[Freeipa-users] OTP integrations
Dmitri Pal
dpal at redhat.com
Wed Apr 1 16:21:18 UTC 2015
On 04/01/2015 11:46 AM, Andrew Holway wrote:
> Thanks Alexander.
>
> What happens to the passwords? Are they hashed by Kerberos?
Yes. But stored in LDAP.
>
> On 1 April 2015 at 15:14, Alexander Bokovoy <abokovoy at redhat.com> wrote:
>
> On Wed, 01 Apr 2015, Andrew Holway wrote:
>
> Please could someone explain to me what is happening internally?
>
> In my head I have the following process....
>
> The openvpn pam module sends the username and password to pam.
> Pam passes this onto sssd
> sssd then does the kerberos thing
> kerberos passes the password to the LDAP
>
> KDC passes request to ipa-otpd daemon (our RADIUS-like proxy) which then
> binds to IPA LDAP to verify the password
>
> some LDAP module takes the password from the database, appends on the OTP
> and actually does the auth...
>
> Yes, the rest is correct.
>
> http://www.freeipa.org/images/d/d1/FreeIPA_OTP.png is the full picture
> from on "the Kerberos thing"
>
> On 1 April 2015 at 13:15, Andrew Holway <andrew.holway at gmail.com> wrote:
>
>
> It is simple to configure OpenVPN with authentication against FreeIPA in
> Fedora 21, all the heavy lifting is done by SSSD:
>
> I have to say that this sssd / pam method is working very very well.
>
> I do however need to get my head around radius. Something for a rainy
> Sunday I think :).
>
> # grep plugin /etc/openvpn/server.conf
> plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so "openvpn login USERNAME password PASSWORD"
>
> # LANG=C ls -l /etc/pam.d/openvpn
> lrwxrwxrwx. 1 root root 11 Apr 1 10:55 /etc/pam.d/openvpn -> system-auth
>
> # LANG=C ipa user-show vpnuser
> User login: vpnuser
> First name: VPN
> Last name: TestUser
> Home directory: /home/vpnuser
> Login shell: /bin/sh
> Email address: vpnuser at example.com
> UID: 1792600005
> GID: 1792600005
> Account disabled: False
> User authentication types: otp
> Password: True
> Member of groups: ipausers
> Kerberos keys available: True
>
> Apr 01 11:24:50 ipa.example.com openvpn[29723]: AUTH-PAM: BACKGROUND: received command code: 0
> Apr 01 11:24:50 ipa.example.com openvpn[29723]: AUTH-PAM: BACKGROUND: USER: vpnuser
> Apr 01 11:24:50 ipa.example.com openvpn[29723]: AUTH-PAM: BACKGROUND: my_conv[0] query='login:' style=2
> Apr 01 11:24:50 ipa.example.com openvpn[29723]: AUTH-PAM: BACKGROUND: name match found, query/match-string ['login:', 'login'] = 'USERNAME'
> Apr 01 11:24:50 ipa.example.com openvpn[29723]: AUTH-PAM: BACKGROUND: my_conv[0] query='Password: ' style=1
> Apr 01 11:24:50 ipa.example.com openvpn[29723]: AUTH-PAM: BACKGROUND: name match found, query/match-string ['Password: ', 'password'] = 'PASSWORD'
> Apr 01 11:24:50 ipa.example.com openvpn[29724]: pam_unix(openvpn:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=vpnuser
> Apr 01 11:24:53 ipa.example.com openvpn[29724]: pam_sss(openvpn:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost= user=vpnuser
> Apr 01 11:24:55 ipa.example.com openvpn[29732]: MY-IP_ADDRESS:50232 PLUGIN_CALL: POST /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=0
> Apr 01 11:24:55 ipa.example.com openvpn[29732]: MY-IP-ADDRESS:50232 TLS: Username/Password authentication succeeded for username 'vpnuser'
>
>
> --
> / Alexander Bokovoy
>
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
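The log excerpt in the quoted message shows the pattern an administrator needs to recognise when reading OpenVPN auth-pam output against a system-auth stack: pam_unix reports "authentication failure" for an IPA user (there is no local shadow entry), and the attempt only succeeds when pam_sss answers afterwards. The following Python script is an added example, not code from this thread or from the FreeIPA, SSSD or OpenVPN projects. It parses lines of the syslog shape shown above, groups the PAM module outcomes per auth-pam background process and user, and reports whether any module actually succeeded, so that the expected pam_unix failure is not mistaken for a real one and a genuine failure (all modules failing) is not lost in the noise. The sample lines are constructed to mirror the thread's format; the second attempt (pid 29801) is a made-up failing one.

```python
import re
from collections import defaultdict

# Matches the pam_unix / pam_sss result lines that the openvpn auth-pam plugin
# emits through the system-auth stack, e.g.
#   Apr 01 11:24:53 host openvpn[29724]: pam_sss(openvpn:auth): authentication success; ... user=vpnuser
# The \b before "user=" keeps "ruser=" from being taken as the user field.
PAM_AUTH_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<proc>\w+)\[(?P<pid>\d+)\]: "
    r"(?P<module>pam_\w+)\((?P<service>[^:]+):(?P<type>\w+)\): "
    r"authentication (?P<result>success|failure);.*\buser=(?P<user>\S*)$"
)

# Constructed sample log, shaped like the lines quoted in the thread.
SAMPLE_LOG = [
    # Successful attempt: pam_unix has no local entry for the IPA user and fails,
    # then pam_sss validates password+OTP through SSSD and succeeds.
    "Apr 01 11:24:50 ipa.example.com openvpn[29723]: AUTH-PAM: BACKGROUND: USER: vpnuser",
    "Apr 01 11:24:50 ipa.example.com openvpn[29724]: pam_unix(openvpn:auth): authentication failure; "
    "logname= uid=0 euid=0 tty= ruser= rhost= user=vpnuser",
    "Apr 01 11:24:53 ipa.example.com openvpn[29724]: pam_sss(openvpn:auth): authentication success; "
    "logname= uid=0 euid=0 tty= ruser= rhost= user=vpnuser",
    # Constructed failing attempt (e.g. wrong password or OTP): no module succeeds.
    "Apr 01 11:31:02 ipa.example.com openvpn[29801]: pam_unix(openvpn:auth): authentication failure; "
    "logname= uid=0 euid=0 tty= ruser= rhost= user=vpnuser",
    "Apr 01 11:31:05 ipa.example.com openvpn[29801]: pam_sss(openvpn:auth): authentication failure; "
    "logname= uid=0 euid=0 tty= ruser= rhost= user=vpnuser",
]


def parse_pam_auth_line(line):
    """Return a dict of fields for a PAM auth result line, or None for any other line."""
    m = PAM_AUTH_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"])
    return rec


def group_attempts(lines):
    """Group (module, result) pairs by (pid, user).

    Each openvpn auth-pam background process handles one login attempt, so the
    pid together with the user name identifies an attempt across the PAM modules
    that ran for it, in log order.
    """
    attempts = defaultdict(list)
    for line in lines:
        rec = parse_pam_auth_line(line)
        if rec and rec["type"] == "auth":
            attempts[(rec["pid"], rec["user"])].append((rec["module"], rec["result"]))
    return dict(attempts)


def classify_attempts(lines):
    """Map (pid, user) -> verdict string.

    A pam_unix failure followed by a pam_sss success is the normal path for an
    IPA user; only an attempt in which no module reported success is a real
    authentication failure worth alerting on.
    """
    verdicts = {}
    for key, outcomes in group_attempts(lines).items():
        succeeded = [module for module, result in outcomes if result == "success"]
        if succeeded:
            verdicts[key] = "success via " + succeeded[0]
        else:
            verdicts[key] = "failed in all of " + ",".join(module for module, _ in outcomes)
    return verdicts


if __name__ == "__main__":
    for (pid, user), verdict in sorted(classify_attempts(SAMPLE_LOG).items()):
        print(f"pid={pid} user={user}: {verdict}")
```

Run it against `journalctl -u openvpn@server --no-pager` output (or the relevant syslog file) by replacing `SAMPLE_LOG` with the file's lines; the AUTH-PAM "BACKGROUND" diagnostic lines are ignored, and only the per-module result lines drive the verdict.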