Hi

On Mon, Jul 5, 2021 at 11:58 AM David Mehler <dave.meh...@gmail.com> wrote:
> Hello,
>
> Thank you for your reply. I do not have a plugin-auth-pam, I've run a find for it. Where would this be at? This would be perfect, especially if I'm understanding your response right: each client certificate would then be bound to a specific username and password which would have to be validated serverside.

The plugin location may depend on the distribution. In Ubuntu and Debian it may be in /usr/lib/x86_64-linux-gnu/openvpn/plugins/openvpn-plugin-auth-pam.so

Note that you need a fairly recent version of OpenVPN (iirc 2.4.10 or later) for the plugin to take apart the password and PIN and present it to PAM.

You will need:

In client config:

    auth-user-pass
    static-challenge "Challenge text (eg., Enter the auth code)" 1

In server config:

    plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so "openvpn login:USERNAME Password: PASSWORD Verification OTP"

This assumes your PAM module prompts for login:, Password: and, say, Verification code: (see README.auth-pam distributed with OpenVPN for how to format the above line to match your PAM setup).

There is a lot of discussion of this in the users-list. Search the list archive. One of the latest threads is https://sourceforge.net/p/openvpn/mailman/message/37266238/

For older versions of the PAM plugin which do not understand OTP, one option is to ask the user to input the password and OTP as a single string and then take it apart in your PAM module. In that case remove static-challenge from the user config. But this is no longer required, nor recommended -- use 2.4.10+ or 2.5.x on the server.

Selva
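The three pieces the reply describes, written out together as an added example (this is not configuration from the original mail or from the OpenVPN project): the client-side static challenge, the server-side auth-pam plugin line, and a PAM service file the plugin line is matched against. The hostname vpn.example.com, the PAM service name "openvpn", and the use of pam_unix plus a TOTP module whose prompt begins with "Verification" are assumptions; the plugin path is the Debian/Ubuntu one named in the reply and differs on other distributions.

```conf
# ---- client.conf (added example; ca/cert/key and the rest of a normal client config omitted) ----
client
dev tun
proto udp
# placeholder host
remote vpn.example.com 1194
# Prompt for username and password, then a second prompt for the OTP.
# The trailing 1 echoes the typed OTP; use 0 to hide it.
auth-user-pass
static-challenge "Enter the auth code" 1

# ---- server.conf (added example) ----
# Needs OpenVPN 2.4.10+ or 2.5.x so the plugin can split password and OTP.
# First word inside the quotes is the PAM service name (/etc/pam.d/openvpn);
# the rest are query/response pairs: each query is matched against the text
# of a PAM prompt and answered with USERNAME, PASSWORD or OTP respectively.
# The path below is the Debian/Ubuntu location named in the reply.
plugin /usr/lib/x86_64-linux-gnu/openvpn/plugins/openvpn-plugin-auth-pam.so "openvpn login: USERNAME Password: PASSWORD Verification OTP"

# ---- /etc/pam.d/openvpn (added example; assumed PAM stack) ----
# pam_unix prompts "Password: " and is answered with PASSWORD.
# A TOTP module whose prompt starts with "Verification" (assumed here:
# pam_google_authenticator.so) is answered with the OTP from the static challenge.
# Both lines are "required", so a bad password and a bad OTP both fail the login.
auth required pam_unix.so
auth required pam_google_authenticator.so
```

With this layout the OTP never has to be appended to the password by the user; the plugin separates the two fields and hands each to the PAM prompt whose text matches the query word, which is why the query strings in the plugin line must match the actual prompts your PAM modules print.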
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users