Hopefully clarify usage, and fix spelling errors.

Document new functionality WRT PAM_USER and implicit password
responses when a non-matching non-echoing PROMPT is made by a PAM
module.

Signed-off-by: Tim Small <t...@seoss.co.uk>
---
 src/plugins/auth-pam/README.auth-pam | 152 ++++++++++++++++++++++++++++++-----
 1 file changed, 133 insertions(+), 19 deletions(-)

diff --git a/src/plugins/auth-pam/README.auth-pam 
b/src/plugins/auth-pam/README.auth-pam
index e123690..5f55857 100644
--- a/src/plugins/auth-pam/README.auth-pam
+++ b/src/plugins/auth-pam/README.auth-pam
@@ -7,7 +7,7 @@ authentication via PAM, and essentially allows any 
authentication
 method supported by PAM (such as LDAP, RADIUS, or Linux Shadow
 passwords) to be used with OpenVPN.  While PAM supports
 username/password authentication, this can be combined with X509
-certificates to provide two indepedent levels of authentication.
+certificates to provide two independent levels of authentication.

 This module uses a split privilege execution model which will
 function even if you drop openvpn daemon privileges using the user,
@@ -31,32 +31,133 @@ The required service-type parameter corresponds to
 the PAM service definition file usually found
 in /etc/pam.d.

+The plugin first uses PAM to authenticate the user, if this succeeds it
+then verifies that the users' account is valid via PAM as well.  Only
+if both of these steps succeeds does the plugin approve the OpenVPN
+authentication attempt.
+
+In PAM terminology, the openvpn-plugin-auth-pam.so acts as a PAM
+"application" - that is to say it is an OpenVPN plugin and it makes use
+of the PAM API to authenticate users.  openvpn-plugin-auth-pam.so is
+NOT a PAM module itself.
+
+Similarly it is also NOT possible to merely use the OpenVPN plugin
+syntax to directly specify the use of a particular PAM module in
+isolation...  It IS however possible to arrange for such use of a
+particular PAM module (if desired without changing the behaviour of
+other applications which make use of PAM) by the usual means i.e.
+creating a custom PAM service definition.
+
+
+DEFAULT BEHAVIOUR
+
+By default the plugin will supply the username to the PAM modules
+(by setting the 'user' field of the pam_start() function).  It
+will also attempt to answer 'questions' which individual PAM modules
+ask using the PAM 'conversation' mechanism.
+
+The content of the conversation "message" - see pam_conv(3) - is
+ignored, but each conversation call which has its style set to
+'PAM_PROMPT_ECHO_ON' (i.e. those where the user's response isn't
+intended to be hidden on the devices display etc.) are answered
+with the username.  Calls with the style set to 'PAM_PROMPT_ECHO_OFF'
+are (i.e. the user's response should be hidden) are answered with
+the password.
+
+
+CUSTOM BEHAVIOUR
+
 This plugin also supports the usage of a list of name/value
-pairs to answer PAM module queries.
+pairs to answer PAM module queries using the following syntax:
+
+  plugin openvpn-auth-pam.so "PAMSERVICE [PROMPT ANSWER]..."
+
+These PAM queries take the form of text prompts which individual
+PAM modules supply.
+
+OpenVPN currently lacks a mechanism to supply these prompts (or related
+error messages etc.) to the user, but instead the plugin can be
+configured to respond to them on the users' behalf.
+
+If a PAM module prompts for a reply and supplies a message which matches
+the text PROMPT, then the plugin will reply with ANSWER.
+
+The match is case insensitive and the match will succeed if the PAM
+module's message includes trailing characters e.g. The PROMPT 'Log' will
+match the PAM message 'login:'.
+
+As a special case, if a PROMPT value of 'PAM_USER' is given, then the
+corresponding ANSWER value will be supplied to the PAM service via
+the second argument of the pam_start() function.  When this is supplied
+to a PAM module, they do not need to request the user name of the user
+via the pam_conv(3) mechanism.  This is the recommended way of
+supplying the user name to a PAM service.
+
+If no match is found for a prompt message, but the message style is
+set to 'PAM_PROMPT_ECHO_OFF', then the plugin will supply the password
+given by the OpenVPN client.
+
+
+Example 1:

-For example:
+  plugin openvpn-auth-pam.so "login PAM_USER COMMONNAME"

-  plugin openvpn-auth-pam.so "login login USERNAME password PASSWORD"
+tells the plugin to (a) use the "login" PAM service and (b) supply
+the commonname (as supplied to the plugin by OpenVPN) to the PAM
+service as the user name.  Most PAM services will request a secret in
+order to authorise the user, and as there are no further explicit
+PROMPT values specified by the example plugin definition, then any
+such password style (non-echoing input) requests made by the PAM
+modules which make up the PAM service definition will be automatically
+answered using the password given which was supplied by the OpenVPN
+client.

-tells auth-pam to (a) use the "login" PAM module, (b) answer a
-"login" query with the username given by the OpenVPN client, and
-(c) answer a "password" query with the password given by the
-OpenVPN client.  This provides flexibility in dealing with the different
-types of query strings which different PAM modules might generate.
-For example, suppose you were using a PAM module called
-"test" which queried for "name" rather than "login":
+n.b. Typically this would be used to enforce a 1:1 mapping between
+users' common names as defined by their TLS client certificate, and
+their system login account.  The username supplied by the end-user will
+not be passed to PAM in this example, and will effectively be ignored
+in favour of this client certificate common name.
+
+
+Example 2:
+
+  plugin openvpn-auth-pam.so "openvpn login USERNAME password PASSWORD"
+
+tells the plugin to (a) use the "openvpn" PAM service, (b) answer any
+PAM "conversation" call which has a message which begins 'login' with
+the username given by the OpenVPN client, and (c) answer a PAM prompt
+which begins with the text 'password' with the password given by the
+OpenVPN client.  This provides some flexibility in dealing with the
+different types of query strings which different PAM modules might
+generate.
+
+n.b. An "openvpn" PAM service definition must exist on the system in
+order to use the above declaration successfully.
+
+
+Example 3:
+
+Suppose you were using a PAM service called "test".  One of the
+modules defined in this service prompts with the message "Name Please:"
+rather than "Login :" - you could use:

   plugin openvpn-auth-pam.so "test name USERNAME password PASSWORD"

-While "USERNAME" "COMMONNAME" and "PASSWORD" are special strings which 
substitute
-to client-supplied values, it is also possible to name literal values
-to use as PAM module query responses.  For example, suppose that the
-login module queried for a third parameter, "domain" which
-is to be answered with the constant value "mydomain.com":

-  plugin openvpn-auth-pam.so "login login USERNAME password PASSWORD domain 
mydomain.com"
+Example 4:
+
+While "USERNAME" "COMMONNAME" and "PASSWORD" are special strings which
+substitute to client-supplied values, it is also possible to name
+literal values to use as PAM module query responses.  For example,
+suppose that the login module prompted for a "domain" which should be
+answered with the constant value "mydomain.com":

-The following OpenVPN directives can also influence
+  plugin openvpn-auth-pam.so "test login USERNAME password PASSWORD domain 
mydomain.com"
+
+
+ENVIRONMENT
+
+The following OpenVPN configuration directives can also influence
 the operation of this plugin:

   client-cert-not-required
@@ -64,11 +165,24 @@ the operation of this plugin:

 Run OpenVPN with --verb 7 or higher to get debugging output from
 this plugin, including the list of queries presented by the
-underlying PAM module.  This is a useful debugging tool to figure
+underlying PAM modules.  This is a useful debugging tool to figure
 out which queries a given PAM module is making, so that you can
 craft the appropriate plugin directive to answer it.

+
 CAVEATS

 This module will only work on *nix systems which support PAM,
 not Windows.
+
+
+DEBUGGING
+
+Debugging information from PAM services may be logged using different
+syslog facilities than OpenVPN, and so may end up in different
+locations (e.g. /var/log/auth.log etc. depending on system
+configuration).
+
+The administrator is advised to consult the many PAM tutorials and
+'howto' documents in order to learn about the debugging on PAM, and
+the creation and testing of custom PAM service definitions etc.
-- 
2.1.4


Reply via email to