Login / Password authentication, using static key ?
Posted: Tue Feb 01, 2011 6:20 pm
by dsant
Is it possible to use Login / Password user authentication, AND static pre-shared key ?
Code:
#Server
ifconfig 192.168.0.1 192.168.0.2
secret "/openvpn/static.key"
dev tun
proto udp
float
plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so login
#Client
remote host.mydomain.com
ifconfig 192.168.0.2 192.168.0.1
secret "/openvpn/static.key"
dev tun
proto udp
float
--auth-user-pass "/openvpn/password.txt"
Re: Login / Password authentication, using static key ?
Posted: Wed Feb 02, 2011 7:31 am
by maikcat
hi there,
AFAIK yes...
better use certificates though..
ps: why do you use float inside server config?
cheers,
michael.
Re: Login / Password authentication, using static key ?
Posted: Wed Feb 02, 2011 10:40 am
by dsant

!
could you tell me what's wrong in my configuration ?
(I had to use "float" because of the Router : Zyxel never again !)
Re: Login / Password authentication, using static key ?
Posted: Wed Feb 02, 2011 10:47 am
by maikcat
hi dsant,
Zyxel routers are ok... I have many openvpn setups behind different Zyxels and all work fine. What problem do you have?
cheers,
michael
Re: Login / Password authentication, using static key ?
Posted: Wed Feb 02, 2011 10:58 am
by dsant
well Michael... your conf uses certificates (ca keys/ca.crt...). I was saying I want to use only static pre-shared keys AND login/password authentication.
(the Zyxel did not ask for login, only password. So incomplete web configuration page. Now I know)
Re: Login / Password authentication, using static key ?
Posted: Wed Feb 02, 2011 11:05 am
by maikcat
I answered quickly and then I edited my post,
that's why you saw the configs...
anyway
your original config
ifconfig 192.168.0.1 192.168.0.2
secret "/openvpn/static.key"
dev tun
proto udp
float
plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so login
is fine (I would remove the float statement though).
question:
>(the Zyxel did not ask for login, only password. So incomplete web configuration page. Now I know)
I believe you are talking about the login process on the Zyxel itself... right?
what this has to do with openvpn?
michael.
Re: Login / Password authentication, using static key ?
Posted: Wed Feb 02, 2011 11:13 am
by janjust
logins with static keys are NOT possible right now.
You can configure a server to use the pam plugin (pretty much like you did) but the client cannot be configured :
Code:
# openvpn --proto udp --port 1194 --remote ... \
--ifconfig 192.168.222.2 192.168.222.1 \
--auth-user-pass --dev tun
Options error: --auth-user-pass requires --pull
Use --help for more information.
Next attempt:
Code:
# openvpn --proto udp --port 1194 --remote ... \
--ifconfig 192.168.222.2 192.168.222.1 \
--auth-user-pass --dev tun --pull
Options error: Parameter --pull can only be specified in TLS-mode, i.e. where --tls-server or --tls-client is also specified.
Use --help for more information.
but 'tls-server' is incompatible with 'secret' so you're stuck.
The best you can achieve is:
- use a regular 'server' setup
- generate a CA cert and server cert
- don't use a client certificate and specify 'client-cert-not-required' on the server side.
HTH,
JJK
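Added example, not part of the original thread and not OpenVPN's own option parser: a small Python check that models the client-side dependency chain from the two error messages above and runs it over the client config from the first post. The second config, its `ca` path and the `remote-cert-tls server` line are constructed here, assuming the server uses the CA-based setup suggested above.

```python
def parse_options(config_text):
    """Return the directive names used, ignoring comments and a leading '--'."""
    names = set()
    for line in config_text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        name = line.split()[0]
        names.add(name[2:] if name.startswith("--") else name)
    if "client" in names:  # 'client' is shorthand for 'pull' + 'tls-client'
        names |= {"pull", "tls-client"}
    return names

def check_client_config(config_text):
    """Return the list of conflicts; an empty list means the options fit together."""
    opts = parse_options(config_text)
    tls_mode = bool(opts & {"tls-client", "tls-server"})
    problems = []
    if "auth-user-pass" in opts and "pull" not in opts:
        problems.append("auth-user-pass requires pull")
    if "pull" in opts and not tls_mode:
        problems.append("pull requires TLS mode")
    if "secret" in opts and tls_mode:
        problems.append("secret cannot be combined with TLS mode")
    return problems

# Client config from the first post in this thread.
STATIC_KEY_CLIENT = """
remote host.mydomain.com
ifconfig 192.168.0.2 192.168.0.1
secret "/openvpn/static.key"
dev tun
proto udp
float
--auth-user-pass "/openvpn/password.txt"
"""

# Constructed sample for the CA-based setup; the ca path is a placeholder.
TLS_PASSWORD_CLIENT = """
client
remote host.mydomain.com
dev tun
ca "/openvpn/ca.crt"
remote-cert-tls server
auth-user-pass "/openvpn/password.txt"
"""

if __name__ == "__main__":
    print(check_client_config(STATIC_KEY_CLIENT), check_client_config(TLS_PASSWORD_CLIENT))
```

Appending `pull`, then `tls-client`, to the static-key config reproduces each later step of the chain in turn, ending at the conflict with `secret`.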