Hello all! In the process of changing to a FreeIPA based authentication system for a part of our network. FreeIPA is set up, working beautifully for most things already. Right now, we're trying to convert our old jump hosts from C6+OpenLDAP+Vasco OTP devices to a new C7+FreeIPA+Yubikey setup. The way this setup currently works is that the user creates a VPN connection to the jump host (using OpenVPN and static VPN keys), logs into the jump via SSH over the VPN tunnel with the Vasco OTP password, then can move from there to other machines on the network with only password.
As part of the transition to the new setup, I wanted to change to having OpenVPN authenticate against FreeIPA using the OpenVPN PAM plugin. This was working fine when using just passwords; OpenVPN prompted for the username and password and connected, so the basic idea seems to work. But as soon as I enabled the first user with the Yubikey 2FA, the OpenVPN server will no longer authenticate him when using Password+Yubikey value. However, that user can authenticate to the FreeIPA web interface successfully with the Yubikey, as well as SSH to the machine running OpenVPN (tested by using the old setup and jumping to the new hosts). As I understand it, using the OpenVPN PAM module should allow it to auth just like SSH does, so I'm puzzled why this is failing as it does. I created the OpenVPN PAM configuration file by copying /etc/pam.d/login to /etc/pam.d/openvpn, as well as adding the new openvpn service to FreeIPA and granting the user access to it (of course, as the user is allowed to connect when OTP is not enabled). Has anyone done a similar setup before, and have any ideas where I went wrong? I'd like to have this working for added security on our VPN connections.

Thanks,
Jeremy Utley
_______________________________________________
FreeIPA-users mailing list -- email@example.com
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
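An added example, not part of Jeremy's post and not code from the FreeIPA or OpenVPN projects: the two configuration pieces the post describes (the server-side plugin directive and the /etc/pam.d service it names), written out in a minimal form, plus a small POSIX shell check that resolves include/substack lines so you can see whether a service file copied from /etc/pam.d/login actually hands the password to pam_sss.so. The plugin path, the service name "openvpn", and the three pam.d trees the demo builds in a temp directory are assumptions/constructed samples, not files taken from the poster's hosts.

```shell
#!/bin/sh
# Added example; not from the original post. Paths, the PAM service name
# "openvpn" and the sample pam.d trees are assumptions (stock CentOS 7 + EPEL
# layout); adjust for the real host.

# Server-side OpenVPN directive for the auth-pam plugin. The first word of the
# quoted argument is the PAM service (a file under /etc/pam.d); the remaining
# words are prompt/value pairs: a PAM prompt matching "login" is answered with
# the VPN username, one matching "password" with the VPN password. Prompts the
# plugin cannot match to a pair are not answered.
OVPN_PLUGIN_LINE='plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so "openvpn login USERNAME password PASSWORD"'

# A small PAM stack for that service: auth and account go straight to SSSD
# (pam_sss), which ipa-client-install configures. The tty/session modules in
# /etc/pam.d/login (pam_securetty, pam_loginuid, pam_selinux, ...) add nothing
# for a network daemon, so they are left out.
PAM_OPENVPN_MINIMAL='#%PAM-1.0
auth     required  pam_sss.so
account  required  pam_sss.so
'

# plugin_pam_service FILE: print the PAM service named on the auth-pam plugin
# line of an OpenVPN server config (no output if the plugin is not loaded).
plugin_pam_service() {
    sed -n -E 's/^[[:space:]]*plugin[[:space:]]+[^[:space:]]*openvpn-plugin-auth-pam\.so[[:space:]]+"?([^[:space:]"]+).*$/\1/p' "$1"
}

# pam_auth_lines DIR SERVICE: print the "auth" lines of DIR/SERVICE as
# "control module", following include/substack into sibling files, so a
# service copied from login is resolved through system-auth. Bracketed
# controls ("[success=ok ...]") are passed through unparsed.
pam_auth_lines() {
    [ -f "$1/$2" ] || return 1
    grep -E '^[[:space:]]*auth[[:space:]]' "$1/$2" |
    while read -r _type ctrl mod _rest; do
        case $ctrl in
            include|substack) pam_auth_lines "$1" "$mod" ;;
            *) printf '%s %s\n' "$ctrl" "$mod" ;;
        esac
    done
}

# pam_auths_via_sss DIR SERVICE: succeed when some auth line hands the
# credentials to pam_sss.so with a control other than "optional" (an optional
# pam_sss would let the stack succeed even if SSSD rejected the user).
pam_auths_via_sss() {
    pam_auth_lines "$1" "$2" | grep -Eq '^(required|requisite|sufficient) pam_sss\.so$'
}

# demo: build three constructed pam.d trees and run the checks against the
# service named in a constructed server.conf. Tree a mimics the post's
# approach (openvpn copied from login, reaching pam_sss via system-auth),
# tree b is the minimal stack above, tree c never reaches SSSD at all.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/a" "$tmp/b" "$tmp/c"
    printf '%s\n' '#%PAM-1.0' 'auth substack system-auth' 'account include system-auth' > "$tmp/a/openvpn"
    printf '%s\n' 'auth required pam_env.so' 'auth sufficient pam_unix.so nullok try_first_pass' \
        'auth sufficient pam_sss.so use_first_pass' 'auth required pam_deny.so' > "$tmp/a/system-auth"
    printf '%s' "$PAM_OPENVPN_MINIMAL" > "$tmp/b/openvpn"
    printf '%s\n' 'auth required pam_unix.so' 'account required pam_unix.so' > "$tmp/c/openvpn"
    printf '%s\n' "$OVPN_PLUGIN_LINE" > "$tmp/server.conf"

    svc=$(plugin_pam_service "$tmp/server.conf")
    for tree in a b c; do
        if pam_auths_via_sss "$tmp/$tree" "$svc"; then
            echo "$tree: service '$svc' authenticates via pam_sss"
        else
            echo "$tree: service '$svc' never reaches SSSD"
        fi
    done
    rm -rf "$tmp"
}

demo
```

On a real host, point pam_auths_via_sss at /etc/pam.d and the service name printed by plugin_pam_service from the actual server config. A pass only says the password reaches SSSD; it says nothing about how SSSD prompts a 2FA-enabled user or whether the plugin's prompt/value pairs answer those prompts, so the next thing to read is what the plugin logs for the failing user and the sssd pam responder log with debug_level raised. The pamtester utility (a separate package, not part of OpenVPN or FreeIPA) can exercise the same PAM service outside OpenVPN with `pamtester openvpn <user> authenticate`, which separates a PAM-stack problem from a plugin problem.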