On Wed, 18 Oct 2017, Jeremy Utley wrote:
Yeah, I found some of this info upon some additional google searching, it's
unfortunate.  Is there any way to support simply appending the OTP onto the
password - I know it used to work this way for SSH in previous C7 versions
- can straight LDAP binds validate the OTP, or am I stuck with trying to
figure out how to make Radius work if I want this.  I'm pretty new to using
2FA in FreeIPA, so I'm not sure what is available.
As I said, there are bugs opened for SSSD to support this. Patches are
welcome.


Jeremy

On Wed, Oct 18, 2017 at 3:21 PM, Alexander Bokovoy <aboko...@redhat.com>
wrote:

On Wed, 18 Oct 2017, Jeremy Utley via FreeIPA-users wrote:

Hello all!

In the process of changing to a FreeIPA based authentication system for a
part of our network.  FreeIPA is set up, working beautifully for most
things already.  Right now, we're trying to convert our old jump hosts from
C6+OpenLDAP+Vasco OTP devices to a new C7+FreeIPA+Yubikey setup.  The way
this setup currently works is that the user creates a VPN connection to the
jump host (using OpenVPN and static VPN keys), logs into the jump via SSH
over the VPN tunnel with the Vasco OTP password, then can move from there
to other machines on the network with only password.

As part of the transition to the new setup, I wanted to change to having
OpenVPN authenticate against FreeIPA using the openvpn pam plugin.  This
was working fine when using just passwords, OpenVPN prompted for the
Username and Password and connected, so the basic idea seems to work.  But
as soon as I enabled the first user with the Yubikey 2FA, the OpenVPN
server will no longer authenticate him when using Password+Yubikey value.
However, that user can authenticate to the FreeIPA web interface
successfully with the Yubikey, as well as SSH to the machine running
Openvpn (tested by using the old setup and jumping to the new hosts).

As I understand it, using the OpenVPN PAM module should allow it to auth
just like SSH does, so I'm puzzled why this is failing as it does.  I
created the OpenVPN PAM configuration file by copying /etc/pam.d/login to
/etc/pam.d/openvpn, as well as adding the new openvpn service to FreeIPA
and granting the user access to it (of course, as the user is allowed to
connect when OTP is not enabled).

Has anyone done a similar setup before, and have any ideas where I went
wrong?  I'd like to have this working for added security on our VPN
connections.

OpenVPN's pam authentication plugin does not properly implement support
for multiple prompts which pam_sss produces in case of 2FA. It only
supports single password request. See code in
https://github.com/OpenVPN/openvpn/blob/master/src/plugins/auth-pam/auth-pam.c#L509

SSSD has support for such behavior in sshd but the service name is
literally hard-coded.
https://pagure.io/SSSD/sssd/blob/master/f/src/sss_client/pam_sss.c#_1413

There are tickets to track the latter part in SSSD:
https://pagure.io/SSSD/sssd/issue/3438 and
https://pagure.io/SSSD/sssd/issue/3264. Patches are welcome.

As to openvpn itself, there is a little problem that afaik openvpn
doesn't have a mechanism to negotiate multiple prompts with its client.


--
/ Alexander Bokovoy


--
/ Alexander Bokovoy
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
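An added illustration of the mechanism Alexander describes, not code from this thread, from OpenVPN or from SSSD: a small C simulation of a PAM conversation in which the module asks for each factor in its own round. The `pam_message`/`pam_response` structures and `PAM_*` constants are defined locally to mirror the shape of libpam's conversation interface so the file builds without libpam (an assumption for the example, not the real headers); the prompt strings, the expected password and OTP, and the two client-side conversation functions are all constructed for this demonstration. `single_prompt_conv` behaves like a client that only ever collected one secret and fails as soon as a second prompt arrives; `multi_prompt_conv` answers prompts in the order they are asked.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Local stand-ins mirroring the shape of libpam's conversation interface
 * (assumption for this example; the real definitions live in <security/pam_appl.h>). */
#define PAM_SUCCESS          0
#define PAM_AUTH_ERR         7
#define PAM_CONV_ERR        19
#define PAM_PROMPT_ECHO_OFF  1

struct pam_message  { int msg_style; const char *msg; };
struct pam_response { char *resp; int resp_retcode; };

typedef int (*conv_fn)(int num_msg, const struct pam_message **msg,
                       struct pam_response **resp, void *appdata);

/* What the client collected from the user before talking to PAM. */
struct creds { const char *password; const char *otp; int prompts_seen; };

static char *dup_string(const char *s)
{
    size_t n = strlen(s) + 1;
    char *d = malloc(n);
    if (d != NULL) memcpy(d, s, n);
    return d;
}

/* Allocate one response for a single-message conversation round. */
static int fill_response(struct pam_response **resp, const char *answer)
{
    struct pam_response *r = calloc(1, sizeof *r);
    if (r == NULL) return PAM_CONV_ERR;
    r->resp = dup_string(answer);
    if (r->resp == NULL) { free(r); return PAM_CONV_ERR; }
    *resp = r;
    return PAM_SUCCESS;
}

/* Single-prompt style client: it only has a password to hand over, so the
 * second hidden prompt that a 2FA module issues cannot be answered. */
static int single_prompt_conv(int num_msg, const struct pam_message **msg,
                              struct pam_response **resp, void *appdata)
{
    struct creds *c = appdata;
    if (num_msg != 1 || msg[0]->msg_style != PAM_PROMPT_ECHO_OFF)
        return PAM_CONV_ERR;
    if (c->prompts_seen++ > 0)
        return PAM_CONV_ERR;   /* no second secret was ever collected */
    return fill_response(resp, c->password);
}

/* Multi-prompt aware client: answers hidden prompts in the order the module
 * asks, first with the password and then with the one-time code. */
static int multi_prompt_conv(int num_msg, const struct pam_message **msg,
                             struct pam_response **resp, void *appdata)
{
    struct creds *c = appdata;
    if (num_msg != 1 || msg[0]->msg_style != PAM_PROMPT_ECHO_OFF)
        return PAM_CONV_ERR;
    switch (c->prompts_seen++) {
    case 0:  return fill_response(resp, c->password);
    case 1:  return fill_response(resp, c->otp);
    default: return PAM_CONV_ERR;
    }
}

/* Simulated 2FA module: one conversation round per factor. The expected
 * values are constructed test data; a real module checks with its backend. */
static int simulated_2fa_auth(conv_fn conv, void *appdata)
{
    static const char *prompts[]  = { "Password: ", "Second factor: " };
    static const char *expected[] = { "correct horse", "123456" };
    for (int i = 0; i < 2; i++) {
        struct pam_message m = { PAM_PROMPT_ECHO_OFF, prompts[i] };
        const struct pam_message *mp = &m;
        struct pam_response *r = NULL;
        int rc = conv(1, &mp, &r, appdata);
        if (rc != PAM_SUCCESS) return rc;   /* conversation broke down */
        int ok = r->resp != NULL && strcmp(r->resp, expected[i]) == 0;
        free(r->resp);
        free(r);
        if (!ok) return PAM_AUTH_ERR;       /* factor verified, but wrong */
    }
    return PAM_SUCCESS;
}

int run_client(conv_fn conv, const char *password, const char *otp)
{
    struct creds c = { password, otp, 0 };
    return simulated_2fa_auth(conv, &c);
}

int run_single_prompt_client(void) { return run_client(single_prompt_conv, "correct horse", "123456"); }
int run_multi_prompt_client(void)  { return run_client(multi_prompt_conv,  "correct horse", "123456"); }

int main(void)
{
    printf("single-prompt client: rc=%d (PAM_CONV_ERR=%d)\n", run_single_prompt_client(), PAM_CONV_ERR);
    printf("multi-prompt client:  rc=%d (PAM_SUCCESS=%d)\n",  run_multi_prompt_client(),  PAM_SUCCESS);
    return 0;
}
```

The single-prompt client does not fail because the credentials are wrong; it fails with a conversation error before the second factor is ever checked, which is the same class of failure the thread attributes to a plugin that supports only one password request. Fixing it is a client-side change (collect and deliver every prompt's answer), not something a server-side PAM or LDAP configuration can paper over.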