On Tue, 31 Mar 2015, Dmitri Pal wrote:
On 03/31/2015 05:30 PM, Andrew Holway wrote:
Hello FreeIPA people,

I must say that FreeIPA v4 looks very pretty and I am looking forward to trying out the new features.

I'm wondering what application and tools can be used to authenticate with the OTP in freeipa. For instance, if we wanted to set up a VPN that uses it how might we go about that? Is there a common library that I should look out for?

With VPN you usually do the following:
a) Pick a VPN of your choice based on features and needs you have
b) Make sure the VPN server supports different authentication methods. You need at least RADIUS which is the most popular option and I would be surprised to find a VPN server that does not talk RADIUS to actually do the authentication.
c) Set up a freeRADIUS server on a Fedora 21/RHEL 7.1/CentOS 7.1 (when it happens) box, configure it to do kinit authentication or pam authentication via SSSD against IPA, see freeRADIUS manuals for more details
d) Connect VPN server to the RADIUS server
e) Provision tokens (or hook IPA to existing OTP solution using another RADIUS server)
f) Profit

If you have an application that can use RADIUS in such setup you can use FreeIPA 2FA. Also see http://www.freeipa.org/page/Web_App_Authentication how to enable any web application to take advantage of the IPA authentication including 2FA.
It is simple to configure OpenVPN with authentication against FreeIPA in
Fedora 21, all the heavy lifting is done by SSSD:

# grep plugin /etc/openvpn/server.conf
plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so "openvpn login USERNAME password PASSWORD"

# LANG=C ls -l /etc/pam.d/openvpn
lrwxrwxrwx. 1 root root 11 Apr 1 10:55 /etc/pam.d/openvpn -> system-auth

# LANG=C ipa user-show vpnuser
 User login: vpnuser
 First name: VPN
 Last name: TestUser
 Home directory: /home/vpnuser
 Login shell: /bin/sh
 Email address: vpnu...@example.com
 UID: 1792600005
 GID: 1792600005
 Account disabled: False
 User authentication types: otp
 Password: True
 Member of groups: ipausers
 Kerberos keys available: True

Apr 01 11:24:50 ipa.example.com openvpn[29723]: AUTH-PAM: BACKGROUND: received command code: 0
Apr 01 11:24:50 ipa.example.com openvpn[29723]: AUTH-PAM: BACKGROUND: USER: vpnuser
Apr 01 11:24:50 ipa.example.com openvpn[29723]: AUTH-PAM: BACKGROUND: my_conv[0] query='login:' style=2
Apr 01 11:24:50 ipa.example.com openvpn[29723]: AUTH-PAM: BACKGROUND: name match found, query/match-string ['login:', 'login'] = 'USERNAME'
Apr 01 11:24:50 ipa.example.com openvpn[29723]: AUTH-PAM: BACKGROUND: my_conv[0] query='Password: ' style=1
Apr 01 11:24:50 ipa.example.com openvpn[29723]: AUTH-PAM: BACKGROUND: name match found, query/match-string ['Password: ', 'password'] = 'PASSWORD'
Apr 01 11:24:50 ipa.example.com openvpn[29724]: pam_unix(openvpn:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=vpnuser
Apr 01 11:24:53 ipa.example.com openvpn[29724]: pam_sss(openvpn:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost= user=vpnuser
Apr 01 11:24:55 ipa.example.com openvpn[29732]: MY-IP_ADDRESS:50232 PLUGIN_CALL: POST /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=0
Apr 01 11:24:55 ipa.example.com openvpn[29732]: MY-IP-ADDRESS:50232 TLS: Username/Password authentication succeeded for username 'vpnuser'

--
/ Alexander Bokovoy
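The log above shows the expected shape of a working OTP login: pam_unix denies (there is no local password), then pam_sss grants after SSSD has checked password+OTP against IPA. As an added example, not code from the thread or from the FreeIPA/OpenVPN projects, here is a small Python parser that groups the OpenVPN PAM syslog lines by auth child PID and flags any login granted by a module other than pam_sss, since such a grant never reached SSSD and so never checked the IPA OTP. The sample log is constructed: the first two lines are the ones from the thread, the rest are hypothetical, and pam_other is a placeholder module name.

```python
import re
from collections import defaultdict

# Constructed sample log: the two PAM lines from the thread (PID 29724), plus
# two hypothetical sessions: a wrong OTP rejected by pam_sss (PID 29800) and a
# grant by the placeholder module "pam_other" (PID 29900), standing in for any
# module that admits a user without going through SSSD/IPA.
SAMPLE_LOG = """\
Apr 01 11:24:50 ipa.example.com openvpn[29724]: pam_unix(openvpn:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=vpnuser
Apr 01 11:24:53 ipa.example.com openvpn[29724]: pam_sss(openvpn:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost= user=vpnuser
Apr 01 11:31:10 ipa.example.com openvpn[29800]: pam_unix(openvpn:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=vpnuser
Apr 01 11:31:13 ipa.example.com openvpn[29800]: pam_sss(openvpn:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=vpnuser
Apr 01 11:40:00 ipa.example.com openvpn[29900]: pam_other(openvpn:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost= user=vpnuser
"""

# One PAM auth line: the module, the auth child's PID (one per login
# attempt), the result and the user. "\buser=" skips the "ruser=" field.
PAM_RE = re.compile(
    r"openvpn\[(?P<pid>\d+)\]: (?P<module>pam_\w+)\(openvpn:auth\): "
    r"authentication (?P<result>success|failure);.*\buser=(?P<user>\S+)")


def parse_pam_events(text):
    """Return one dict per PAM auth line, in log order."""
    events = []
    for line in text.splitlines():
        m = PAM_RE.search(line)
        if m:
            events.append({"pid": int(m["pid"]), "module": m["module"],
                           "ok": m["result"] == "success", "user": m["user"]})
    return events


def sessions(events):
    """Group events by PID so each login attempt becomes one record."""
    by_pid = defaultdict(list)
    for e in events:
        by_pid[e["pid"]].append(e)
    return [{"pid": pid, "user": evs[0]["user"],
             "granted_by": [e["module"] for e in evs if e["ok"]],
             "denied_by": [e["module"] for e in evs if not e["ok"]]}
            for pid, evs in sorted(by_pid.items())]


def grants_not_from(sess, expected="pam_sss"):
    """Logins granted by a module other than SSSD: those never saw the IPA OTP."""
    return [(s["pid"], s["user"], m)
            for s in sess for m in s["granted_by"] if m != expected]
```

Run `grants_not_from(sessions(parse_pam_events(SAMPLE_LOG)))` over a real journal export to list the attempts worth investigating; on the constructed sample only the pam_other session is reported.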
