam plugin + FreeIPA OTP
I know this post is rather old, has anybody successfully gotten OpenVPN server working with PAM auth against a FreeIPA server with OTP?
I am trying to leverage pam auth and HBAC so VPN auth will require a token, but have more relaxed auth requirements on other services. So far I haven't been able to get it working.
- OpenVpn Newbie
- Posts: 5
- Joined: Wed Jun 10, 2020 6:38 pm
Re: Openvpn 2.4.6 + pam plugin + FreeIPA OTP
I know it's been a few months since the last post but I too am struggling to make this scenario work.
I tried configuring my setup as described in the link @ https://sourceforge.net/p/openvpn/mailm ... /35969399/. But as described above I cannot authenticate with password + OTP token. IPA logs show 'Invalid Credentials'.
If I deselect the OTP requirement for the user, authentication is successful with password only.
I read elsewhere to configure SSSD to accept 2FA value as part of the password field because OpenVPN has no way to ask multiple prompts for PAM conversation. But I'm not sure how to make that configuration.
- OpenVpn Newbie
- Posts: 5
- Joined: Wed Jun 10, 2020 6:38 pm
Re: Openvpn 2.4.6 + pam plugin + FreeIPA OTP
I figured it out!
The key was using a later version of sssd. In version 2.0.x, authentication prompting configuration became available – re: https://sssd.io/docs/design_pages/promp ... ation.html
Unfortunately my OpenVPN instance was running on CentOS 7.8 which only supports up to version 1.16. So I spun up a CentOS 8 VM with sssd version 2.2.3 already loaded. Fedora 29 or higher would also work.
On the CentOS 8 VM I installed & configured OpenVPN and free-ipa-client. I then configured sssd to combine password & OTP token into one value.
Code:
vi /etc/sssd/sssd.conf
Add the following sections to the bottom of the file:
Code:
[prompting/password]
password_prompt = Please enter LDAP password:
[prompting/2fa]
single_prompt = True
first_prompt = Please enter LDAP password + OTP token value:
Change the prompting words as needed. It really only shows up when testing from the cli. But most importantly I learned after many hours that BOTH sections are required in the order shown.
Next, configure pam.d by editing the file used for the OpenVPN service – in my case the file is named openvpn
Code:
vi /etc/pam.d/openvpn
Add the following:
Code:
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so
auth required pam_deny.so
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
Restart sssd and openvpn
I also followed the steps described in the link @ https://sourceforge.net/p/openvpn/mailm ... /35969399/ to configure FreeIPA.
To test locally:
- Configure a user in FreeIPA to use password only. In my case the user id is test5
- Switch to a local user on the server that does not have sudo privileges
Code:
su testuser
- Now attempt to switch to the ipa user
Code:
su test5
- You should be prompted - Please enter LDAP password:
- Confirm you can log in with password only and then exit back to testuser
- Now configure the user (test5) in FreeIPA to use password + OTP
- Create a token in FreeIPA for user test5
- Attempt to switch to the ipa user again
Code:
su test5
- Now you should be prompted - Please enter LDAP password + OTP token value:
- Try logging in with password only. The attempt should fail.
- Attempt to switch to the ipa user once more
Code:
su test5
- Try logging in again with the password + OTP token value. (I used Google Authenticator to generate the token value). Login should be successful
Everything worked!
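As an added example (not from this thread, nor from the sssd or OpenVPN projects): a POSIX sh check that an sssd.conf carries both prompting sections from the post above, in the order the poster found necessary, with single_prompt = True so password and OTP travel in the one field the auth-pam plugin can deliver. The sample file contents and the domain name are constructed for the demo.

```shell
#!/bin/sh
# Added example (not the poster's code): verify an sssd.conf has the
# [prompting/password] and [prompting/2fa] sections in that order, and that
# 2fa uses single_prompt = True. Exit 0 = OK, 1 = misconfigured.
check_sssd_prompting() {
    awk '
        { gsub(/^[ \t]+|[ \t]+$/, "") }          # trim whitespace
        /^(#|;)/ || /^$/ { next }                 # skip comments and blanks
        /^\[/ {                                    # section header line
            section = $0
            if (section == "[prompting/password]") pw = NR
            if (section == "[prompting/2fa]") tfa = NR
            next
        }
        section == "[prompting/2fa]" && tolower($0) ~ /^single_prompt[ \t]*=[ \t]*true$/ { single = 1 }
        END {
            if (!pw)      { print "missing [prompting/password]"; exit 1 }
            if (!tfa)     { print "missing [prompting/2fa]"; exit 1 }
            if (tfa < pw) { print "[prompting/2fa] must follow [prompting/password]"; exit 1 }
            if (!single)  { print "[prompting/2fa] needs single_prompt = True"; exit 1 }
            print "prompting sections OK"
        }' "$1"
}
# Constructed sample files (not a real host's configuration).
good=$(mktemp); bad=$(mktemp)
trap 'rm -f "$good" "$bad"' EXIT
cat >"$good" <<'EOF'
[sssd]
domains = ipa.example.test
services = nss, pam

[prompting/password]
password_prompt = Please enter LDAP password:

[prompting/2fa]
single_prompt = True
first_prompt = Please enter LDAP password + OTP token value:
EOF
cat >"$bad" <<'EOF'
# no [prompting/password] and no single_prompt: sssd would issue a second OTP
# prompt, which the openvpn auth-pam conversation cannot answer
[prompting/2fa]
first_prompt = Please enter LDAP password:
EOF
check_sssd_prompting "$good"
check_sssd_prompting "$bad" || echo "bad config rejected as expected"
```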