[Freeipa-users] OTP integrations

Andrew Holway andrew.holway at gmail.com
Wed Apr 1 15:46:55 UTC 2015


Thanks Alexander.

What happens to the passwords? Are they hashed by Kerberos?

On 1 April 2015 at 15:14, Alexander Bokovoy <abokovoy at redhat.com> wrote:

> On Wed, 01 Apr 2015, Andrew Holway wrote:
>
>> Please could someone explain to me what is happening internally?
>>
>> In my head I have the following process....
>>
>> The openvpn pam module sends the username and password to pam.
>> Pam passes this onto sssd
>> sssd then does the kerberos thing
>> kerberos passes the password to the LDAP
>>
> KDC passes request to ipa-otpd daemon (our RADIUS-like proxy) which then
> binds to IPA LDAP to verify the password
>
>> some LDAP module takes the password from the database, appends on the OTP
>> and actually does the auth...
>>
> Yes, the rest is correct.
>
> http://www.freeipa.org/images/d/d1/FreeIPA_OTP.png is the full picture
> from "the Kerberos thing" on
>
>
>
>>
>> On 1 April 2015 at 13:15, Andrew Holway <andrew.holway at gmail.com> wrote:
>>
>>
>>>> It is simple to configure OpenVPN with authentication against FreeIPA
>>>> in Fedora 21, all the heavy lifting is done by SSSD:
>>>>
>>>>
>>> I have to say that this sssd / pam method is working very very well.
>>>
>>> I do however need to get my head around RADIUS. Something for a rainy
>>> Sunday I think :).
>>>
>>>
>>>
>>>
>>>
>>>> # grep plugin /etc/openvpn/server.conf
>>>> plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so "openvpn login USERNAME password PASSWORD"
>>>>
>>>> # LANG=C ls -l /etc/pam.d/openvpn
>>>> lrwxrwxrwx. 1 root root 11 Apr  1 10:55 /etc/pam.d/openvpn -> system-auth
>>>>
>>>> # LANG=C ipa user-show vpnuser
>>>>  User login: vpnuser
>>>>  First name: VPN
>>>>  Last name: TestUser
>>>>  Home directory: /home/vpnuser
>>>>  Login shell: /bin/sh
>>>>  Email address: vpnuser at example.com
>>>>  UID: 1792600005
>>>>  GID: 1792600005
>>>>  Account disabled: False
>>>>  User authentication types: otp
>>>>  Password: True
>>>>  Member of groups: ipausers
>>>>  Kerberos keys available: True
>>>>
>>>> Apr 01 11:24:50 ipa.example.com openvpn[29723]: AUTH-PAM: BACKGROUND: received command code: 0
>>>> Apr 01 11:24:50 ipa.example.com openvpn[29723]: AUTH-PAM: BACKGROUND: USER: vpnuser
>>>> Apr 01 11:24:50 ipa.example.com openvpn[29723]: AUTH-PAM: BACKGROUND: my_conv[0] query='login:' style=2
>>>> Apr 01 11:24:50 ipa.example.com openvpn[29723]: AUTH-PAM: BACKGROUND: name match found, query/match-string ['login:', 'login'] = 'USERNAME'
>>>> Apr 01 11:24:50 ipa.example.com openvpn[29723]: AUTH-PAM: BACKGROUND: my_conv[0] query='Password: ' style=1
>>>> Apr 01 11:24:50 ipa.example.com openvpn[29723]: AUTH-PAM: BACKGROUND: name match found, query/match-string ['Password: ', 'password'] = 'PASSWORD'
>>>> Apr 01 11:24:50 ipa.example.com openvpn[29724]: pam_unix(openvpn:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=vpnuser
>>>> Apr 01 11:24:53 ipa.example.com openvpn[29724]: pam_sss(openvpn:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost= user=vpnuser
>>>> Apr 01 11:24:55 ipa.example.com openvpn[29732]: MY-IP_ADDRESS:50232 PLUGIN_CALL: POST /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=0
>>>> Apr 01 11:24:55 ipa.example.com openvpn[29732]: MY-IP-ADDRESS:50232 TLS: Username/Password authentication succeeded for username 'vpnuser'
>>>>
>>>>
>>>> --
>>>> / Alexander Bokovoy
>>>>
>>>> --
>>>> Manage your subscription for the Freeipa-users mailing list:
>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>> Go to http://freeipa.org for more info on the project
>>>>
>>>>
>>>
>>>
> --
> / Alexander Bokovoy
>
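The journal excerpt quoted above shows a detail that matters when you monitor a PAM stack like this: with /etc/pam.d/openvpn pointing at system-auth, pam_unix runs first and logs an "authentication failure" for every IPA-only user before pam_sss accepts the password+OTP, so counting raw failure lines overstates failed logins. The following is an added example, not code from the thread or from the FreeIPA or OpenVPN projects. It parses constructed log lines modelled on the quoted excerpt (the second, failed attempt is invented for contrast), folds the per-module results into login attempts on the assumption that pam_unix is the first and pam_sss the last module that reports, and compares a naive failure count with the real per-attempt outcome.

```python
import re

# Constructed sample modelled on the journal lines quoted in the thread; the
# second attempt (11:30) is invented to show a real failure. Not real log data.
SAMPLE_LOG = """\
Apr 01 11:24:50 ipa.example.com openvpn[29723]: AUTH-PAM: BACKGROUND: USER: vpnuser
Apr 01 11:24:50 ipa.example.com openvpn[29724]: pam_unix(openvpn:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=vpnuser
Apr 01 11:24:53 ipa.example.com openvpn[29724]: pam_sss(openvpn:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost= user=vpnuser
Apr 01 11:24:55 ipa.example.com openvpn[29732]: 203.0.113.7:50232 TLS: Username/Password authentication succeeded for username 'vpnuser'
Apr 01 11:30:02 ipa.example.com openvpn[29724]: pam_unix(openvpn:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=vpnuser
Apr 01 11:30:05 ipa.example.com openvpn[29724]: pam_sss(openvpn:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=vpnuser
"""

# Matches the pam_<module>(openvpn:auth): authentication <result>; ... user=<name>
# lines as they appear in the quoted excerpt. '\buser=' skips the 'ruser=' field.
PAM_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ openvpn\[(?P<pid>\d+)\]: "
    r"(?P<module>pam_\w+)\(openvpn:auth\): authentication (?P<result>success|failure);"
    r".*\buser=(?P<user>\S+)"
)

# Assumed module order of the system-auth stack: pam_unix first, pam_sss last.
STACK_FIRST = "pam_unix"
STACK_LAST = "pam_sss"


def parse_pam_events(text):
    """Return one dict per PAM auth result line, in log order."""
    return [m.groupdict() for m in map(PAM_RE.match, text.splitlines()) if m]


def naive_failure_count(events):
    """What a simple 'grep authentication failure | wc -l' would report."""
    return sum(1 for ev in events if ev["result"] == "failure")


def group_attempts(events):
    """Fold per-module results into login attempts, one per pass through the stack.

    A pam_sss line closes the attempt for that user; a new pam_unix line for a
    user who still has an open attempt closes the old one first (e.g. a local
    account accepted by pam_unix, where pam_sss never runs).
    """
    open_attempts, attempts = {}, []
    for ev in events:
        user = ev["user"]
        if ev["module"] == STACK_FIRST and user in open_attempts:
            attempts.append(open_attempts.pop(user))
        a = open_attempts.setdefault(
            user, {"user": user, "pid": ev["pid"], "start": ev["ts"], "modules": {}})
        a["modules"][ev["module"]] = ev["result"]
        a["end"] = ev["ts"]
        if ev["module"] == STACK_LAST:
            attempts.append(open_attempts.pop(user))
    attempts.extend(open_attempts.values())  # never reached pam_sss
    for a in attempts:
        a["outcome"] = "success" if "success" in a["modules"].values() else "failure"
    return attempts


def classify(attempt):
    """Label an attempt; 'success-via-sssd' means the pam_unix failure was noise."""
    mods = attempt["modules"]
    if attempt["outcome"] != "success":
        return "failure"
    if mods.get(STACK_FIRST) == "failure" and mods.get(STACK_LAST) == "success":
        return "success-via-sssd"
    return "success-local"


def real_failures(attempts):
    """Failed attempts per user, ignoring pam_unix noise on IPA-only accounts."""
    counts = {}
    for a in attempts:
        if a["outcome"] == "failure":
            counts[a["user"]] = counts.get(a["user"], 0) + 1
    return counts


if __name__ == "__main__":
    events = parse_pam_events(SAMPLE_LOG)
    attempts = group_attempts(events)
    print("naive failure lines:", naive_failure_count(events))
    for a in attempts:
        print(f"{a['start']}..{a['end']} {a['user']}: {classify(a)} {a['modules']}")
    print("real failures per user:", real_failures(attempts))
```

Feed it `journalctl -u openvpn-server@server --no-pager` output (or the OpenVPN log file) in place of SAMPLE_LOG; the point is that a lockout or alerting rule should count attempts, not module lines, or every successful OTP login looks like a failed one.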