On Thu, Nov 08, 2018 at 06:51:22PM -0000, Eric Fredrickson via FreeIPA-users
wrote:
> Hello everyone,
>
> I'm having an issue with OTP when logging into a vpn server that is a client
> of FreeIPA. I can login with no issues when OTP is disabled.
>
> FreeIPA Setup:
> CentOS 7.5
> FreeIPA 4.5.4
>
> HBAC Service: openvpn
> HBAC Rule:
> [root@ipa ~]# ipa hbacrule-show openvpn_access
> Rule name: openvpn_access
> Description: VPN users HBAC rule for accessing <vpnhost> via openvpn service.
> Enabled: TRUE
> Users: <users>
> Hosts: vpnhost.localdomain.local
> Services: openvpn
>
> User account:
> [root@ipa ~]# ipa user-show <omitted>
> User login: <omitted>
> First name: <omitted>
> Last name: <omitted>
> Home directory: /home/<omitted>
> Login shell: /bin/bash
> Principal name: <omitted>
> Principal alias: <omitted>
> Email address: <omitted>
> UID: 1909600003
> GID: 1909600003
> User authentication types: otp
> Certificate: <omitted>
> Account disabled: False
> Password: True
> Member of groups: vpn_users
> Member of HBAC rule: openvpn_access
> Indirect Member of HBAC rule: user_ipa_access
> Kerberos keys available: True
>
> OpenVPN server:
> /etc/pam.d/openvpn
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth required pam_env.so
> auth required pam_faildelay.so delay=2000000
> auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
> auth [default=1 ignore=ignore success=ok] pam_localuser.so
> auth sufficient pam_unix.so nullok try_first_pass
> auth requisite pam_succeed_if.so uid >= 1000 quiet_success
> auth sufficient pam_sss.so forward_pass
> auth required pam_deny.so
>
> account required pam_unix.so
> account sufficient pam_localuser.so
> account sufficient pam_succeed_if.so uid < 1000 quiet
> account [default=bad success=ok user_unknown=ignore] pam_sss.so
> account required pam_permit.so
>
> password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1
> password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
> password sufficient pam_sss.so use_authtok
>
>
> password required pam_deny.so
>
> session optional pam_keyinit.so revoke
> session required pam_limits.so
> -session optional pam_systemd.so
> session optional pam_oddjob_mkhomedir.so umask=0077
> session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> session required pam_unix.so
> session optional pam_sss.so
>
> server.conf
> plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn
Can you try
plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so sshd
as a workaround? This will use /etc/pam.d/sshd but there shouldn't be
much difference. It looks like openvpn behaves a bit like sshd here and
adds the string with long-term password and token value to every prompt.
Currently pam_sss only expects the 'sshd' PAM service to do so.
bye,
Sumit
>
>
> Any help would be greatly appreciated. Any other information that you may
> need, please feel free to ask. I've read multiple threads, some have gotten
> it to work without posting answers, some have not and has stated openvpn does
> not support multiple prompts.
>
> Eric
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/[email protected]
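The workaround above changes only the service name that openvpn-plugin-auth-pam.so hands to PAM, so the useful check before and after the change is: which PAM service does server.conf actually name, and does that service's auth stack reach pam_sss.so? The script below is an added example written for this archive page, not code from the OpenVPN, SSSD or FreeIPA projects. The function names (auth_pam_service, inspect_auth_stack, diagnose) are my own, the sample server.conf and PAM stack strings are constructed from the configuration quoted in the thread, and the "use sshd" hint it emits simply restates Sumit's point that pam_sss currently expects the combined password+token string only from the 'sshd' service; the script does not verify that against SSSD itself.

```python
"""Report which PAM service OpenVPN's auth-pam plugin uses and whether that
service's 'auth' stack reaches pam_sss.so.

Added example for this thread, not code from OpenVPN, SSSD or FreeIPA.  It
parses the two file formats quoted above: an OpenVPN server.conf 'plugin'
line and a Linux-PAM service file.
"""
import re
import shlex
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed samples.  The plugin line and the auth stack are copied from
# the thread; the second server.conf applies the 'sshd' workaround.
SERVER_CONF_ORIGINAL = """\
port 1194
plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn
"""
SERVER_CONF_WORKAROUND = """\
port 1194
plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so sshd
"""
PAM_OPENVPN = """\
#%PAM-1.0
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth [default=1 ignore=ignore success=ok] pam_localuser.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so forward_pass
auth required pam_deny.so
account required pam_unix.so
"""

# PAM line: type  control  module [args]; control may be a bracketed action
# list, and a leading '-' marks the module as optional.
PAM_LINE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)(?:\s+(.*))?$")


def auth_pam_service(server_conf: str) -> Optional[str]:
    """Return the PAM service name given to openvpn-plugin-auth-pam.so.

    The first word of the plugin argument is the service name; any further
    words (a prompt mapping such as 'login USERNAME password PASSWORD') are
    ignored.  Returns None if the plugin is absent or has no argument.
    """
    for raw in server_conf.splitlines():
        line = re.split(r"[#;]", raw, 1)[0].strip()   # '#' and ';' start comments
        if not line:
            continue
        words = shlex.split(line)
        if len(words) < 2 or words[0] != "plugin":
            continue
        if not words[1].endswith("openvpn-plugin-auth-pam.so"):
            continue
        if len(words) < 3:
            return None
        return words[2].split()[0]
    return None


@dataclass
class AuthStack:
    modules: List[str] = field(default_factory=list)  # auth-phase modules, in order
    sss_forward_pass: bool = False                    # pam_sss.so carries forward_pass
    sss_reachable: bool = False                       # pam_sss.so precedes pam_deny.so


def inspect_auth_stack(pam_file: str) -> AuthStack:
    """Walk the 'auth' lines of a PAM service file."""
    stack = AuthStack()
    for raw in pam_file.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = PAM_LINE.match(line) if line else None
        if not m or m.group(1) != "auth":
            continue
        module, args = m.group(3), (m.group(4) or "").split()
        if module == "pam_sss.so":
            stack.sss_forward_pass = "forward_pass" in args
            stack.sss_reachable = "pam_deny.so" not in stack.modules
        stack.modules.append(module)
    return stack


def diagnose(server_conf: str, pam_dir: Dict[str, str]) -> List[str]:
    """pam_dir maps service name -> file text, standing in for /etc/pam.d."""
    service = auth_pam_service(server_conf)
    if service is None:
        return ["openvpn-plugin-auth-pam.so is not loaded with a PAM service name"]
    findings = [f"openvpn authenticates through PAM service '{service}'"]
    if service not in pam_dir:
        findings.append(f"/etc/pam.d/{service} missing: Linux-PAM falls back to 'other'")
        return findings
    stack = inspect_auth_stack(pam_dir[service])
    if "pam_sss.so" not in stack.modules:
        findings.append("pam_sss.so is not in the auth stack: IPA users cannot authenticate")
    elif not stack.sss_reachable:
        findings.append("pam_deny.so precedes pam_sss.so: SSSD is never consulted")
    else:
        findings.append("pam_sss.so reachable in the auth stack, forward_pass "
                        + ("on" if stack.sss_forward_pass else "off"))
    if service != "sshd":
        # Sumit's point in the thread: pam_sss only expects the combined
        # password+token string from the 'sshd' service.
        findings.append("service is not 'sshd': try the plugin line with 'sshd' as the workaround")
    return findings
```

Run it against a real host by reading /etc/openvpn/server.conf and the matching /etc/pam.d/ file into the two arguments of diagnose(); the constructed strings are only there so the block runs offline.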