[Freeipa-users] OTP integrations

Dmitri Pal dpal at redhat.com
Wed Apr 1 16:21:18 UTC 2015


On 04/01/2015 11:46 AM, Andrew Holway wrote:
> Thanks Alexander.
>
> What happens to the passwords? Are they hashed by Kerberos?

Yes. But stored in LDAP.

>
> On 1 April 2015 at 15:14, Alexander Bokovoy <abokovoy at redhat.com> wrote:
>
>     On Wed, 01 Apr 2015, Andrew Holway wrote:
>
>         Please could someone explain to me what is happening internally?
>
>         In my head I have the following process....
>
>         The openvpn pam module sends the username and password to pam.
>         Pam passes this onto sssd
>         sssd then does the kerberos thing
>         kerberos passes the password to the LDAP
>
>     KDC passes request to ipa-otpd daemon (our RADIUS-like proxy) which then
>     binds to IPA LDAP to verify the password
>
>         some LDAP module takes the password from the database, appends
>         on the OTP
>         and actually does the auth...
>
>     Yes, the rest is correct.
>
>     http://www.freeipa.org/images/d/d1/FreeIPA_OTP.png is the full picture
>     of "the Kerberos thing"
>
>
>
>
>         On 1 April 2015 at 13:15, Andrew Holway <andrew.holway at gmail.com> wrote:
>
>
>                 It is simple to configure OpenVPN with authentication
>                 against FreeIPA in Fedora 21; all the heavy lifting is
>                 done by SSSD:
>
>
>             I have to say that this sssd / pam method is working very
>             very well.
>
>             I do however need to get my head around radius. Something
>             for a rainy Sunday I think :).
>
>
>
>
>
>                 # grep plugin /etc/openvpn/server.conf
>                 plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so "openvpn login USERNAME password PASSWORD"
>
>                 # LANG=C ls -l /etc/pam.d/openvpn
>                 lrwxrwxrwx. 1 root root 11 Apr  1 10:55 /etc/pam.d/openvpn -> system-auth
>
>                 # LANG=C ipa user-show vpnuser
>                  User login: vpnuser
>                  First name: VPN
>                  Last name: TestUser
>                  Home directory: /home/vpnuser
>                  Login shell: /bin/sh
>                  Email address: vpnuser at example.com
>                  UID: 1792600005
>                  GID: 1792600005
>                  Account disabled: False
>                  User authentication types: otp
>                  Password: True
>                  Member of groups: ipausers
>                  Kerberos keys available: True
>
>                 Apr 01 11:24:50 ipa.example.com openvpn[29723]: AUTH-PAM: BACKGROUND: received command code: 0
>                 Apr 01 11:24:50 ipa.example.com openvpn[29723]: AUTH-PAM: BACKGROUND: USER: vpnuser
>                 Apr 01 11:24:50 ipa.example.com openvpn[29723]: AUTH-PAM: BACKGROUND: my_conv[0] query='login:' style=2
>                 Apr 01 11:24:50 ipa.example.com openvpn[29723]: AUTH-PAM: BACKGROUND: name match found, query/match-string ['login:', 'login'] = 'USERNAME'
>                 Apr 01 11:24:50 ipa.example.com openvpn[29723]: AUTH-PAM: BACKGROUND: my_conv[0] query='Password: ' style=1
>                 Apr 01 11:24:50 ipa.example.com openvpn[29723]: AUTH-PAM: BACKGROUND: name match found, query/match-string ['Password: ', 'password'] = 'PASSWORD'
>                 Apr 01 11:24:50 ipa.example.com openvpn[29724]: pam_unix(openvpn:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=vpnuser
>                 Apr 01 11:24:53 ipa.example.com openvpn[29724]: pam_sss(openvpn:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost= user=vpnuser
>                 Apr 01 11:24:55 ipa.example.com openvpn[29732]: MY-IP_ADDRESS:50232 PLUGIN_CALL: POST /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=0
>                 Apr 01 11:24:55 ipa.example.com openvpn[29732]: MY-IP-ADDRESS:50232 TLS: Username/Password authentication succeeded for username 'vpnuser'
>
>
>                 --
>                 / Alexander Bokovoy
>
>                 --
>                 Manage your subscription for the Freeipa-users mailing
>                 list:
>                 https://www.redhat.com/mailman/listinfo/freeipa-users
>                 Go to http://freeipa.org for more info on the project
>
>
>
>
>     -- 
>     / Alexander Bokovoy
>
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
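
The journal excerpt quoted in this thread shows the chain Alexander describes from the OpenVPN side: the auth-pam plugin's background helper runs the PAM stack (pam_unix logs a failure, pam_sss then logs success once SSSD has gone through the KDC, ipa-otpd and the LDAP bind), the plugin returns status=0, and OpenVPN accepts the user. Because /etc/pam.d/openvpn is a symlink to system-auth, pam_unix is tried before pam_sss, as the timestamps in the log confirm; a password that pam_unix accepts (a local /etc/shadow account) satisfies the stack before SSSD and the IPA OTP policy are ever consulted. The script below is an added example, not code from the thread or from FreeIPA, SSSD or OpenVPN: it parses journal lines in the quoted format, correlates the PAM results (logged by the helper PID) with OpenVPN's final decision (logged by the worker PID) by username, and flags successful logins for which no pam_sss success was recorded. The log sample is constructed: the first session is the thread's vpnuser login re-joined onto single lines, the second session (user 'localadmin') and both client addresses are placeholders.

```python
"""Reconstruct the OpenVPN -> auth-pam -> PAM -> pam_sss chain from journal lines.

Added example for the freeipa-users thread above; not part of FreeIPA, SSSD
or OpenVPN. Line formats follow the quoted journal output; the sample data
below is constructed.
"""
import re
from collections import defaultdict

# One PAM module result from the plugin's background helper, e.g.
# "pam_sss(openvpn:auth): authentication success; ... user=vpnuser"
PAM_RE = re.compile(
    r"openvpn\[(?P<pid>\d+)\]: (?P<module>pam_\w+)\(openvpn:auth\): "
    r"authentication (?P<result>success|failure);.*\buser=(?P<user>\S+)"
)
# The plugin's return status for one client; this line carries no username.
PLUGIN_RE = re.compile(
    r"openvpn\[(?P<pid>\d+)\]: (?P<client>\S+) PLUGIN_CALL: POST "
    r"\S*openvpn-plugin-auth-pam\.so/PLUGIN_AUTH_USER_PASS_VERIFY status=(?P<status>\d+)"
)
# OpenVPN's final decision, which carries both the client address and the username.
TLS_RE = re.compile(
    r"openvpn\[(?P<pid>\d+)\]: (?P<client>\S+) TLS: Username/Password "
    r"authentication succeeded for username '(?P<user>[^']+)'"
)

# Constructed sample (not a real capture). Session 1 is the thread's vpnuser
# login; session 2 ('localadmin', hypothetical) succeeded with no pam_sss
# result at all, which is what a local account accepted by pam_unix looks like
# (pam_unix does not log successful authentications by default).
SAMPLE_LOG = """\
Apr 01 11:24:50 ipa.example.com openvpn[29723]: AUTH-PAM: BACKGROUND: USER: vpnuser
Apr 01 11:24:50 ipa.example.com openvpn[29724]: pam_unix(openvpn:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=vpnuser
Apr 01 11:24:53 ipa.example.com openvpn[29724]: pam_sss(openvpn:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost= user=vpnuser
Apr 01 11:24:55 ipa.example.com openvpn[29732]: 198.51.100.7:50232 PLUGIN_CALL: POST /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=0
Apr 01 11:24:55 ipa.example.com openvpn[29732]: 198.51.100.7:50232 TLS: Username/Password authentication succeeded for username 'vpnuser'
Apr 01 11:31:10 ipa.example.com openvpn[29740]: 198.51.100.9:41022 PLUGIN_CALL: POST /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=0
Apr 01 11:31:10 ipa.example.com openvpn[29740]: 198.51.100.9:41022 TLS: Username/Password authentication succeeded for username 'localadmin'
"""


def classify(user, client, status, modules):
    """Decide whether one successful login actually went through SSSD/IPA."""
    via_sss = ("pam_sss", "success") in modules
    if via_sss and status == 0:
        reason = ("authenticated by pam_sss: SSSD -> KDC -> ipa-otpd -> LDAP bind, "
                  "so the IPA OTP policy applied")
    elif via_sss:
        reason = "pam_sss succeeded but the plugin returned status=%r" % (status,)
    else:
        reason = ("no pam_sss success recorded: an earlier module in the stack "
                  "(e.g. pam_unix for a local account) accepted the password, "
                  "so IPA and its OTP policy were never consulted")
    return {"user": user, "client": client, "ok": via_sss and status == 0,
            "modules": modules, "reason": reason}


def audit(log_text):
    """Return one verdict dict per successful OpenVPN login found in log_text.

    The PAM lines come from the plugin's helper process and the TLS lines from
    the OpenVPN worker, so the two are correlated by username, not by PID;
    the plugin status line is tied to the TLS line by client address.
    """
    pam_results = defaultdict(list)   # user -> [(module, result), ...] since last login
    plugin_status = {}                # client -> last plugin return status
    verdicts = []
    for line in log_text.splitlines():
        m = PAM_RE.search(line)
        if m:
            pam_results[m["user"]].append((m["module"], m["result"]))
            continue
        m = PLUGIN_RE.search(line)
        if m:
            plugin_status[m["client"]] = int(m["status"])
            continue
        m = TLS_RE.search(line)
        if m:
            modules = pam_results.pop(m["user"], [])
            status = plugin_status.pop(m["client"], None)
            verdicts.append(classify(m["user"], m["client"], status, modules))
    return verdicts


if __name__ == "__main__":
    for v in audit(SAMPLE_LOG):
        flag = "OK   " if v["ok"] else "ALERT"
        print("%s %-12s %-20s %s" % (flag, v["user"], v["client"], v["reason"]))
```

Feed it `journalctl -u openvpn@server -o short` output (the unit name is an assumption for your host) to see, per accepted VPN login, whether pam_sss was the module that said yes. If the PAM service for OpenVPN is meant to accept IPA users only, an ALERT line means the stack answered before SSSD was reached.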
