On 21/04/2020 20:34, Selva Nair wrote:
> Hi,
> 
> On Tue, Apr 21, 2020 at 12:44 PM Vertigo Altair <vertigo.alt...@gmail.com
> <mailto:vertigo.alt...@gmail.com>> wrote:
> 
>     Hi OpenVPN People,
>     I have an OpenVPN server; on this server, I'm authenticating users with my
>     external program (via the --auth-user-pass-verify option). There is no problem
>     in this situation.
>     I want to add two-factor authentication with google-authenticator.
>     I guess the process would be like this:
>     A client enters these creds:
>     username
>     password + [OTP]
>     First, my external program checks whether the username/password combination is
>     correct, and afterwards google-authenticator checks whether the one-time password is
>     correct.
>     How can I achieve this? I tried some cases with Google-Authenticator but I
>     could only authenticate by adding the user to the system.
> 
> 
> I prefer to prompt for password and OTP separately using static-challenge
> instead of using some custom way of combining the two. This is how that would
> work.
> 
> In client configs add
> --auth-user-pass
> --static-challenge "Enter the authentication code (OTP) :  " 1
> 
> Change the static challenge prompt to suit your needs. Then the client will
> prompt the user for username, password and OTP in that order. If using a GUI
> like the OpenVPN-Windows-GUI this will happen through a dialog, else on the
> command line.
> 
> On the server, have a PAM config file, say, /etc/pam/ovpn with appropriate stacked
> auth entries -- as you would do for using google-authenticator for local
> logins. Assuming your PAM setup will prompt for login:, password: and pin:,
> in the server config file you will need
> 
> plugin </path/to/openvpn-auth-pam-plugin.so> "ovpn login: USERNAME password:
> PASSWORD pin: OTP"
> 

For PAM, that will be more tricky than you would expect.

FreeIPA supports enabling OTP on only some accounts (or the reverse, disabling
it on specific accounts).  But it does the split between password ("First
Factor:") and the OTP ("Second Factor:") where the second factor can even be
set to be optional.  An example:

   $ su - user
   Password:

   $ su - otpuser
   First Factor:
   Second Factor:

   $ su - otpoptional
   First Factor:
   Second Factor (optional):

So in this case, it would be necessary to use the dynamic challenge-response
protocol, where it gets a bit more complicated for the auth-pam module.
Should we do it?  We probably should.

IIRC, the PAM module as it is today should support getting the OTP token as an
extension to the password.  If it is optional, it would pass on just a correct
password or a correct password with a correct OTP added at the end - as you
would expect.


-- 
kind regards,

David Sommerseth
OpenVPN Inc



_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
