Yeah, I found some of this info upon some additional Google searching; it's
unfortunate.  Is there any way to support simply appending the OTP onto the
password?  I know it used to work this way for SSH in previous C7 versions.
Can straight LDAP binds validate the OTP, or am I stuck with trying to
figure out how to make RADIUS work if I want this?  I'm pretty new to using
2FA in FreeIPA, so I'm not sure what is available.

Jeremy

On Wed, Oct 18, 2017 at 3:21 PM, Alexander Bokovoy <aboko...@redhat.com>
wrote:

> On Wed, 18 Oct 2017, Jeremy Utley via FreeIPA-users wrote:
>
>> Hello all!
>>
>> We're in the process of changing to a FreeIPA-based authentication system
>> for a part of our network.  FreeIPA is set up, working beautifully for most
>> things already.  Right now, we're trying to convert our old jump hosts
>> from C6+OpenLDAP+Vasco OTP devices to a new C7+FreeIPA+Yubikey setup.  The
>> way this setup currently works is that the user creates a VPN connection
>> to the jump host (using OpenVPN and static VPN keys), logs into the jump
>> via SSH over the VPN tunnel with the Vasco OTP password, then can move
>> from there to other machines on the network with only a password.
>>
>> As part of the transition to the new setup, I wanted to change to having
>> OpenVPN authenticate against FreeIPA using the OpenVPN PAM plugin.  This
>> was working fine when using just passwords: OpenVPN prompted for the
>> username and password and connected, so the basic idea seems to work.  But
>> as soon as I enabled the first user with the Yubikey 2FA, the OpenVPN
>> server would no longer authenticate him when using the password+Yubikey
>> value.  However, that user can authenticate to the FreeIPA web interface
>> successfully with the Yubikey, as well as SSH to the machine running
>> OpenVPN (tested by using the old setup and jumping to the new hosts).
>>
>> As I understand it, using the OpenVPN PAM module should allow it to auth
>> just like SSH does, so I'm puzzled why this is failing as it does.  I
>> created the OpenVPN PAM configuration file by copying /etc/pam.d/login to
>> /etc/pam.d/openvpn, as well as adding the new openvpn service to FreeIPA
>> and granting the user access to it (of course, as the user is allowed to
>> connect when OTP is not enabled).
>>
>> Has anyone done a similar setup before, and have any ideas where I went
>> wrong?  I'd like to have this working for added security on our VPN
>> connections.
>>
> OpenVPN's PAM authentication plugin does not properly implement support
> for multiple prompts, which pam_sss produces in the case of 2FA. It only
> supports a single password request. See the code in
> https://github.com/OpenVPN/openvpn/blob/master/src/plugins/auth-pam/auth-pam.c#L509
>
> SSSD has support for such behavior in sshd, but the service name is
> literally hard-coded:
> https://pagure.io/SSSD/sssd/blob/master/f/src/sss_client/pam_sss.c#_1413
>
> There are tickets to track the latter part in SSSD:
> https://pagure.io/SSSD/sssd/issue/3438 and
> https://pagure.io/SSSD/sssd/issue/3264. Patches are welcome.
>
> As to OpenVPN itself, there is a little problem: as far as I know, OpenVPN
> doesn't have a mechanism to negotiate multiple prompts with its client.
>
>
> --
> / Alexander Bokovoy
>
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
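
The failure Alexander describes is a PAM conversation problem: a 2FA module
such as pam_sss issues more than one hidden prompt, and an application whose
conversation callback only knows how to answer one password request returns
a conversation error. The simulation below is an added example written for
this thread; it is not code from OpenVPN's auth-pam.c or from SSSD's
pam_sss.c. It defines local stand-ins for the PAM conversation types (so it
builds without libpam-dev), a module side that issues one or two prompts,
and two application-side conversation callbacks: the single-prompt one that
fails exactly as the thread reports, and a "split" one that carves a
password+OTP field typed into a one-field client into two answers at an
assumed, fixed OTP length. The split approach, the prompt strings and the
credentials ("hunter2", OTP "123456") are all constructed for illustration;
nothing here claims OpenVPN or SSSD behaves this way.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Local stand-ins for the PAM conversation types and return codes. They
 * mirror the shapes in <security/pam_appl.h> but are defined here so the
 * file builds without libpam-dev; this is a simulation, not a PAM module. */
#define PAM_SUCCESS          0
#define PAM_AUTH_ERR         7
#define PAM_CONV_ERR        19
#define PAM_PROMPT_ECHO_OFF  1

struct pam_message  { int msg_style; const char *msg; };
struct pam_response { char *resp;    int resp_retcode; };

typedef int (*conv_fn)(int num_msg, const struct pam_message **msg,
                       struct pam_response **resp, void *appdata);

/* What a VPN server has: the single password field its client sent, plus
 * an assumed OTP length it could use to split that field in two. */
struct app_creds {
    const char *password;   /* whole field exactly as the user typed it */
    size_t      otp_len;    /* trailing characters to treat as the OTP  */
};

static char *dup_range(const char *s, size_t n)
{
    char *p = malloc(n + 1);
    if (p) { memcpy(p, s, n); p[n] = '\0'; }
    return p;
}

static void free_responses(struct pam_response *r, int n)
{
    for (int i = 0; i < n; i++) free(r[i].resp);
    free(r);
}

/* Single-prompt conversation: the whole password field answers the first
 * hidden prompt and any further prompt is an error. This is the
 * "username + one password" model that cannot satisfy a 2FA module. */
static int single_prompt_conv(int num_msg, const struct pam_message **msg,
                              struct pam_response **resp, void *appdata)
{
    const struct app_creds *c = appdata;
    if (num_msg <= 0) return PAM_CONV_ERR;
    struct pam_response *r = calloc((size_t)num_msg, sizeof *r);
    if (!r) return PAM_CONV_ERR;
    for (int i = 0; i < num_msg; i++) {
        if (i > 0 || msg[i]->msg_style != PAM_PROMPT_ECHO_OFF) {
            free_responses(r, i);          /* second prompt: give up */
            return PAM_CONV_ERR;
        }
        r[i].resp = dup_range(c->password, strlen(c->password));
    }
    *resp = r;
    return PAM_SUCCESS;
}

/* Split conversation (illustrative assumption): the leading part of the
 * field answers the first hidden prompt, the trailing otp_len characters
 * answer the second, so "password+OTP" in one field serves two prompts. */
static int split_prompt_conv(int num_msg, const struct pam_message **msg,
                             struct pam_response **resp, void *appdata)
{
    const struct app_creds *c = appdata;
    size_t total = strlen(c->password);
    if (num_msg <= 0 || num_msg > 2 || total <= c->otp_len) return PAM_CONV_ERR;
    struct pam_response *r = calloc((size_t)num_msg, sizeof *r);
    if (!r) return PAM_CONV_ERR;
    for (int i = 0; i < num_msg; i++) {
        if (msg[i]->msg_style != PAM_PROMPT_ECHO_OFF) {
            free_responses(r, i);
            return PAM_CONV_ERR;
        }
        r[i].resp = (i == 0) ? dup_range(c->password, total - c->otp_len)
                             : dup_range(c->password + total - c->otp_len, c->otp_len);
    }
    *resp = r;
    return PAM_SUCCESS;
}

/* Simulated module side. A 2FA-aware module asks for two hidden values;
 * issuing both in one conversation call is a simplification of how a real
 * module sequences its prompts. Expected values are constructed test data
 * checked with a plain strcmp, since the point is the prompt exchange. */
static int module_auth(conv_fn conv, void *appdata, int nfactors,
                       const char *want_pw, const char *want_otp)
{
    const struct pam_message m0 = { PAM_PROMPT_ECHO_OFF, "Password: " };
    const struct pam_message m1 = { PAM_PROMPT_ECHO_OFF, "Second Factor: " };
    const struct pam_message *msgs[2] = { &m0, &m1 };
    struct pam_response *r = NULL;
    int rc = conv(nfactors, msgs, &r, appdata);
    if (rc != PAM_SUCCESS) return rc;
    int ok = r[0].resp && strcmp(r[0].resp, want_pw) == 0;
    if (nfactors == 2) ok = ok && r[1].resp && strcmp(r[1].resp, want_otp) == 0;
    free_responses(r, nfactors);
    return ok ? PAM_SUCCESS : PAM_AUTH_ERR;
}

/* The situations from the thread, with constructed credentials: password
 * "hunter2" and a six-digit OTP "123456" (a YubiKey OTP would be 44
 * characters; only otp_len would change). */
int scenario_password_only(void)
{   struct app_creds c = { "hunter2", 0 };
    return module_auth(single_prompt_conv, &c, 1, "hunter2", NULL); }
int scenario_2fa_single_prompt(void)
{   struct app_creds c = { "hunter2123456", 6 };
    return module_auth(single_prompt_conv, &c, 2, "hunter2", "123456"); }
int scenario_2fa_split_prompt(void)
{   struct app_creds c = { "hunter2123456", 6 };
    return module_auth(split_prompt_conv, &c, 2, "hunter2", "123456"); }
int scenario_2fa_split_wrong_otp(void)
{   struct app_creds c = { "hunter2654321", 6 };
    return module_auth(split_prompt_conv, &c, 2, "hunter2", "123456"); }

int main(void)
{
    printf("password only, single-prompt conv: rc=%d\n", scenario_password_only());
    printf("2FA, single-prompt conv:           rc=%d\n", scenario_2fa_single_prompt());
    printf("2FA, split conv:                   rc=%d\n", scenario_2fa_split_prompt());
    printf("2FA, split conv, wrong OTP:        rc=%d\n", scenario_2fa_split_wrong_otp());
    return 0;
}
```

Two caveats for anyone tempted to build on the split callback. It only
works because the application knows the OTP length in advance, which holds
for fixed-length tokens but means the server, not the module, is deciding
where the factors end; and it does nothing about the client-side limitation
Alexander raises, since the VPN client still sends one field and the server
cannot ask it a second question. It shows what the conversation has to do,
not a supported way to do it in OpenVPN.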
