Hi,

Sometimes it's not easy, at first sight, to accomplish it. I've written a
slightly more advanced script based on Selva's example. The solution uses the
management interface for authentication and can handle static and dynamic OTPs
as well.

We needed both static and dynamic OTP, because we used SecurID RSA as OTP, and
if the user inputs a wrong token 3 times, then the RSA blocks and requests the
next token… (and this is done via dynamic challenge-response).

If interested, I can send the script over (PAM is used for user auth against
an MS AD, and RADIUS is used for SecurID, since that handles
challenge-response auths, so we can wait for the user's answer to dynamic
questions without blocking the whole auth flow).

So, if you want to do a bit more complex stuff, then the management interface
will be your friend (a perl/python/php/whatever daemon will be needed to
connect to the mgmt interface and handle the requests from the openvpn server).

For simple tasks a static-challenge + PAM auth can be more than enough.

Cheers,

Tom

From: Selva Nair [mailto:selva.n...@gmail.com] 
Sent: Wednesday, April 21, 2021 6:41 PM
To: Joe Patterson <j.m.patter...@gmail.com>
Cc: Openvpn Users <openvpn-users@lists.sourceforge.net>
Subject: Re: [Openvpn-users] How to send 2nd factor to server ?

Hi

On Wed, Apr 21, 2021 at 11:48 AM Joe Patterson <j.m.patter...@gmail.com> wrote:
>
> What you're looking for is the openvpn challenge/response protocol,
> which can be used when authentication is done via the management
> interface.
>
> https://openvpn.net/community-resources/management-interface/
> describes it a bit.
>
> I know that the MFA portion of the management interface system I wrote
> (https://github.com/j-m-patterson/ovpnherder) supports passing TOTP
> tokens via static challenge (which is where you put the
> "static-challenge" directive in the client config) as well as
> concatenating them with the password.
>
> Unfortunately, as far as I can tell, static and dynamic
> challenge-response isn't available if you're using a plugin or script
> for authentication. So if you're ready to take the plunge into using
> the management interface, you can do it.  Otherwise, you're stuck with
> concatenating the OTP token to the password.

Static challenge can be used with plugins and scripts on the server --
management-auth not required. Here is a pared down example of what I
use:

Add to client config

static-challenge "OTP " 1

This causes the openvpn client (or its UI/GUI) to prompt separately for
username, password and OTP. The prompt text for the latter is taken
from the first argument to static-challenge. The second arg (1
above) controls echoing of the pin. See the man page of openvpn for
details. This prompt is also supported by OpenVPN-GUI on Windows and,
I think, by Tunnelblick, Viscosity and probably others.

On the server, details vary depending on the need and verification
mechanism used. I use PAM for which one adds to the server config:

plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so "openvpn login: USERNAME Password: PASSWORD Verification OTP"

(See README.auth-pam distributed with OpenVPN for how to format the
above line to match your pam setup).

And have a pam config /etc/pam.d/openvpn with, say,

@include common-auth
account  required     pam_access.so
@include common-account
@include common-password
@include common-session

where common-auth has

auth required pam_google_authenticator.so

among other modules. There are so many ways of setting up PAM
depending on how the user is authenticated (unix user db, ldap, Active
Directory, ...), what kind of OTP is in use etc. The above is only
meant to describe the essentials.

Selva
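Both approaches in this thread (Tom's management-interface daemon with static and dynamic OTP, and Selva's static-challenge line) end up with the OTP arriving in the password field in one of the encodings from OpenVPN's management-interface notes: a static-challenge client sends `SCRV1:<base64 password>:<base64 response>`, and a dynamic challenge is a `client-deny` whose client reason is `CRV1:<flags>:<state_id>:<base64 username>:<text>`, answered by the client with a password of `CRV1::<state_id>::<response>`. With the auth-pam plugin the plugin splits SCRV1 for you; a management-side daemon has to do it itself. The following is an added example in Python (not Tom's script, Selva's config, or anything from OpenVPN's own code) of that decoding and of the decision logic behind `client-auth-nt` / `client-deny`. It assumes the server runs with `management` and `management-client-auth`, it replaces PAM/RADIUS with a constructed `USERS` table, and it leaves the socket I/O out: `parse_client_connect` takes the lines the server would emit and `handle_connect` returns the command the daemon would write back.

```python
import base64
import hmac
import secrets

# Constructed user table standing in for PAM/RADIUS: username -> (password, valid OTP).
USERS = {"alice": ("s3cret", "123456")}

# Outstanding dynamic challenges: state_id -> username. A real daemon should
# expire these after a short timeout so a state id cannot linger.
PENDING = {}


def b64e(text):
    return base64.b64encode(text.encode()).decode()


def b64d(text):
    return base64.b64decode(text).decode()


def parse_client_connect(lines):
    """Parse a >CLIENT:CONNECT event and its >CLIENT:ENV lines into (cid, kid, env)."""
    first, *rest = lines
    if not first.startswith(">CLIENT:CONNECT,"):
        raise ValueError("not a CLIENT:CONNECT event")
    cid, kid = first.split(",")[1:3]
    env = {}
    for line in rest:
        if line == ">CLIENT:ENV,END":
            break
        if line.startswith(">CLIENT:ENV,"):
            key, _, value = line[len(">CLIENT:ENV,"):].partition("=")
            env[key] = value
    return cid, kid, env


def split_password(field):
    """Decode the password field into (password, otp_response, crv1_state_id).

    SCRV1:<b64 password>:<b64 response>  -> static-challenge client
    CRV1::<state_id>::<response_text>    -> reply to a dynamic challenge
    anything else                        -> bare password, no OTP
    """
    if field.startswith("SCRV1:"):
        _, pw, resp = field.split(":", 2)
        return b64d(pw), b64d(resp), None
    if field.startswith("CRV1:"):
        parts = field.split(":", 4)
        return None, parts[4], parts[2]
    return field, None, None


def dynamic_challenge(username, text, echo=False):
    """Build the CRV1 client-reason string that makes the client re-prompt."""
    state_id = secrets.token_hex(8)
    PENDING[state_id] = username
    flags = "R" + ("E" if echo else "")  # R: response required, E: echo the input
    return f"CRV1:{flags}:{state_id}:{b64e(username)}:{text}"


def _eq(a, b):
    # Constant-time comparison; lengths may differ, which simply yields False.
    return hmac.compare_digest(a.encode(), b.encode())


def handle_connect(cid, kid, env):
    """Return the management command that answers one CLIENT:CONNECT event."""
    user = env.get("username", "")
    password, otp, state_id = split_password(env.get("password", ""))
    record = USERS.get(user)

    def deny(reason):
        return f'client-deny {cid} {kid} "{reason}" "Authentication failed"'

    if state_id is not None:
        # Second leg of a dynamic challenge: the field carries only the OTP response,
        # so the state id must match a challenge we issued for this user (single use).
        if PENDING.pop(state_id, None) != user or record is None:
            return deny("unknown challenge state")
        return f"client-auth-nt {cid} {kid}" if _eq(otp, record[1]) else deny("bad otp")
    if record is None or not _eq(password, record[0]):
        return deny("bad password")
    if otp is None:
        # Client has no static-challenge line: ask for the token dynamically.
        challenge = dynamic_challenge(user, "Enter OTP token")
        return f'client-deny {cid} {kid} "otp required" "{challenge}"'
    return f"client-auth-nt {cid} {kid}" if _eq(otp, record[1]) else deny("bad otp")


if __name__ == "__main__":
    # Constructed event, as the server emits it when a static-challenge client connects.
    event = [">CLIENT:CONNECT,3,1",
             ">CLIENT:ENV,username=alice",
             ">CLIENT:ENV,password=SCRV1:" + b64e("s3cret") + ":" + b64e("123456"),
             ">CLIENT:ENV,END"]
    print(handle_connect(*parse_client_connect(event)))
```

The daemon proper wraps this in a loop that reads lines from the management socket and writes each returned command followed by a newline. Note that the challenge text is embedded inside the double-quoted client-reason argument of `client-deny`, so it must not contain double quotes, and that the state id is consumed on first use so a captured second-leg password cannot be replayed.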

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
