[Freeipa-users] OTP integrations
Alexander Bokovoy
abokovoy at redhat.com
Wed Apr 1 09:35:35 UTC 2015
On Tue, 31 Mar 2015, Dmitri Pal wrote:
>On 03/31/2015 05:30 PM, Andrew Holway wrote:
>>Hello FreeIPA people,
>>
>>I must say that FreeIPA v4 looks very pretty and I am looking
>>forward to trying out the new features.
>>
>>I'm wondering what application and tools can be used to authenticate
>>with the OTP in freeipa. For instance, if we wanted to set up a VPN
>>that uses it how might we go about that? Is there a common library
>>that I should look out for?
>
>With VPN you usually do the following:
>a) Pick a VPN of your choice based on features and needs you have
>b) Make sure the VPN server supports different authentication methods.
>You need at least RADIUS, which is the most popular option, and I would
>be surprised to find a VPN server that does not talk RADIUS to actually
>do the authentication.
>c) Set up a freeRADIUS server on a Fedora 21/RHEL 7.1/CentOS 7.1 (when it
>happens) box, configure it to do kinit authentication or PAM
>authentication via SSSD against IPA; see the freeRADIUS manuals for more
>details
>d) Connect VPN server to the RADIUS server
>e) Provision tokens (or hook IPA to existing OTP solution using
>another RADIUS server)
>f) Profit
>
>If you have an application that can use RADIUS in such setup you can
>use FreeIPA 2FA.
>Also see http://www.freeipa.org/page/Web_App_Authentication for how to
>enable any web application to take advantage of the IPA authentication,
>including 2FA.
It is simple to configure OpenVPN with authentication against FreeIPA in
Fedora 21; all the heavy lifting is done by SSSD:
# grep plugin /etc/openvpn/server.conf
plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so "openvpn login USERNAME password PASSWORD"
# LANG=C ls -l /etc/pam.d/openvpn
lrwxrwxrwx. 1 root root 11 Apr 1 10:55 /etc/pam.d/openvpn -> system-auth

# LANG=C ipa user-show vpnuser
User login: vpnuser
First name: VPN
Last name: TestUser
Home directory: /home/vpnuser
Login shell: /bin/sh
Email address: vpnuser at example.com
UID: 1792600005
GID: 1792600005
Account disabled: False
User authentication types: otp
Password: True
Member of groups: ipausers
Kerberos keys available: True

Apr 01 11:24:50 ipa.example.com openvpn[29723]: AUTH-PAM: BACKGROUND: received command code: 0
Apr 01 11:24:50 ipa.example.com openvpn[29723]: AUTH-PAM: BACKGROUND: USER: vpnuser
Apr 01 11:24:50 ipa.example.com openvpn[29723]: AUTH-PAM: BACKGROUND: my_conv[0] query='login:' style=2
Apr 01 11:24:50 ipa.example.com openvpn[29723]: AUTH-PAM: BACKGROUND: name match found, query/match-string ['login:', 'login'] = 'USERNAME'
Apr 01 11:24:50 ipa.example.com openvpn[29723]: AUTH-PAM: BACKGROUND: my_conv[0] query='Password: ' style=1
Apr 01 11:24:50 ipa.example.com openvpn[29723]: AUTH-PAM: BACKGROUND: name match found, query/match-string ['Password: ', 'password'] = 'PASSWORD'
Apr 01 11:24:50 ipa.example.com openvpn[29724]: pam_unix(openvpn:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=vpnuser
Apr 01 11:24:53 ipa.example.com openvpn[29724]: pam_sss(openvpn:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost= user=vpnuser
Apr 01 11:24:55 ipa.example.com openvpn[29732]: MY-IP_ADDRESS:50232 PLUGIN_CALL: POST /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=0
Apr 01 11:24:55 ipa.example.com openvpn[29732]: MY-IP-ADDRESS:50232 TLS: Username/Password authentication succeeded for username 'vpnuser'
--
/ Alexander Bokovoy
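As an added example (not part of Alexander's message or of the FreeIPA or OpenVPN projects), the POSIX shell script below checks the two configuration points shown in the message, the auth-pam plugin line in server.conf and the PAM service file for OpenVPN, and summarises the per-connection PAM outcome from journal lines in the format quoted above. The sample lines are constructed from the thread's format: "vpnuser" and PID 29724 come from the message, while the user "bob", PID 29740 and the hostnames are assumptions introduced to show a failed attempt. The `2>/dev/null`, default paths and function names are the example's own choices.

```sh
#!/bin/sh
# Added example, not part of the thread: sanity-check the OpenVPN/PAM settings
# shown in the message and summarise authentication outcomes from journal
# lines of the form quoted there. Paths default to those used in the thread.

# Constructed sample journal lines in the format quoted in the thread.
# "vpnuser" (PID 29724) is from the message; "bob" (PID 29740) is made up
# to show a failed attempt. PIDs and hostnames are assumptions.
sample_log() {
  cat <<'EOF'
Apr 01 11:24:50 ipa.example.com openvpn[29724]: pam_unix(openvpn:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=vpnuser
Apr 01 11:24:53 ipa.example.com openvpn[29724]: pam_sss(openvpn:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost= user=vpnuser
Apr 01 11:24:55 ipa.example.com openvpn[29732]: MY-IP-ADDRESS:50232 TLS: Username/Password authentication succeeded for username 'vpnuser'
Apr 01 11:30:02 ipa.example.com openvpn[29740]: pam_unix(openvpn:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=bob
Apr 01 11:30:05 ipa.example.com openvpn[29740]: pam_sss(openvpn:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=bob
EOF
}

# check_pam_plugin CONF: prints "ok" when CONF loads openvpn-plugin-auth-pam.so
# with the login/password prompt mapping from the thread, otherwise "missing".
check_pam_plugin() {
  if grep -Eq '^plugin[[:space:]]+[^[:space:]]*openvpn-plugin-auth-pam\.so[[:space:]]+"openvpn login USERNAME password PASSWORD"' "$1" 2>/dev/null; then
    echo ok
  else
    echo missing
  fi
}

# check_pam_service FILE: prints "ok" when the PAM service file for OpenVPN
# (default /etc/pam.d/openvpn) is readable and references pam_sss, either
# directly or through the system-auth stack it is symlinked to (grep follows
# the symlink); otherwise "no-sss". Included files are not followed.
check_pam_service() {
  svc="${1:-/etc/pam.d/openvpn}"
  if [ -r "$svc" ] && grep -q 'pam_sss' "$svc" 2>/dev/null; then
    echo ok
  else
    echo no-sss
  fi
}

# auth_outcomes: reads journal lines on stdin and prints "user outcome" per
# OpenVPN worker PID, sorted. A pam_unix failure followed by a pam_sss success
# under the same PID is the normal path for an IPA user (no local shadow
# entry), so the outcome is decided by pam_sss alone.
auth_outcomes() {
  awk '
    /pam_(unix|sss)\(openvpn:auth\): authentication (success|failure)/ {
      match($0, /openvpn\[[0-9]+\]/)
      pid = substr($0, RSTART + 8, RLENGTH - 9)
      for (i = 1; i <= NF; i++) if ($i ~ /^user=/) user[pid] = substr($i, 6)
      if ($0 ~ /pam_sss\(openvpn:auth\): authentication success/) ok[pid] = 1
    }
    END { for (p in user) print user[p], ((p in ok) ? "success" : "failure") }
  ' | sort
}

# Summary of the constructed sample: prints "bob failure" then "vpnuser success".
sample_log | auth_outcomes
```

On a live host, feed `journalctl -u openvpn@server` (or whatever unit name is in use) into `auth_outcomes` instead of `sample_log`; the `pam_unix ... authentication failure` line that precedes every `pam_sss ... authentication success` is expected noise from the system-auth stack, not a sign of a brute-force attempt, which is why the summary keys on pam_sss.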