[Freeipa-users] OTP integrations

Alexander Bokovoy abokovoy at redhat.com
Wed Apr 1 13:14:10 UTC 2015


On Wed, 01 Apr 2015, Andrew Holway wrote:
>Please could someone explain to me what is happening internally?
>
>In my head I have the following process....
>
>The openvpn pam module sends the username and password to pam.
>Pam passes this onto sssd
>sssd then does the kerberos thing
>kerberos passes the password to the LDAP
KDC passes request to ipa-otpd daemon (our RADIUS-like proxy) which then
binds to IPA LDAP to verify the password
>some LDAP module takes the password from the database, appends on the OTP
>and actually does the auth...
Yes, the rest is correct.

http://www.freeipa.org/images/d/d1/FreeIPA_OTP.png is the full picture
from "the Kerberos thing" onward.

>
>
>On 1 April 2015 at 13:15, Andrew Holway <andrew.holway at gmail.com> wrote:
>
>>
>>>>  It is simple to configure OpenVPN with authentication against FreeIPA in
>>> Fedora 21, all the heavy lifting is done by SSSD:
>>>
>>
>> I have to say that this sssd / pam method is working very very well.
>>
>> I do however need to get my head around radius. Something for a rainy
>> sunday I think :).
>>
>>
>>
>>
>>>
>>> # grep plugin /etc/openvpn/server.conf
>>> plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so "openvpn
>>> login USERNAME password PASSWORD"
>>>
>>> # LANG=C ls -l /etc/pam.d/openvpn
>>> lrwxrwxrwx. 1 root root 11 Apr  1 10:55 /etc/pam.d/openvpn -> system-auth
>>>
>>> # LANG=C ipa user-show vpnuser
>>>  User login: vpnuser
>>>  First name: VPN
>>>  Last name: TestUser
>>>  Home directory: /home/vpnuser
>>>  Login shell: /bin/sh
>>>  Email address: vpnuser at example.com
>>>  UID: 1792600005
>>>  GID: 1792600005
>>>  Account disabled: False
>>>  User authentication types: otp
>>>  Password: True
>>>  Member of groups: ipausers
>>>  Kerberos keys available: True
>>>
>>> Apr 01 11:24:50 ipa.example.com openvpn[29723]: AUTH-PAM: BACKGROUND:
>>> received command code: 0
>>> Apr 01 11:24:50 ipa.example.com openvpn[29723]: AUTH-PAM: BACKGROUND:
>>> USER: vpnuser
>>> Apr 01 11:24:50 ipa.example.com openvpn[29723]: AUTH-PAM: BACKGROUND:
>>> my_conv[0] query='login:' style=2
>>> Apr 01 11:24:50 ipa.example.com openvpn[29723]: AUTH-PAM: BACKGROUND:
>>> name match found, query/match-string ['login:', 'login'] = 'USERNAME'
>>> Apr 01 11:24:50 ipa.example.com openvpn[29723]: AUTH-PAM: BACKGROUND:
>>> my_conv[0] query='Password: ' style=1
>>> Apr 01 11:24:50 ipa.example.com openvpn[29723]: AUTH-PAM: BACKGROUND:
>>> name match found, query/match-string ['Password: ', 'password'] = 'PASSWORD'
>>> Apr 01 11:24:50 ipa.example.com openvpn[29724]: pam_unix(openvpn:auth):
>>> authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
>>> user=vpnuser
>>> Apr 01 11:24:53 ipa.example.com openvpn[29724]: pam_sss(openvpn:auth):
>>> authentication success; logname= uid=0 euid=0 tty= ruser= rhost=
>>> user=vpnuser
>>> Apr 01 11:24:55 ipa.example.com openvpn[29732]: MY-IP_ADDRESS:50232
>>> PLUGIN_CALL: POST /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so/
>>> PLUGIN_AUTH_USER_PASS_VERIFY status=0
>>> Apr 01 11:24:55 ipa.example.com openvpn[29732]: MY-IP-ADDRESS:50232 TLS:
>>> Username/Password authentication succeeded for username 'vpnuser'
>>>
>>>
>>> --
>>> / Alexander Bokovoy
>>>
>>> --
>>> Manage your subscription for the Freeipa-users mailing list:
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>> Go to http://freeipa.org for more info on the project
>>>
>>
>>

-- 
/ Alexander Bokovoy
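To make the last step of the flow concrete (the bind-side check that splits the submitted secret into static password plus token code), here is an added illustration in Python. It is not FreeIPA's or ipa-otpd's code; the salted-SHA256 password store, the demo seed (the RFC 6238 reference seed), the 6-digit/30-second TOTP parameters and the one-step drift window are all assumptions made for the example.

```python
import hashlib
import hmac
import struct

# Constructed demo values, not from any real deployment.
DEMO_TOTP_SEED = b"12345678901234567890"   # RFC 6238 reference seed
DEMO_PASSWORD_SALT = b"constructed-salt"
DEMO_PASSWORD_HASH = hashlib.sha256(DEMO_PASSWORD_SALT + b"correct horse").hexdigest()
OTP_DIGITS = 6
TOTP_STEP = 30


def hotp(seed: bytes, counter: int, digits: int = OTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed: bytes, at: int, step: int = TOTP_STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(seed, at // step)


def verify_combined_secret(secret: str, now: int, window: int = 1) -> bool:
    """Split 'password+OTP' the way an OTP-aware bind must: the trailing
    OTP_DIGITS characters are the token code, everything before them is the
    static password. Both parts must verify; +/- `window` time steps of
    clock drift are tolerated (assumed policy for this example)."""
    if len(secret) <= OTP_DIGITS or not secret[-OTP_DIGITS:].isdigit():
        return False
    password, code = secret[:-OTP_DIGITS], secret[-OTP_DIGITS:]
    digest = hashlib.sha256(DEMO_PASSWORD_SALT + password.encode()).hexdigest()
    password_ok = hmac.compare_digest(digest, DEMO_PASSWORD_HASH)
    counter = now // TOTP_STEP
    # Compare every candidate code in constant time; do not short-circuit so
    # that a failing password does not change the timing of the OTP check.
    otp_ok = any(hmac.compare_digest(hotp(DEMO_TOTP_SEED, counter + d), code)
                 for d in range(-window, window + 1))
    return password_ok and otp_ok


if __name__ == "__main__":
    # At Unix time 59 the reference seed yields code 287082 (RFC 6238, 6 digits).
    print(verify_combined_secret("correct horse" + totp(DEMO_TOTP_SEED, 59), 59))
```

A real OTP verifier must additionally reject a token code that was already accepted (replay), which the example does not track.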
