Marcus wrote:
> Hi Folks,
>
> since pam doesn't work for me on ubuntu, as already stated on the
> user-list, I decided to take a different approach towards
> authentication. There is a python module called pyrad
> (http://www.wiggy.net/code/pyrad/), which is able to authenticate a user
> with a username and a password against a radius-server.
>
> The goal is to put a line like
> plugin /path/to/my-auth-script.py
> in openvpn-server.conf and take the user + pass which the client
> provides via the "auth-user-pass" directive in its client.conf.
>
> I already read the README file in the plugin folder of the OpenVPN
> source distribution, and also browsed through the plugin.h file, but I'm
> not that good at reading header files.
>
> An authentication script could look something like this:
>
> #!/usr/bin/python
>
> import sys
> import socket
> import pyrad.packet
> from pyrad.client import Client
> from pyrad.dictionary import Dictionary
>
> args = sys.argv[1:]  # drop first entry (progpath)
> if len(args) != 2:
>     raise SystemExit("expected two parameters (username and password)")
>
> # RADIUS server, shared secret and attribute dictionary (placeholders)
> srv = Client(server="server_ip",
>              secret="some_s3cret",
>              dict=Dictionary("dictionary"))
>
> req = srv.CreateAuthPacket(code=pyrad.packet.AccessRequest,
>                            User_Name=args[0])
>
> # pyrad hides the password as RFC 2865 requires for User-Password
> req["User-Password"] = req.PwCrypt(args[1])
>
> req["NAS-IP-Address"] = "The_Nas_IP"
> req["NAS-Port"] = 0
> req["Service-Type"] = "Login-User"
> req["NAS-Identifier"] = "openvpn"
>
> try:
>     # print "Sending authentication request"
>     reply = srv.SendPacket(req)
> except pyrad.client.Timeout:
>     print "RADIUS server does not reply"
>     sys.exit(1)
> except socket.error, error:
>     print "Network error: " + error[1]
>     sys.exit(1)
>
> # exit status tells the caller whether the user was accepted
> if reply.code == pyrad.packet.AccessAccept:
>     sys.exit(0)
> else:
>     sys.exit(1)
>
> Can anyone tell me (pretty please with sugar on top) how to put this
> together?
> What I don't know yet is:
> 1. What is the script supposed to return? 0 for authenticated and 1 for
> not authenticated?
> 2. How are arguments (username/password) passed to the plugin?
> 3. How can I use a python script instead of a *.so file or a perl script?
>
> I hope it's not a big deal to get this setup running.
>
> I recognized that easy authentication via a MS-IAS RADIUS server IS an
> issue in the openvpn community. This solution would be very simple to
> set up and I'd document it in the official wiki to share with the world,
> in return.
>
> Best regards, Marcus
>
> My client.conf looks like this:
>
> client
> dev tun
> proto udp
> remote SOME_IP 1194
> route-method exe
> route-delay 2
> resolv-retry infinite
> nobind
> persist-key
> persist-tun
>
> auth-user-pass
> ca keys/ca.crt
>
> comp-lzo
> verb 3

Marcus,
An openvpn auth plugin intercepts the OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY callback, which is internal to openvpn. So your plugin must be a shared library (.so) that "fits" with openvpn. This plugin uses the openvpn_plugin.h C header and, as far as I'm aware, can be written only in C and C++. I do not know of any openvpn plugin written in another language. I had written one myself to do authentication directly from /etc/shadow files, as an alternative to authenticating with PAM. See http://auth-passwd.sf.net.

If you want to use a .py script, it's much simpler to use auth-user-pass-verify, which receives a script as argument. This script is given a path to a temporary file that contains the username and the password provided by the client, one per line. This is more insecure than using a plugin, but for your case it might suit.

My regards,
-- 
Giancarlo Razzolini
Linux User 172199
Red Hat Certified Engineer no:804006389722501
Moleque Sem Conteudo Numero #002
Slackware Current
OpenBSD Stable
Ubuntu 6.10 Edgy Eft
Snike Tecnologia em Informática
4386 2A6F FFD4 4D5F 5842 6EA0 7ABE BBAB 9C0E 6B85
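An added example, not code from the thread, from pyrad or from OpenVPN, of the auth-user-pass-verify script Giancarlo describes: it reads the temporary via-file OpenVPN writes (username on line 1, password on line 2), sends a hand-built RFC 2865 Access-Request with the password hidden the way Marcus's pyrad call does, and exits 0 for accept, 1 for reject. It goes one step beyond the thread by checking the reply's Identifier and Response Authenticator, so a forged UDP reply cannot pass as an accept; the server 192.0.2.10:1812 and the secret are placeholders.

```python
#!/usr/bin/env python3
# Added example, not from the thread; RADIUS server address and secret in main are placeholders.
import hashlib, hmac, secrets, socket, struct, sys
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2

def parse_credentials(data):
    """OpenVPN's via-file: username on line 1, password on line 2."""
    lines = data.split(b"\n")
    if len(lines) < 2 or not lines[0]:
        raise ValueError("malformed credential file")
    return lines[0].rstrip(b"\r").decode(), lines[1].rstrip(b"\r").decode()
def attr(kind, value):  # RADIUS attribute: Type, Length, Value (RFC 2865 s5)
    return struct.pack("!BB", kind, len(value) + 2) + value

def hide_password(password, secret, req_auth):
    """RFC 2865 s5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    pw = password.encode()
    pw = pw.ljust(max(1, (len(pw) + 15) // 16) * 16, b"\x00")
    out, prev = b"", req_auth
    for i in range(0, len(pw), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(pw[i:i + 16], key))
        out += prev
    return out

def build_access_request(ident, username, password, secret, req_auth):
    attrs = attr(1, username.encode()) + attr(2, hide_password(password, secret, req_auth))
    attrs += attr(32, b"openvpn")  # NAS-Identifier
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs
def response_authenticator(header, req_auth, attrs, secret):  # RFC 2865 s3
    return hashlib.md5(header + req_auth + attrs + secret).digest()
def verify_reply(data, ident, req_auth, secret):
    """Reply code only if Identifier and Response Authenticator (needs the secret) match."""
    code, rid, length = struct.unpack("!BBH", data[:4])
    if rid != ident or not 20 <= length <= len(data):
        return None
    expected = response_authenticator(data[:4], req_auth, data[20:length], secret)
    return code if hmac.compare_digest(expected, data[4:20]) else None

def radius_authenticate(username, password, server, secret):
    ident, req_auth = secrets.randbelow(256), secrets.token_bytes(16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(3.0)
        s.sendto(build_access_request(ident, username, password, secret, req_auth), server)
        data, _ = s.recvfrom(4096)
    return verify_reply(data, ident, req_auth, secret) == ACCESS_ACCEPT

if __name__ == "__main__":  # exit 0 = accept the client, anything else = reject
    user, pw = parse_credentials(open(sys.argv[1], "rb").read())
    sys.exit(0 if radius_authenticate(user, pw, ("192.0.2.10", 1812), b"change-me") else 1)
```

Wire it up with `auth-user-pass-verify /path/to/this-script.py via-file` and `script-security 2` in the server config; a timeout or malformed file raises and therefore rejects.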