Hi,

On Tue, Jan 23, 2018 at 3:54 PM, Martin T <m4rtn...@gmail.com> wrote:
> On Tue, Jan 23, 2018 at 7:30 PM, Selva Nair <selva.n...@gmail.com> wrote:
>> Hi,
>>
>> On Tue, Jan 23, 2018 at 11:40 AM, Martin T <m4rtn...@gmail.com> wrote:
>>> Hi!
>>>
>>> I have configured the OpenVPN server to use the openvpn-plugin-auth-pam.so
>>> plugin. The configuration statement for this is the following:
>>>
>>> plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so /etc/pam.d/openvpn
>>>
>>> In the /etc/pam.d/openvpn configuration file, I use the pam_access.so module.
>>> It requires the client IPv4/IPv6 address. However, according to the
>>> pam_access.so debug log, it does not receive it:
>>
>> IIRC, the auth-pam plugin does not set PAM_RHOST, so the hostname won't be available.
>>
>>>
>>> pam_access(openvpn:auth): cannot determine tty or remote hostname, using service openvpn
>>>
>>> Is it possible to fix this with a configuration change?
>>
>> I do not think so -- unless you change the origins in access.conf to
>> ALL, disabling the remote host check, which is not what you want.
>>
>> Selva
>
> Selva,
>
> thanks for the reply! My end goal was to use different authentication
> methods for OpenVPN clients from different networks. If
> openvpn-plugin-auth-pam.so set PAM_RHOST, then I could do
> something like this:
>
> auth requisite pam_nologin.so
> # If the OpenVPN client is from a certain network, then skip the YubiKey check.
> auth [success=1 default=ignore] pam_access.so accessfile=/etc/security/access-local.conf
> auth [success=done new_authtok_reqd=ok default=die] pam_yubico.so id=31121 authfile=/etc/yubikey
> auth include common-auth
>
> Maybe there is some other way to achieve this?
Option 1: patch the PAM plugin to set PAM_RHOST.

Option 2: write a script for auth-user-pass-verify and do the PAM authentication from the script. In the OpenVPN sources there is a sample Perl script that could be used as a starting point (never used it, so no idea whether it works). OpenVPN exports the client IP to the environment, and it could be read from the script.

Note that the script (and the PAM module, for that matter) blocks the server process, so you should avoid spending too much time inside the auth script -- not sure how long it would take for the YubiKey auth to complete.

Selva

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
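The auth-user-pass-verify route from Option 2, sketched as an added example (this is not code from the thread, from OpenVPN, or from its sample Perl script). It assumes the server line `auth-user-pass-verify /etc/openvpn/auth-by-network.py via-file`, under which OpenVPN passes the path of a temporary file holding the username on line 1 and the password on line 2, and exports the connecting client's address as the environment variable `untrusted_ip`. The script picks one of two PAM service names by network (so the YubiKey step lives in one /etc/pam.d file and not the other) and fails towards the stronger stack if the address is missing or malformed. The network list, the service names `openvpn-local` and `openvpn`, and the use of the third-party `python-pam` package for the actual PAM call are all assumptions made for illustration.

```python
#!/usr/bin/env python3
"""auth-user-pass-verify helper: choose a PAM service by client network.

Added example, not part of the original thread or of OpenVPN.  Assumed
server config:   auth-user-pass-verify /etc/openvpn/auth-by-network.py via-file
"""
import ipaddress
import os
import sys

# Assumed: clients from these networks skip the YubiKey step.  Keep the
# list short; OpenVPN blocks while this script runs.
TRUSTED_NETWORKS = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("2001:db8::/32"),
]
# Assumed PAM service names, i.e. files under /etc/pam.d/.
SERVICE_LOCAL = "openvpn-local"   # password only
SERVICE_REMOTE = "openvpn"        # password plus pam_yubico


def select_service(client_ip, trusted=TRUSTED_NETWORKS):
    """Return the PAM service for a client at client_ip.

    An empty or malformed address is treated as untrusted, so a problem in
    address handling can only make the check stronger, never weaker.
    """
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return SERVICE_REMOTE
    # 'in' across address families is False, not an error, in ipaddress.
    return SERVICE_LOCAL if any(addr in net for net in trusted) else SERVICE_REMOTE


def parse_credentials(text):
    """Parse via-file contents: username on line 1, password on line 2."""
    lines = text.split("\n")
    if len(lines) < 2 or not lines[0]:
        raise ValueError("credentials file must contain username and password")
    return lines[0], lines[1]


def read_credentials(path):
    with open(path, "r", encoding="utf-8", errors="surrogateescape") as fh:
        return parse_credentials(fh.read())


def authenticate(username, password, service):
    """Run the PAM stack named by 'service'.  Assumes python-pam is installed."""
    import pam  # assumed third-party dependency (pip install python-pam)
    return pam.pam().authenticate(username, password, service=service)


def main(argv):
    if len(argv) != 2:
        print("usage: auth-by-network.py CREDENTIALS_FILE", file=sys.stderr)
        return 1
    client_ip = os.environ.get("untrusted_ip", "")
    service = select_service(client_ip)
    try:
        username, password = read_credentials(argv[1])
    except (OSError, ValueError) as exc:
        print(f"auth-by-network: {exc}", file=sys.stderr)
        return 1
    ok = authenticate(username, password, service)
    # Log the decision and result, never the password.
    print(f"auth-by-network: user={username!r} ip={client_ip} "
          f"service={service} result={'ok' if ok else 'fail'}", file=sys.stderr)
    return 0 if ok else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

OpenVPN treats exit status 0 as success and anything else as failure, so the script never needs to print a verdict. The address comes from `untrusted_ip` because at this point the peer has not yet authenticated; keeping the network decision in `select_service` with a deny-by-default fallback means a missing variable (for instance when testing the script by hand) lands the user on the YubiKey stack rather than bypassing it.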