Yeah, I found some of this info upon some additional Google searching; it's
unfortunate.  Is there any way to support simply appending the OTP onto the
password?  I know it used to work this way for SSH in previous C7 versions.
Can straight LDAP binds validate the OTP, or am I stuck with trying to
figure out how to make RADIUS work if I want this?  I'm pretty new to using
2FA in FreeIPA, so I'm not sure what is available.


On Wed, Oct 18, 2017 at 3:21 PM, Alexander Bokovoy <>

> On Wed, 18 Oct 2017, Jeremy Utley via FreeIPA-users wrote:
>> Hello all!
>> In the process of changing to a FreeIPA based authentication system for a
>> part of our network.  FreeIPA is set up, working beautifully for most
>> things already.  Right now, we're trying to convert our old jump hosts from
>> C6+OpenLDAP+Vasco OTP devices to a new C7+FreeIPA+Yubikey setup.  The way
>> this setup currently works is that the user creates a VPN connection to the
>> jump host (using OpenVPN and static VPN keys), logs into the jump via SSH
>> over the VPN tunnel with the Vasco OTP password, then can move from there
>> to other machines on the network with only a password.
>> As part of the transition to the new setup, I wanted to change to having
>> OpenVPN authenticate against FreeIPA using the openvpn pam plugin.  This
>> was working fine when using just passwords, OpenVPN prompted for the
>> Username and Password and connected, so the basic idea seems to work.  But
>> as soon as I enabled the first user with the Yubikey 2FA, the OpenVPN
>> server will no longer authenticate him when using Password+Yubikey value.
>> However, that user can authenticate to the FreeIPA web interface
>> successfully with the Yubikey, as well as SSH to the machine running
>> Openvpn (tested by using the old setup and jumping to the new hosts).
>> As I understand it, using the OpenVPN PAM module should allow it to auth
>> just like SSH does, so I'm puzzled why this is failing as it does.  I
>> created the OpenVPN PAM configuration file by copying /etc/pam.d/login to
>> /etc/pam.d/openvpn, as well as adding the new openvpn service to FreeIPA
>> and granting the user access to it (of course, as the user is allowed to
>> connect when OTP is not enabled).
>> Has anyone done a similar setup before, and have any ideas where I went
>> wrong?  I'd like to have this working for added security on our VPN
>> connections.
> OpenVPN's pam authentication plugin does not properly implement support
> for multiple prompts which pam_sss produces in case of 2FA. It only
> supports single password request. See code in
> auth-pam/auth-pam.c#L509
> SSSD has support for such behavior in sshd, but the service name is
> literally hard-coded.
> There are tickets to track the latter part in SSSD:
> and
> Patches are welcome.
> As to openvpn itself, there is a little problem that afaik openvpn
> doesn't have a mechanism to negotiate multiple prompts with its client.
> --
> / Alexander Bokovoy
FreeIPA-users mailing list --
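To make the point in Alexander's reply concrete, here is an added C example (written for this note; it is not OpenVPN's, SSSD's or libpam's own code). It defines local stand-ins for the libpam conversation types so it compiles without libpam, a constructed mock of the module side that, like a 2FA-enabled pam_sss, issues two separate echo-off prompts, and two client conversation functions: one that can only ever hand over a single password, and one that answers prompts from a queue. The prompt strings and the secrets "hunter2"/"123456" are made-up sample values.

```c
#define _POSIX_C_SOURCE 200809L   /* for strdup() under strict -std modes */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Local stand-ins for the libpam types and constants (same names and values as
 * Linux-PAM's <security/pam_appl.h>) so this file builds without libpam. */
#define PAM_SUCCESS         0
#define PAM_AUTH_ERR        7
#define PAM_CONV_ERR        19
#define PAM_PROMPT_ECHO_OFF 1
struct pam_message  { int msg_style; const char *msg; };
struct pam_response { char *resp; int resp_retcode; };
struct pam_conv {
    int (*conv)(int, const struct pam_message **, struct pam_response **, void *);
    void *appdata_ptr;
};

/* The module owns the response array once the conversation returns it. */
static void free_responses(struct pam_response *r, int n)
{
    for (int i = 0; i < n; i++) free(r[i].resp);
    free(r);
}

/* Constructed module side: like pam_sss with 2FA on, it asks for the first
 * factor and then, in a separate conversation call, for the second. Prompt
 * strings and the expected secrets "hunter2"/"123456" are sample values. */
static int mock_module_authenticate(const struct pam_conv *pc, int factors)
{
    const char *prompts[2]  = { "First Factor: ", "Second Factor: " };
    const char *expected[2] = { "hunter2", "123456" };
    for (int i = 0; i < factors; i++) {
        struct pam_message m = { PAM_PROMPT_ECHO_OFF, prompts[i] };
        const struct pam_message *mp = &m;
        struct pam_response *r = NULL;
        int rc = pc->conv(1, &mp, &r, pc->appdata_ptr);
        if (rc != PAM_SUCCESS) return rc;      /* client could not answer */
        int ok = r && r->resp && strcmp(r->resp, expected[i]) == 0;
        if (r) free_responses(r, 1);
        if (!ok) return PAM_AUTH_ERR;          /* answered, but wrong */
    }
    return PAM_SUCCESS;
}

/* Client A: has exactly one password to hand over, the single-request
 * behaviour the message above attributes to OpenVPN's PAM plugin. A second
 * echo-off prompt has nothing to answer with and aborts the conversation. */
struct single_answer { const char *password; int used; };
static int single_answer_conv(int num_msg, const struct pam_message **msg,
                              struct pam_response **resp, void *appdata_ptr)
{
    struct single_answer *sa = appdata_ptr;
    struct pam_response *r = calloc((size_t)num_msg, sizeof *r);
    if (!r) return PAM_CONV_ERR;
    for (int i = 0; i < num_msg; i++) {
        if (msg[i]->msg_style != PAM_PROMPT_ECHO_OFF) continue;
        if (sa->used) { free_responses(r, num_msg); return PAM_CONV_ERR; }
        r[i].resp = strdup(sa->password);
        sa->used = 1;
    }
    *resp = r;
    return PAM_SUCCESS;
}

/* Client B: answers echo-off prompts from a queue (password, then OTP), so a
 * second prompt is satisfied instead of aborting the conversation. */
struct answer_queue { const char *answers[4]; int count; int next; };
static int multi_prompt_conv(int num_msg, const struct pam_message **msg,
                             struct pam_response **resp, void *appdata_ptr)
{
    struct answer_queue *q = appdata_ptr;
    struct pam_response *r = calloc((size_t)num_msg, sizeof *r);
    if (!r) return PAM_CONV_ERR;
    for (int i = 0; i < num_msg; i++) {
        if (msg[i]->msg_style != PAM_PROMPT_ECHO_OFF) continue;
        if (q->next >= q->count) { free_responses(r, num_msg); return PAM_CONV_ERR; }
        r[i].resp = strdup(q->answers[q->next++]);
    }
    *resp = r;
    return PAM_SUCCESS;
}

/* Scenarios; each returns the PAM result code the module would report. */
int single_client(int factors)
{
    struct single_answer sa = { "hunter2", 0 };
    struct pam_conv pc = { single_answer_conv, &sa };
    return mock_module_authenticate(&pc, factors);
}
int multi_client(const char *otp)
{
    struct answer_queue q = { { "hunter2", otp }, 2, 0 };
    struct pam_conv pc = { multi_prompt_conv, &q };
    return mock_module_authenticate(&pc, 2);
}
```

With one factor both clients succeed, which matches the password-only OpenVPN test in the original message. With two factors the single-answer client fails with PAM_CONV_ERR before any credential is checked, whereas the queue-based client succeeds with the right OTP and gets PAM_AUTH_ERR with a wrong one. That distinction (conversation error versus authentication error) is what to look for in the PAM or SSSD logs when diagnosing a client that cannot handle the second prompt.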