Yeah, I found some of this info upon some additional Google searching; it's
unfortunate. Is there any way to support simply appending the OTP onto the
password? I know it used to work this way for SSH in previous C7 versions.
Can straight LDAP binds validate the OTP, or am I stuck with trying to
figure out how to make RADIUS work if I want this? I'm pretty new to using
2FA in FreeIPA, so I'm not sure what is available.
On Wed, Oct 18, 2017 at 3:21 PM, Alexander Bokovoy <aboko...@redhat.com>
> On Wed, 18 Oct 2017, Jeremy Utley via FreeIPA-users wrote:
>> Hello all!
>> In the process of changing to a FreeIPA-based authentication system for a
>> part of our network. FreeIPA is set up, working beautifully for most
>> things already. Right now, we're trying to convert our old jump hosts
>> (C6+OpenLDAP+Vasco OTP devices) to a new C7+FreeIPA+Yubikey setup. The way
>> this setup currently works is that the user creates a VPN connection to the
>> jump host (using OpenVPN and static VPN keys), logs into the jump via SSH
>> over the VPN tunnel with the Vasco OTP password, then can move from there
>> to other machines on the network with only a password.
>> As part of the transition to the new setup, I wanted to change to having
>> OpenVPN authenticate against FreeIPA using the openvpn pam plugin. This
>> was working fine when using just passwords, OpenVPN prompted for the
>> Username and Password and connected, so the basic idea seems to work. But
>> as soon as I enabled the first user with the Yubikey 2FA, the OpenVPN
>> server will no longer authenticate him when using Password+Yubikey value.
>> However, that user can authenticate to the FreeIPA web interface
>> successfully with the Yubikey, as well as SSH to the machine running
>> OpenVPN (tested by using the old setup and jumping to the new hosts).
>> As I understand it, using the OpenVPN PAM module should allow it to auth
>> just like SSH does, so I'm puzzled why this is failing as it does. I
>> created the OpenVPN PAM configuration file by copying /etc/pam.d/login to
>> /etc/pam.d/openvpn, as well as adding the new openvpn service to FreeIPA
>> and granting the user access to it (of course, as the user is allowed to
>> connect when OTP is not enabled).
>> Has anyone done a similar setup before, and have any ideas where I went
>> wrong? I'd like to have this working for added security on our VPN
> OpenVPN's PAM authentication plugin does not properly implement support
> for multiple prompts, which pam_sss produces in case of 2FA. It only
> supports a single password request. See code in
> SSSD has support for such behavior in sshd, but the service name is
> literally hard-coded.
> There are tickets to track the latter part in SSSD:
> https://pagure.io/SSSD/sssd/issue/3438 and
> https://pagure.io/SSSD/sssd/issue/3264. Patches are welcome.
> As to openvpn itself, there is a little problem that afaik openvpn
> doesn't have a mechanism to negotiate multiple prompts with its client.
> / Alexander Bokovoy
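As an added illustration of the multi-prompt point above (example code, not from the thread, OpenVPN or SSSD): a PAM conversation callback that answers each prompt pam_sss issues with the next factor in order, and fails the conversation when a prompt arrives with no factor left. The PAM constants and structs are stand-ins assumed to match Linux-PAM's public header, and the prompt texts and factor values used to exercise it are constructed.

```c
#include <stdlib.h>
#include <string.h>
/* Stand-ins for Linux-PAM's public definitions so this compiles without
 * libpam-dev; with it, replace this block by #include <security/pam_appl.h>. */
#define PAM_SUCCESS 0
#define PAM_CONV_ERR 19
#define PAM_PROMPT_ECHO_OFF 1
#define PAM_PROMPT_ECHO_ON 2
#define PAM_ERROR_MSG 3
#define PAM_TEXT_INFO 4
struct pam_message { int msg_style; const char *msg; };
struct pam_response { char *resp; int resp_retcode; };

/* State passed through appdata_ptr: the factors to supply, in the order
 * the stack asks for them (password first, then the OTP). */
struct factors { const char **answers; int count; int next; };

/* Conversation callback: each prompt is answered with the next factor. A client
 * holding a single password has nothing for pam_sss's second prompt and fails. */
int multi_factor_conv(int num_msg, const struct pam_message **msg,
                      struct pam_response **resp, void *appdata_ptr)
{
    struct factors *f = appdata_ptr;
    struct pam_response *r; size_t n;
    if (num_msg <= 0 || !f) return PAM_CONV_ERR;
    r = calloc((size_t)num_msg, sizeof *r);
    if (!r) return PAM_CONV_ERR;
    for (int i = 0; i < num_msg; i++) {
        switch (msg[i]->msg_style) {
        case PAM_PROMPT_ECHO_OFF:
        case PAM_PROMPT_ECHO_ON:
            if (f->next >= f->count) goto fail;   /* more prompts than factors */
            n = strlen(f->answers[f->next]) + 1;
            if (!(r[i].resp = malloc(n))) goto fail;
            memcpy(r[i].resp, f->answers[f->next++], n);
            break;
        case PAM_ERROR_MSG:
        case PAM_TEXT_INFO:
            break;                                /* informational, no reply */
        default:
            goto fail;
        }
    }
    *resp = r;
    return PAM_SUCCESS;
fail:
    for (int i = 0; i < num_msg; i++) free(r[i].resp);
    free(r);
    return PAM_CONV_ERR;
}
```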
FreeIPA-users mailing list -- email@example.com
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org