Hello everyone,

I'm having an issue with OTP when logging into a vpn server that is a client of 
FreeIPA.  I can login with no issues when OTP is disabled.

FreeIPA Setup:
CentOS 7.5
FreeIPA 4.5.4

HBAC Service: openvpn
HBAC Rule:
[root@ipa ~]# ipa hbacrule-show openvpn_access
Rule name: openvpn_access
Description: VPN users HBAC rule for accessing <vpnhost> via openvpn service.
 Enabled: TRUE
 Users: <users>
 Hosts: vpnhost.localdomain.local
 Services: openvpn

User account:
[root@ipa ~]# ipa user-show <omitted>
  User login: <omitted>
  First name: <omitted>
  Last name: <omitted>
  Home directory: /home/<omitted>
  Login shell: /bin/bash
  Principal name: <omitted>
  Principal alias: <omitted>
  Email address: <omitted>
  UID: 1909600003
  GID: 1909600003
  User authentication types: otp
  Certificate: <omitted>
  Account disabled: False
  Password: True
  Member of groups: vpn_users
  Member of HBAC rule: openvpn_access
  Indirect Member of HBAC rule: user_ipa_access
  Kerberos keys available: True

OpenVPN server:
/etc/pam.d/openvpn
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        required      pam_faildelay.so delay=2000000
auth        [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth        [default=1 ignore=ignore success=ok] pam_localuser.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_sss.so forward_pass
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
session     optional      pam_oddjob_mkhomedir.so umask=0077
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so

server.conf
plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn


Any help would be greatly appreciated.  Any other information that you may 
need, please feel free to ask.  I've read multiple threads; some have gotten it 
to work without posting answers, some have not and have stated openvpn does not 
support multiple prompts.

Eric
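As an added illustration (not code from this thread or from FreeIPA), the following Python walks the posted auth stack using the control semantics of pam.conf(5), with constructed module outcomes for a user that exists only in IPA. It shows that pam_unix is jumped over and that the single password string the openvpn-auth-pam plugin hands in ends up at pam_sss.so forward_pass, the only module on this stack that can grant the login; the outcomes dictionaries are assumptions, not observed results.

```python
import re

# Constructed copy of the auth section of the posted /etc/pam.d/openvpn.
PAM_AUTH = """auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth [default=1 ignore=ignore success=ok] pam_localuser.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so forward_pass
auth required pam_deny.so
"""
KEYWORDS = {  # keyword controls in their [...] form, as documented in pam.conf(5)
    "required": "success=ok ignore=ignore default=bad", "optional": "success=ok default=ignore",
    "requisite": "success=ok ignore=ignore default=die", "sufficient": "success=done default=ignore"}
LINE_RE = re.compile(r"^\s*-?(\w+)\s+(\[[^\]]*\]|\w+)\s+(\S+)\s*(.*)$")

def parse_stack(text, mtype="auth"):
    """Return [(actions, 'module args')] for the lines of one management group."""
    stack = []
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        if m.group(1) == mtype:
            ctrl = KEYWORDS.get(m.group(2), m.group(2).strip("[]"))
            actions = dict(kv.split("=", 1) for kv in ctrl.split())
            stack.append((actions, f"{m.group(3)} {m.group(4)}".strip()))
    return stack

def walk(stack, outcomes):
    """Simulate Linux-PAM dispatch. `outcomes` maps 'module args' to a constructed
    return (success/failure/ignore; unlisted = success). Returns (result, consulted, last)."""
    verdict, consulted, skip, key = None, [], 0, None
    for actions, key in stack:
        if skip:                                   # jumped over by an earlier N action
            skip -= 1
            continue
        consulted.append(key)
        action = actions.get(outcomes.get(key, "success"), actions.get("default", "bad"))
        if action.isdigit():                       # N: acts as 'ok', then skips N modules
            skip, action = int(action), "ok"
        if action in ("ok", "done") and verdict is None:
            verdict = True                         # counts only if nothing failed earlier
        elif action in ("bad", "die"):
            verdict = False
        if action in ("done", "die"):              # the stack terminates here
            break
    return ("success" if verdict else "failure", consulted, key)
# Constructed outcomes for an IPA-only user: not in /etc/passwd, so pam_localuser
# and pam_unix fail; pam_deny always fails; only pam_sss can pass.
BASE = dict.fromkeys(["pam_localuser.so", "pam_unix.so nullok try_first_pass", "pam_deny.so"], "failure")
GOOD_OTP = dict(BASE, **{"pam_sss.so forward_pass": "success"})  # SSSD accepted the credential
BAD_OTP = dict(BASE, **{"pam_sss.so forward_pass": "failure"})   # e.g. wrong or missing token
```

`walk(parse_stack(PAM_AUTH), GOOD_OTP)` ends at pam_sss with pam_unix never consulted, and with BAD_OTP the walk falls through to pam_deny.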
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org