Openvpn 2.4.6 + pam plugin + FreeIPA OTP

This forum is for admins who are looking to build or expand their OpenVPN setup.
Forum rules
Please use the [oconf] BB tag for openvpn Configurations. See viewtopic.php?f=30&t=21589 for an example.
Post Reply
l0nedigit
OpenVpn Newbie
Posts: 3
Joined: Tue Nov 06, 2018 3:00 pm

Openvpn 2.4.6 + pam plugin + FreeIPA OTP

Post by l0nedigit » Tue Nov 06, 2018 3:07 pm

Hello everyone,

I'm not sure if I am in the correct forum or not. But, I hope I am. Anyway, I am trying to get OTP to work the openvpn using FreeIPA for user account management. Has anyone ever set this up before?

I have tried a multitude of things with the openvpn pam shared object:
plugin openvpn-plugin-auth-pam.so "openvpn" (combining password+otp in one line)
plugin openvpn-plugin-auth-pam.so "openvpn login USERNAME password PASSWORD" (combining passowrd+otp in one line)
plugin openvpn-plugin-auth-pam.so "openvpn login USERNAME 'First Factor' PASSWORD 'Second Factor' OTP" (setting static-challeng in client.conf)

If I remove otp from the user account, I can login just fine. Just trying to wrap my head around the plugin so that it will work with OTP.

Any help is greatly appreciated.

ccociug
OpenVpn Newbie
Posts: 2
Joined: Mon Mar 26, 2018 8:25 am

Re: Openvpn 2.4.6 + pam plugin + FreeIPA OTP

Post by ccociug » Thu Nov 07, 2019 1:28 pm

it works with auth-user-pass

this is content of my openvpn pam file:

Code: Select all

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow nis nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so
>>>>
Then open VPN will ask your for a password which have to be "password + OTP" with no space, but take care on renegotiation command from server conf.
Last edited by Pippin on Wed Jul 01, 2020 2:21 pm, edited 1 time in total.
Reason: Formatting

clags
OpenVpn Newbie
Posts: 4
Joined: Tue Jan 28, 2020 7:39 pm

Re: Openvpn 2.4.6 + pam plugin + FreeIPA OTP

Post by clags » Tue Jan 28, 2020 7:40 pm

Is this accurate, it will correctly work without doing the "First Factor" then "Second Factor" login req?

What I am trying to accomplish is to at tokens for VPN users to my FreeIPA server, but only require the token on certain services using HBAC, while having more relaxed login for other services.

So far I've been having issues using the OpenVPN PAM plugin because using that to talk to freeipa prompts for the password and token separately.

Others have suggested using the openvpn ldap plugin but that won't allow for HBAC configuration.

clags
OpenVpn Newbie
Posts: 4
Joined: Tue Jan 28, 2020 7:39 pm

Re: Openvpn 2.4.6 + pam plugin + FreeIPA OTP

Post by clags » Mon Feb 03, 2020 8:15 pm

I know this post is rather old, has anybody successfully gotten OpenVPN server working with PAM auth against a FreeIPA server with OTP?

I am trying to leverage pam auth and HBAC so VPN auth will require a token, but have more relaxed auth requirements on other services. So far I haven't been able to get it working.

bcalder
OpenVpn Newbie
Posts: 5
Joined: Wed Jun 10, 2020 6:38 pm

Re: Openvpn 2.4.6 + pam plugin + FreeIPA OTP

Post by bcalder » Wed Jul 01, 2020 12:51 am

I know its been a few months since the last post but I too am struggling to make this scenario work.

I tried configuring my setup as described in the link @ https://sourceforge.net/p/openvpn/mailm ... /35969399/. But as described above I can not authenticate with password + OTP token. IPA logs show 'Invalid Credentials'

If I deselect the OTP requirement for the user, authentication is successful with password only.

I read elsewhere to configure SSSD to accept 2FA value as part of the password field because OpenVPN has no way to ask multiple prompts for PAM conversation. But I'm not sure how to make that configuration.

bcalder
OpenVpn Newbie
Posts: 5
Joined: Wed Jun 10, 2020 6:38 pm

Re: Openvpn 2.4.6 + pam plugin + FreeIPA OTP

Post by bcalder » Sun Jul 05, 2020 9:35 pm

I figured it out!

The key was using a later version of sssd. In version 2.0.x, authentication prompting configurartion became available – re: https://sssd.io/docs/design_pages/promp ... ation.html

Unfortunately my OpenVPN instance was running on Centos 7.8 which only supports up to version 1.16. So I spun up a Centos 8 VM with sssd version 2.2.3 already loaded. Fedora 29 or higher would also work.

On the Centos 8 VM I installed & configured openVPN and free-ipa-client. I then configured sssd to combine password & OTP token into one value.

Code: Select all

vi /etc/sssd/sssd.conf
Add the following sections to the bottom of the file:

Code: Select all

[prompting/password]
password_prompt = Please enter LDAP password:

[prompting/2fa]
single_prompt = True
first_prompt = Please enter LDAP password + OTP token value:
Change the prompting words as needed. It really only shows up when testing from the cli. But most importantly I learned after many hours that BOTH sections are required in the order shown.

Next, configure pam.d by editing the file used for the OpenVPN service – in my case the file is named openvpn

Code: Select all

vi /etc/pam.d/openvpn
Add the following:

Code: Select all

auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_sss.so
auth        required      pam_deny.so
account     [default=bad  success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so
Restart sssd and openvpn

I also followed the steps descibed in the link @ https://sourceforge.net/p/openvpn/mailm ... /35969399/ to configure FreeIPA.

To test locally:
  • Configure a user in FreeIPA to use password only. In my case the user id is test5
  • Switch to a local user on the server that does not have sudo privileges
  • Now attempt to switch to the ipa user
  • You should be prompted - Please enter LDAP password:
  • Confirm you can log in with password only and then exit back to testuser
  • Now configure the user (test5) in FreeIPA to use password + OTP
  • Create a token in FreeIPA for user test5
  • Attempt to switch to the ipa user again
  • Now you should be prompted - Please enter LDAP password + OTP token value:
  • Try logging in with password only. The attempt should fail.
  • Attempt to switch to the ipa user once more
  • Try logging in again with the password + OTP token value. (I used Google Authenticator to generate the token value). Login should be successful
I next tested from the OpenVPN client – with and without the OTP token.

Everything worked!

Post Reply