This does kind of depend on how one defines "2FA".  If you define the
"two factors" as a certificate and a password, then just
auth-user-pass and set up the PAM plugin.

If you want MFA, where the factors are a certificate, password, *and*
OTP, then you'll need to do what you're talking about with respect to
OTP authentication.

Just me being pedantic.  :)

-Joe

On Mon, Jul 5, 2021 at 12:34 PM Selva Nair <selva.n...@gmail.com> wrote:
>
> Hi
>
> On Mon, Jul 5, 2021 at 11:58 AM David Mehler <dave.meh...@gmail.com> wrote:
>>
>> Hello,
>>
>> Thank you for your reply. I do not have a plugin-auth-pam; I've run a
>> find for it. Where would this be at? This would be perfect, especially
>> if I'm understanding your response right each client certificate would
>> then be bound to a specific username and password which would have to
>> be validated serverside.
>
>
> The plugin location may depend on the distribution. In Ubuntu and Debian it 
> may be in
>  /usr/lib/x86_64-linux-gnu/openvpn/plugins/openvpn-plugin-auth-pam.so
>
> Note that you need a fairly recent version of OpenVPN (iirc 2.4.10 or later) 
> for the plugin to take apart the password and PIN and present it to PAM. You 
> will need:
>
> In client config:
> auth-user-pass
> static-challenge "Challenge text (eg., Enter the auth code)" 1
>
> In server config
> plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so "openvpn login: USERNAME Password: PASSWORD Verification OTP"
>
> This assumes your PAM module prompts for login:, Password: and, say, 
> Verification code:
> (See README.auth-pam distributed with OpenVPN for how to format the
> above line to match your pam setup).
>
> There is a lot of discussion of this in the users-list. Search the list 
> archive. One of the latest threads is
> https://sourceforge.net/p/openvpn/mailman/message/37266238/
>
> For older versions of the PAM plugin which do not understand OTP, one option is 
> to ask the user to input the password and OTP as a single string and then 
> take it apart in your PAM module. In that case remove static-challenge from 
> the user config. But this is no longer required, nor recommended -- use 2.4.10+ 
> or 2.5.x on the server.
>
> Selva
> _______________________________________________
> Openvpn-users mailing list
> Openvpn-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/openvpn-users
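Added example (not code from this thread, nor OpenVPN's own) illustrating what "taking apart the password and PIN" means on the server side. With static-challenge, an OpenVPN client sends the credential as `SCRV1:<base64 password>:<base64 response>` (the format documented in OpenVPN's management-notes); the first function decodes that and fails closed on anything malformed, while the second implements the legacy workaround Selva mentions, where password and OTP arrive as one concatenated string. Function names, the trailing-OTP convention and the 6-digit length are this example's assumptions, not the plugin's API.

```python
import base64

# Constructed example, not OpenVPN's code. Emulates how a server-side
# component (e.g. a custom PAM module) can split the credential sent by a
# client that uses --static-challenge. The client replaces the plain
# password with:  SCRV1:<base64 password>:<base64 response>
# Function names below are this example's own assumptions.

SCRV1_PREFIX = "SCRV1:"


def encode_static_challenge(password: str, otp: str) -> str:
    """Build the SCRV1 field the way a static-challenge client does."""
    b64 = lambda s: base64.b64encode(s.encode("utf-8")).decode("ascii")
    return f"{SCRV1_PREFIX}{b64(password)}:{b64(otp)}"


def split_static_challenge(password_field: str):
    """Return (password, otp) from an SCRV1 credential.

    Raises ValueError on anything malformed so the caller fails closed
    instead of treating the raw field as the user's password.
    """
    if not password_field.startswith(SCRV1_PREFIX):
        raise ValueError("not an SCRV1 credential")
    parts = password_field[len(SCRV1_PREFIX):].split(":")
    if len(parts) != 2:
        raise ValueError("malformed SCRV1 credential")
    try:
        password = base64.b64decode(parts[0], validate=True).decode("utf-8")
        otp = base64.b64decode(parts[1], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError) as exc:
        raise ValueError("undecodable SCRV1 credential") from exc
    if not otp:
        raise ValueError("empty OTP response")
    return password, otp


def split_concatenated(password_field: str, otp_len: int = 6):
    """Legacy scheme from the thread: password immediately followed by the OTP.

    Assumes (this example's convention) a numeric OTP of fixed length at the
    end of the string; the password itself may contain digits, so the OTP
    must come last and have a fixed width to be separable.
    """
    if len(password_field) <= otp_len:
        raise ValueError("field too short to contain password and OTP")
    otp = password_field[-otp_len:]
    if not otp.isdigit():
        raise ValueError("trailing OTP is not numeric")
    return password_field[:-otp_len], otp


if __name__ == "__main__":
    # Constructed sample credentials.
    field = encode_static_challenge("correct horse", "123456")
    print(field)                          # SCRV1:...:...
    print(split_static_challenge(field))  # ('correct horse', '123456')
    print(split_concatenated("correct horse123456"))
```

The SCRV1 path is what the 2.4.10+ auth-pam plugin handles for you when the server line maps a prompt to OTP; the concatenated path only exists for the older setups described above, and its weakness is visible in the code: nothing distinguishes a password that happens to end in six digits from a password plus OTP.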
