On Fri, Apr 24, 2020 at 7:10 AM David Sommerseth <
open...@sf.lists.topphemmelig.net> wrote:

> On 21/04/2020 20:34, Selva Nair wrote:
> > Hi,
> >
> > On Tue, Apr 21, 2020 at 12:44 PM Vertigo Altair <vertigo.alt...@gmail.com
> > <mailto:vertigo.alt...@gmail.com>> wrote:
> >
> >     Hi OpenVPN People,
> >     I have an OpenVPN server, in this server, I'm authenticating users
> >     with my external program (via --auth-user-pass-verify option). There
> >     is no problem in this situation.
> >     I want to add Two Factor Auth. with google-authenticator.
> >     I guess the process be like;
> >     A client enters these creds;
> >     username
> >     password + [OTP]
> >     Firstly, my external program checks if username password combination
> >     is true and after google-authenticator checks if one-time-password is
> >     true.
> >     How can I achieve this? I tried some cases with Google-Authenticator
> >     but I could only authenticate with adding user to system.
> >
> >
> > I prefer to prompt for password and OTP separately using static-challenge
> > instead of using some custom way of combining the two. This is how that
> > would work.
> >
> > In client configs add
> > --auth-user-pass
> > --static-challenge "Enter the authentication code (OTP) :  " 1
> >
> > Change the static challenge prompt to suit your needs. Then the client
> > will prompt the user for username, password and OTP in that order. If
> > using a GUI like the OpenVPN-Windows-GUI this will happen through a
> > dialog, else on the command line.
> >
> > On server, have a pam config file, say, /etc/pam/ovpn with appropriate
> > stacked auth entries -- as you would do for using google-authenticator
> > for local logins. Assuming your pam set up will prompt for login:,
> > password: and pin:, on the server config file you will need
> >
> > plugin </path/to/openvpn-auth-pam-plugin.so> "ovpn login: USERNAME
> > password: PASSWORD pin: OTP"
> >
>
> For PAM, that will be more tricky than you would expect.
>
> FreeIPA supports enabling OTP on only some accounts (or the reverse,
> disabling it on specific accounts).  But it does the split between
> password ("First Factor:") and the OTP ("Second Factor:") where the
> second factor can even be set to be optional.  An example:
>
>    $ su - user
>    Passord:
>
>    $ su - otpuser
>    First Factor:
>    Second Factor:
>
>    $ su - otpoptional
>    First Factor:
>    Second Factor (optional):
>
> So in this case, it would be needed to use the dynamic challenge-response
> protocol, where it gets a bit more complicated for the auth-pam module.
> Should we do it?  We probably should.
>
> IIRC, the PAM module as it is today should support getting the OTP token
> as an extension to the password.  If it is optional, it would pass on
> just a correct password or a correct password with a correct OTP added
> at the end - as you would expect.
>

Not sure what you mean by that.  The PAM plugin in 2.5 perfectly supports
the static challenge protocol, and password and OTP are passed on to the
pam conversation separately, not as OTP added to the password. Stacked pam
modules with one asking for username and password, followed by another
asking for OTP, work with no further modifications.

Pretty easy to set up for anyone familiar with PAM.

But yes, we should extend the plugin to support dynamic challenge. We have
to get the pending patch for sending auth-failure "reason" from plugins
back to client first -- currently only management client-auth can do that.

Selva
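The thread turns on one point: with --static-challenge the client does not append the OTP to the password, it sends the two factors as separate fields, and the server side can therefore check each factor on its own. The script below is an added example, not code from this thread, from OpenVPN or from the auth-pam plugin. It shows the SCRV1 encoding that an OpenVPN client emits for a static challenge (`SCRV1:<base64 password>:<base64 response>`, as documented in OpenVPN's management notes), a parser that splits it back into password and OTP, and a two-step verifier of the kind the original poster wanted to run from --auth-user-pass-verify. The user table, the SHA-256 password store, the TOTP secret and the `verify()` entry point are constructed placeholders; it is assumed that the verifier receives the raw SCRV1 field unchanged. TOTP is implemented per RFC 6238 with the defaults google-authenticator uses (HMAC-SHA1, 30-second step, 6 digits).

```python
"""Server-side handling of an OpenVPN static-challenge response.

Added example (not from the thread, OpenVPN, or the auth-pam plugin).
The user records, secrets and verify() entry point are constructed.
"""
import base64
import hashlib
import hmac
import struct
import time

# Constructed demo user record: a hashed first factor and a base32 TOTP
# secret, the shape of data google-authenticator keeps per user.
USERS = {
    "alice": {
        "password_sha256": hashlib.sha256(b"correct horse").hexdigest(),
        "totp_secret": "JBSWY3DPEHPK3PXP",  # constructed, not a real secret
    }
}


def parse_scrv1(password_field):
    """Split an OpenVPN static-challenge response.

    With --static-challenge the client sends the password field as
    'SCRV1:<b64(password)>:<b64(response)>'. Returns (password, otp);
    otp is None when the field is a plain password (no challenge used).
    """
    if not password_field.startswith("SCRV1:"):
        return password_field, None
    parts = password_field.split(":")
    if len(parts) != 3:
        raise ValueError("malformed SCRV1 field")
    password = base64.b64decode(parts[1]).decode()
    otp = base64.b64decode(parts[2]).decode()
    return password, otp


def encode_scrv1(password, otp):
    """Build the field the way the client does (used here to make test input)."""
    return "SCRV1:%s:%s" % (
        base64.b64encode(password.encode()).decode(),
        base64.b64encode(otp.encode()).decode(),
    )


def totp(secret_b32, unix_time, step=30, digits=6):
    """RFC 6238 TOTP over HMAC-SHA1, the google-authenticator default."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", int(unix_time) // step)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (digits, code % (10 ** digits))


def check_password(username, password):
    """First factor: constant-time compare against the stored hash."""
    user = USERS.get(username)
    if user is None:
        return False
    candidate = hashlib.sha256(password.encode()).hexdigest()
    return hmac.compare_digest(candidate, user["password_sha256"])


def check_otp(username, otp, now=None, window=1):
    """Second factor: accept the current TOTP step plus `window` steps either side."""
    user = USERS.get(username)
    if user is None or otp is None:
        return False
    now = time.time() if now is None else now
    for k in range(-window, window + 1):
        if hmac.compare_digest(totp(user["totp_secret"], now + k * 30), otp):
            return True
    return False


def verify(username, password_field, now=None):
    """Two-factor check; each factor is evaluated on its own, like stacked PAM modules."""
    password, otp = parse_scrv1(password_field)
    if not check_password(username, password):
        return False
    return check_otp(username, otp, now)


if __name__ == "__main__":
    field = encode_scrv1("correct horse", totp(USERS["alice"]["totp_secret"], time.time()))
    print("client sends:", field)
    print("verify:", verify("alice", field))
```

Whichever backend does the checking (a script, the auth-pam plugin, or stacked PAM modules), the property worth preserving is the one in the code: a failed first factor returns without consulting the second, and a plain password with no OTP field is rejected for an account that requires one.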
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
