[Freeipa-users] OTP integrations

Andrew Holway andrew.holway at gmail.com
Wed Apr 1 12:51:26 UTC 2015


Please could someone explain to me what is happening internally?

In my head I have the following process....

The OpenVPN PAM module sends the username and password to PAM.
PAM passes this on to SSSD.
SSSD then does the Kerberos thing.
Kerberos passes the password to the LDAP.
Some LDAP module takes the password from the database, appends on the OTP
and actually does the auth...


On 1 April 2015 at 13:15, Andrew Holway <andrew.holway at gmail.com> wrote:

>
>>>  It is simple to configure OpenVPN with authentication against FreeIPA in
>> Fedora 21, all the heavy lifting is done by SSSD:
>>
>
> I have to say that this sssd / pam method is working very very well.
>
> I do however need to get my head around radius. Something for a rainy
> sunday I think :).
>
>>
>> # grep plugin /etc/openvpn/server.conf
>> plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so "openvpn login USERNAME password PASSWORD"
>>
>> # LANG=C ls -l /etc/pam.d/openvpn
>> lrwxrwxrwx. 1 root root 11 Apr  1 10:55 /etc/pam.d/openvpn -> system-auth
>>
>> # LANG=C ipa user-show vpnuser
>>  User login: vpnuser
>>  First name: VPN
>>  Last name: TestUser
>>  Home directory: /home/vpnuser
>>  Login shell: /bin/sh
>>  Email address: vpnuser at example.com
>>  UID: 1792600005
>>  GID: 1792600005
>>  Account disabled: False
>>  User authentication types: otp
>>  Password: True
>>  Member of groups: ipausers
>>  Kerberos keys available: True
>>
>> Apr 01 11:24:50 ipa.example.com openvpn[29723]: AUTH-PAM: BACKGROUND: received command code: 0
>> Apr 01 11:24:50 ipa.example.com openvpn[29723]: AUTH-PAM: BACKGROUND: USER: vpnuser
>> Apr 01 11:24:50 ipa.example.com openvpn[29723]: AUTH-PAM: BACKGROUND: my_conv[0] query='login:' style=2
>> Apr 01 11:24:50 ipa.example.com openvpn[29723]: AUTH-PAM: BACKGROUND: name match found, query/match-string ['login:', 'login'] = 'USERNAME'
>> Apr 01 11:24:50 ipa.example.com openvpn[29723]: AUTH-PAM: BACKGROUND: my_conv[0] query='Password: ' style=1
>> Apr 01 11:24:50 ipa.example.com openvpn[29723]: AUTH-PAM: BACKGROUND: name match found, query/match-string ['Password: ', 'password'] = 'PASSWORD'
>> Apr 01 11:24:50 ipa.example.com openvpn[29724]: pam_unix(openvpn:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=vpnuser
>> Apr 01 11:24:53 ipa.example.com openvpn[29724]: pam_sss(openvpn:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost= user=vpnuser
>> Apr 01 11:24:55 ipa.example.com openvpn[29732]: MY-IP_ADDRESS:50232 PLUGIN_CALL: POST /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=0
>> Apr 01 11:24:55 ipa.example.com openvpn[29732]: MY-IP-ADDRESS:50232 TLS: Username/Password authentication succeeded for username 'vpnuser'
>>
>>
>> --
>> / Alexander Bokovoy
>>
>>
>
>
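The journal excerpt quoted above shows the detail that trips up log review of this setup: the same PAM process (pid 29724) first logs a pam_unix failure and then a pam_sss success, because an IPA user has no entry in the local shadow file and system-auth simply moves on to the next "sufficient" module. The following script is an added example, not code from the thread or from the FreeIPA or OpenVPN projects. It groups openvpn auth-pam lines by PAM process and derives one verdict per attempt, so a pam_unix failure on its own is not reported as a failed login. The log lines embedded in it are constructed copies modelled on the quoted excerpt (the second, failing attempt and the status=1 plugin line are invented for illustration), and the assumption that the PAM stack is system-auth with pam_unix and pam_sss both "sufficient" is stated in the code.

```python
"""Derive one verdict per OpenVPN auth-pam attempt from journal lines."""
import re
from collections import OrderedDict
from typing import Dict, List, Tuple

# Constructed sample modelled on the journal excerpt in the thread; hostname,
# PIDs, peer address and the second (failing) attempt are illustrative only.
SAMPLE_LOG = """\
Apr 01 11:24:50 ipa.example.com openvpn[29724]: pam_unix(openvpn:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=vpnuser
Apr 01 11:24:53 ipa.example.com openvpn[29724]: pam_sss(openvpn:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost= user=vpnuser
Apr 01 11:24:55 ipa.example.com openvpn[29732]: MY-IP_ADDRESS:50232 PLUGIN_CALL: POST /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=0
Apr 01 11:30:02 ipa.example.com openvpn[29740]: pam_unix(openvpn:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=vpnuser
Apr 01 11:30:05 ipa.example.com openvpn[29740]: pam_sss(openvpn:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=vpnuser
Apr 01 11:30:05 ipa.example.com openvpn[29740]: pam_sss(openvpn:auth): received for user vpnuser: 7 (Authentication failure)
Apr 01 11:30:05 ipa.example.com openvpn[29732]: MY-IP_ADDRESS:50240 PLUGIN_CALL: POST /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
"""

# One PAM module result line. "\buser=" deliberately skips the "ruser=" field.
PAM_RE = re.compile(
    r"^(?P<ts>\w{3} \d\d \d\d:\d\d:\d\d) (?P<host>\S+) openvpn\[(?P<pid>\d+)\]: "
    r"(?P<module>pam_\w+)\(openvpn:auth\): authentication (?P<result>success|failure);"
    r".*\buser=(?P<user>\S*)"
)

# The plugin's own verdict, logged by the main openvpn process (status=0 is success).
PLUGIN_RE = re.compile(
    r"openvpn\[(?P<pid>\d+)\]: (?P<peer>\S+) PLUGIN_CALL: POST "
    r"\S+/PLUGIN_AUTH_USER_PASS_VERIFY status=(?P<status>\d+)"
)


def parse_attempts(log_text: str) -> List[Dict]:
    """Group pam_* result lines by the auth-pam helper PID (one PID = one attempt)."""
    attempts: "OrderedDict[str, Dict]" = OrderedDict()
    for line in log_text.splitlines():
        m = PAM_RE.search(line)
        if not m:
            continue  # AUTH-PAM chatter, "received for user" lines, TLS lines
        pid = m.group("pid")
        attempt = attempts.setdefault(
            pid, {"pid": pid, "user": m.group("user"), "ts": m.group("ts"), "modules": []}
        )
        attempt["modules"].append((m.group("module"), m.group("result")))

    for attempt in attempts.values():
        # Assumption: /etc/pam.d/openvpn -> system-auth, where pam_unix and
        # pam_sss are both "sufficient", so a single module success means the
        # stack succeeded even though an earlier module failed.
        attempt["verdict"] = (
            "success" if any(r == "success" for _, r in attempt["modules"]) else "failure"
        )
        # pam_unix cannot know IPA users; its failure is expected noise, not an attack.
        attempt["local_noise"] = any(
            mod == "pam_unix" and r == "failure" for mod, r in attempt["modules"]
        )
    return list(attempts.values())


def failed_attempts_by_user(attempts: List[Dict]) -> Dict[str, int]:
    """Count real failures (stack verdict), the number worth alerting on."""
    counts: Dict[str, int] = {}
    for attempt in attempts:
        if attempt["verdict"] == "failure":
            counts[attempt["user"]] = counts.get(attempt["user"], 0) + 1
    return counts


def plugin_results(log_text: str) -> List[Tuple[str, int]]:
    """(peer, status) for each PLUGIN_AUTH_USER_PASS_VERIFY call, in log order."""
    return [(m.group("peer"), int(m.group("status"))) for m in PLUGIN_RE.finditer(log_text)]


if __name__ == "__main__":
    for a in parse_attempts(SAMPLE_LOG):
        noise = " (pam_unix failure is expected for IPA users)" if a["local_noise"] else ""
        print(f"{a['ts']} pid={a['pid']} user={a['user']} verdict={a['verdict']}{noise}")
    print("real failures:", failed_attempts_by_user(parse_attempts(SAMPLE_LOG)))
    print("plugin calls:", plugin_results(SAMPLE_LOG))
```

Run it against `journalctl -u openvpn@server --no-pager` output instead of SAMPLE_LOG to get per-attempt verdicts; the plugin status lines come from the parent openvpn process, so they are correlated by order rather than by PID.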