I stand corrected! That's very useful to know. Does the "OTP" keyword in the plugin correspond to the OTP argument in the static challenge?

Like if my static challenge was "static-challenge 'enter the number from your authenticator' 1", I'd use auth_pam.so "openvpn login: USERNAME Password: PASSWORD Verification 'enter the number from your authenticator'"?

Thanks,

-Joe

On Wed, Apr 21, 2021 at 12:40 PM Selva Nair <selva.n...@gmail.com> wrote:
>
> Hi
>
> On Wed, Apr 21, 2021 at 11:48 AM Joe Patterson <j.m.patter...@gmail.com> wrote:
> >
> > What you're looking for is the openvpn challenge/response protocol,
> > which can be used when authentication is done via the management
> > interface.
> >
> > https://openvpn.net/community-resources/management-interface/
> > describes it a bit.
> >
> > I know that the MFA portion of the management interface system I wrote
> > (https://github.com/j-m-patterson/ovpnherder) supports passing TOTP
> > tokens via static challenge (which is where you put the
> > "static-challenge" directive in the client config) as well as
> > concatenating them with the password.
> >
> > Unfortunately, as far as I can tell, static and dynamic
> > challenge-response isn't available if you're using a plugin or script
> > for authentication. So if you're ready to take the plunge into using
> > the management interface, you can do it. Otherwise, you're stuck with
> > concatenating the OTP token to the password.
>
> Static challenge can be used with plugins and scripts on the server --
> management-auth not required. Here is a pared down example of what I
> use:
>
> Add to client config
>
> static-challenge "OTP " 1
>
> This causes the openvpn client (or its UI/GUI) to prompt separately for
> username, password and OTP. The prompt text for the latter is taken
> from the first argument to static-challenge. The second arg (1
> above) controls echoing of the pin. See the man page of openvpn for
> details. This prompt is also supported by OpenVPN-GUI on windows and,
> I think, by tunnelblick, viscosity and probably others.
>
> On the server, details vary depending on the need and verification
> mechanism used. I use PAM for which one adds to the server config:
>
> plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so "openvpn login:
> USERNAME Password: PASSWORD Verification OTP"
>
> (See README.auth-pam distributed with OpenVPN for how to format the
> above line to match your pam setup).
>
> And have a pam config /etc/pam.d/openvpn with, say,
>
> @include common-auth
> account required pam_access.so
> @include common-account
> @include common-password
> @include common-session
>
> where common-auth has
>
> auth required pam_google_authenticator.so
>
> among other modules. There are so many ways of setting up PAM
> depending on how the user is authenticated (unix user db, ldap, Active
> Directory, ...), what kind of OTP is in use etc. The above is only
> meant to describe the essentials.
>
> Selva

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
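What actually travels in the password field when a client has a static-challenge line, and how a server-side verifier separates the password from the OTP, as an added Python example (not code from this thread, from ovpnherder, or from the auth-pam plugin). It assumes the client's SCRV1 encoding from the management-interface documentation and that the raw field reaches the verifying script unchanged.

```python
import base64
import binascii
from typing import Optional, Tuple

# Prefix the OpenVPN client puts on the password field when the client
# config contains a static-challenge directive.
SCRV1_PREFIX = "SCRV1:"


def encode_scrv1(password: str, response: str) -> str:
    """Client side: pack password and the typed OTP into one field.

    Wire form is SCRV1:<base64(password)>:<base64(response)>, which is why
    a server component that is not SCRV1-aware sees one opaque string.
    """
    def enc(s: str) -> str:
        return base64.b64encode(s.encode("utf-8")).decode("ascii")
    return f"{SCRV1_PREFIX}{enc(password)}:{enc(response)}"


def split_scrv1(field: str) -> Tuple[str, Optional[str]]:
    """Server side: recover (password, otp) from the received field.

    A field without the prefix is returned unchanged with otp=None, which
    covers clients with no static-challenge line and users who typed the
    OTP concatenated onto the password. Malformed SCRV1 input raises
    ValueError so the caller rejects the login instead of guessing.
    """
    if not field.startswith(SCRV1_PREFIX):
        return field, None
    parts = field[len(SCRV1_PREFIX):].split(":")
    if len(parts) != 2 or not all(parts):
        raise ValueError("malformed SCRV1 field")
    try:
        password = base64.b64decode(parts[0], validate=True).decode("utf-8")
        otp = base64.b64decode(parts[1], validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError("malformed SCRV1 base64 payload") from exc
    return password, otp


# Constructed sample: what a client configured with
#   static-challenge "OTP " 1
# would send for password "hunter2" and OTP "123456".
SAMPLE_FIELD = encode_scrv1("hunter2", "123456")

if __name__ == "__main__":
    print(SAMPLE_FIELD)               # SCRV1:aHVudGVyMg==:MTIzNDU2
    print(split_scrv1(SAMPLE_FIELD))  # ('hunter2', '123456')
```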