Hi,

pam is not that bad :) We use it with LDAP (over TLS) on many machines; however, to get TLS to work properly you either have to disable cert verification or install the proper CA on every node.

I use the pam plugin with a radius backend now, it was working out-of-the-box. Anyway, if you want to use PAM as an auth backend, I suggest you set it up/try it with another authenticator, like SSH. Debugging radius is easy: you add 'debug' in the corresponding pam module line and, if you're using freeradius, simply run it from the command line with '-X' and you'll see what's going on.

About tls-auth: I suggest you use tls-crypt instead of tls-auth, it's a bit more advanced.

In server.conf:

tls-crypt tls-crypt.key

In client.conf:

<tls-crypt>
[[[ THE CONTENTS OF THE KEY OF tls-crypt.key - USING INLINE IS GOOD ]]]
</tls-crypt>

Cheers,
Tom

-----Original Message-----
From: The Doctor via Openvpn-users [mailto:openvpn-users@lists.sourceforge.net]
Sent: Saturday, April 4, 2020 2:55 PM
To: Gert Doering <g...@greenie.muc.de>
Cc: openvpn-users@lists.sourceforge.net
Subject: Re: [Openvpn-users] First time set up using openvpn

On Sat, Apr 04, 2020 at 09:24:24AM +0200, Gert Doering wrote:
> Hi,
>
> On Fri, Apr 03, 2020 at 05:30:23PM -0600, The Doctor via Openvpn-users wrote:
> > tls-auth /usr/local/etc/openvpn/server/ta.key 0 # This file is
> > secret
>
> If you have this on the server...
>
> > ;tls-auth /usr/local/etc/openvpn/server/ta.key 1
>
> ... you MUST have it on the client as well.
> Step 1.
>
> > verb 9
>
> this is way too high for normal debugging, use "verb 4" :-)
>
> As soon as you have the TLS-Auth part sorted out - there is no
> authentication backend configured on the server, so it won't do LDAP
> or radius. As for "how to do this", there's many possible ways
> - you can use a plugin (plugin_auth_pam is a good start, and then
> pam_radius or pam_ldap), or a script (--auth-user-pass-verify, see the
> man page), ...
>
> pam has always been problematic even on SASL, hence why I avoid it.
>
> gert
> --
> "If was one thing all people took for granted, was conviction that if
> you feed honest figures into a computer, honest figures come out.
> Never doubted it myself till I met a computer with a sense of humor."
> Robert A. Heinlein, The Moon is a Harsh Mistress
>
> Gert Doering - Munich, Germany g...@greenie.muc.de

--
Member - Liberal International This is doctor@@nl2k.ab.ca Ici doctor@@nl2k.ab.ca
Yahweh, Queen & country! Never Satan President Republic! Beware AntiChrist rising!
https://www.empire.kred/ROOTNK?t=94a1f39b
Look at Psalms 14 and 53 on Atheism
Those who cannot win on facts rely upon slander. -unknown

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users