Hi,

On Tue, Apr 21, 2020 at 12:44 PM Vertigo Altair <[email protected]> wrote:

> Hi OpenVPN People,
>
> I have an OpenVPN server, in this server, I'm authenticating users with my
> external program (via --auth-user-pass-verify option). There is no problem
> in this situation.
> I want to add Two Factor Auth. with google-authenticator.
> I guess the process be like;
> A client enters these creds;
> username
> password + [OTP]
> Firstly, my external program checks if username password combination is
> true and after google-authenticator checks if one-time-password is true.
> How can I achieve this? I tried some cases with Google-Authenticator but I
> could only authenticate with adding user to system.

I prefer to prompt for password and OTP separately using static-challenge
instead of using some custom way of combining the two. This is how that
would work.

In client configs add

    --auth-user-pass
    --static-challenge "Enter the authentication code (OTP) : " 1

Change the static challenge prompt to suit your needs. Then the client will
prompt the user for username, password and OTP in that order. If using a GUI
like the OpenVPN-Windows-GUI this will happen through a dialog, else on the
command line.

On server, have a pam config file, say, /etc/pam/ovpn with appropriate
stacked auth entries -- as you would do for using google-authenticator for
local logins.

Assuming your pam set up will prompt for login:, password: and pin:, on the
server config file you will need

    plugin </path/to/openvpn-auth-pam-plugin.so> "ovpn login: USERNAME password: PASSWORD pin: OTP"

That instructs the plugin to answer the prompts "login:", "password:" and
"pin:" by the username, password and static challenge response provided by
the client. Replace the prompt text by the actual prompts that the pam setup
will issue.

Selva
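If the external --auth-user-pass-verify program is kept instead of the PAM plugin, it has to split the two values itself: with --static-challenge the client sends the password field as SCRV1:<base64 password>:<base64 response>. The following is an added example, not part of the original thread, of that parsing plus an RFC 6238 TOTP check with the google-authenticator defaults; the function names and the sample secret and password are constructed for illustration.

```python
import base64
import binascii
import hashlib
import hmac
import struct
import time

STEP = 30  # seconds per TOTP step (google-authenticator default)


def parse_scrv1(field):
    """Split the password field into (password, otp); ValueError if malformed."""
    if not field.startswith("SCRV1:"):
        return field, None  # client did not use --static-challenge
    parts = field.split(":")
    if len(parts) != 3:
        raise ValueError("malformed SCRV1 field")
    try:
        password, otp = (base64.b64decode(p, validate=True).decode("utf-8") for p in parts[1:])
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError("malformed SCRV1 field") from exc
    return password, otp


def totp(secret_b32, when, digits=6):
    """RFC 6238 TOTP over HMAC-SHA1 for the step containing `when`."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = max(0, int(when) // STEP)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_otp(secret_b32, otp, when=None, window=1):
    """Accept the code for the current step or `window` steps either side."""
    if otp is None or not otp.isdigit():
        return False
    when = time.time() if when is None else when
    ok = False
    for drift in range(-window, window + 1):
        # compare_digest avoids leaking how many leading digits matched
        ok |= hmac.compare_digest(totp(secret_b32, when + drift * STEP).encode(), otp.encode())
    return ok


# Constructed sample: RFC 6238 test secret, password "hunter2", code valid at t=59.
SAMPLE_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
SAMPLE_FIELD = "SCRV1:" + base64.b64encode(b"hunter2").decode() + ":" + base64.b64encode(b"287082").decode()
```

A deployed verifier would also record the last accepted step per user, so that a code captured in transit cannot be replayed within the acceptance window.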
