Re: [Openvpn-users] How to send 2nd factor to server ?

2021-04-28 Thread Selva Nair
Hi

On Wed, Apr 28, 2021 at 11:52 AM Gert Doering  wrote:
>
> Hi,
>
> On Wed, Apr 21, 2021 at 07:29:52PM +0200, Dajka Tamás wrote:
> > If interested, I can send the script over ( PAM is used for user
> > auth against an MS AD, and Radius is used for SecurID, since that
> > handle's challenge-response auths, so we can wait for the user's
> > answer to dynamic questions without blocking the whole auth flow).
>
> I'm certainly interested.
>
> > So, if you want to do a bit more complex stuff, than the management
> > interface will be your friend (a perl/python/php/whatever daemon
> > will be needed to connect to the mgmt interface and handle the
> > requests from the openvpn server).
> >
> > For simple tasks a static-challenge + PAM auth can be more than enough.
>
> I've come to like the auth-PAM plugin (after I fought it for a while,
> and won :-) ).  It does async nowadays, and if it does what you need,
> it's easier to use than setting up "things talking to management".
>
> I haven't looked into dynamic challenges yet, but it seems I should...
> Selva: am I reading the source correctly, a plugin can not create a dynamic
> challenge?

No, it doesn't.

There were two issues blocking this: (i) PAM_CONV_AGAIN needed to
restart the PAM stack at a point that is not supported by most PAM modules
of interest; (ii) a customized AUTH_FAILED message could be sent only
from the management interface (during reauth --- initial auth is fine).

For (i) probably we can avoid PAM_CONV_AGAIN and do this using
deferred auth.

For (ii) not sure whether this has changed with Arne's
recent patches -- also there was a patch from viscosity folks for
custom AUTH_FAILED from plugins.

Maybe it's time to look into this again.

Selva


___
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users


Re: [Openvpn-users] How to send 2nd factor to server ?

2021-04-28 Thread Dajka Tamás
Hi Gert,

sure, I've uploaded to github:

https://github.com/V1pr/openvpn-manager-auth

There are still some hungarian comments, I did not have the time to get rid
of them ;)

Let me know, if you've any questions.

Cheers,

   Tom

> -Original Message-
> From: Gert Doering [mailto:g...@greenie.muc.de]
> Sent: Wednesday, April 28, 2021 5:52 PM
> To: Dajka Tamás 
> Cc: 'Selva Nair'; 'Joe Patterson'; 'Openvpn Users' <us...@lists.sourceforge.net>
> Subject: Re: [Openvpn-users] How to send 2nd factor to server ?
> 
> Hi,
> 
> On Wed, Apr 21, 2021 at 07:29:52PM +0200, Dajka Tamás wrote:
> > If interested, I can send the script over ( PAM is used for user auth
> > against an MS AD, and Radius is used for SecurID, since that
> > handle's challenge-response auths, so we can wait for the user's
> > answer to dynamic questions without blocking the whole auth flow).
> 
> I'm certainly interested.
> 
> > So, if you want to do a bit more complex stuff, than the management
> > interface will be your friend (a perl/python/php/whatever daemon will
> > be needed to connect to the mgmt interface and handle the requests
> > from the openvpn server).
> >
> > For simple tasks a static-challenge + PAM auth can be more than enough.
> 
> I've come to like the auth-PAM plugin (after I fought it for a while, and
> won :-) ).
> It does async nowadays, and if it does what you need, it's easier to use
> than setting up "things talking to management".
> 
> I haven't looked into dynamic challenges yet, but it seems I should...
> Selva: am I reading the source correctly, a plugin can not create a
> dynamic challenge?
> 
> gert
> 
> 
> --
> "If was one thing all people took for granted, was conviction that if you
> feed honest figures into a computer, honest figures come out. Never doubted
> it myself till I met a computer with a sense of humor."
>  Robert A. Heinlein, The Moon is a Harsh Mistress
> 
> Gert Doering - Munich, Germany g...@greenie.muc.de





Re: [Openvpn-users] How to send 2nd factor to server ?

2021-04-28 Thread Gert Doering
Hi,

On Wed, Apr 21, 2021 at 07:29:52PM +0200, Dajka Tamás wrote:
> If interested, I can send the script over ( PAM is used for user
> auth against an MS AD, and Radius is used for SecurID, since that
> handle's challenge-response auths, so we can wait for the user's
> answer to dynamic questions without blocking the whole auth flow).

I'm certainly interested.

> So, if you want to do a bit more complex stuff, than the management
> interface will be your friend (a perl/python/php/whatever daemon
> will be needed to connect to the mgmt interface and handle the
> requests from the openvpn server).
> 
> For simple tasks a static-challenge + PAM auth can be more than enough.

I've come to like the auth-PAM plugin (after I fought it for a while,
and won :-) ).  It does async nowadays, and if it does what you need,
it's easier to use than setting up "things talking to management".

I haven't looked into dynamic challenges yet, but it seems I should...
Selva: am I reading the source correctly, a plugin can not create a dynamic
challenge?

gert


-- 
"If was one thing all people took for granted, was conviction that if you 
 feed honest figures into a computer, honest figures come out. Never doubted 
 it myself till I met a computer with a sense of humor."
 Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany g...@greenie.muc.de




Re: [Openvpn-users] How to send 2nd factor to server ?

2021-04-21 Thread Joe Patterson
On Wed, Apr 21, 2021 at 1:55 PM Selva Nair  wrote:
>
> Hi,
>
> On Wed, Apr 21, 2021 at 1:35 PM Joe Patterson  wrote:
>>
>> I stand corrected!  That's very useful to know.
>>
> >> Does the "OTP" keyword in the plugin correspond to the OTP argument in
> >> the static challenge?
>
>
> No, the argument to static-challenge is local to the client and only used for 
> prompting the user. It's not passed to the server. You can write it 
> differently in each client config if you wish.
>

I thought that seemed like it would be weird.  :)

>>
>> Like if my static challenge was "static-challenge 'enter the number
>> from your authenticator' 1", I'd use auth_pam.so "openvpn login:
>> USERNAME Password: PASSWORD Verification 'enter the number from your
>> authenticator'"?
>
>
> The capitalized words, USERNAME, PASSWORD and OTP are hard coded and stand 
> for the values for username, password and otp received from the client. These 
> get used against the corresponding prompts, "login:", "Password:" and 
> "Verification" in my example. So those latter words are specific to your set 
> up. Only the beginning of the prompt is matched, so "Verification" would also 
> match, say, a pam prompt of "Verification PIN:".
>

Fantastic.

> It's also possible to expose the common name to PAM -- use COMMONNAME as the 
> place-holder. See README.auth-pam.

I know.  I wrote that code.  :)

Thanks!

-Joe




Re: [Openvpn-users] How to send 2nd factor to server ?

2021-04-21 Thread Selva Nair
Hi,

On Wed, Apr 21, 2021 at 1:35 PM Joe Patterson 
wrote:

> I stand corrected!  That's very useful to know.
>
> Does the "OTP" keyword in the plugin correspond to the OTP argument in
> the static challenge?
>

No, the argument to static-challenge is local to the client and only used
for prompting the user. It's not passed to the server. You can write it
differently in each client config if you wish.


> Like if my static challenge was "static-challenge 'enter the number
> from your authenticator' 1", I'd use auth_pam.so "openvpn login:
> USERNAME Password: PASSWORD Verification 'enter the number from your
> authenticator'"?
>

The capitalized words, USERNAME, PASSWORD and OTP are hard coded and stand
for the values for username, password and otp received from the client.
These get used against the corresponding prompts, "login:", "Password:"
and "Verification" in my example. So those latter words are specific to
your set up. Only the beginning of the prompt is matched, so "Verification"
would also match, say, a pam prompt of "Verification PIN:".

It's also possible to expose the common name to PAM -- use COMMONNAME as
the place-holder. See README.auth-pam.

Selva


Re: [Openvpn-users] How to send 2nd factor to server ?

2021-04-21 Thread Joe Patterson
I stand corrected!  That's very useful to know.

Does the "OTP" keyword in the plugin correspond to the OTP argument in
the static challenge?

Like if my static challenge was "static-challenge 'enter the number
from your authenticator' 1", I'd use auth_pam.so "openvpn login:
USERNAME Password: PASSWORD Verification 'enter the number from your
authenticator'"?

Thanks,

-Joe

On Wed, Apr 21, 2021 at 12:40 PM Selva Nair  wrote:
>
> Hi
>
> On Wed, Apr 21, 2021 at 11:48 AM Joe Patterson  
> wrote:
> >
> > What you're looking for is the openvpn challenge/response protocol,
> > which can be used when authentication is done via the management
> > interface.
> >
> > https://openvpn.net/community-resources/management-interface/
> > describes it a bit.
> >
> > I know that the MFA portion of the management interface system I wrote
> > (https://github.com/j-m-patterson/ovpnherder) supports passing TOTP
> > tokens via static challenge (which is where you put the
> > "static-challenge" directive in the client config) as well as
> > concatenating them with the password.
> >
> > Unfortunately, as far as I can tell, static and dynamic
> > challenge-response isn't available if you're using a plugin or script
> > for authentication. So if you're ready to take the plunge into using
> > the management interface, you can do it.  Otherwise, you're stuck with
> > concatenating the OTP token to the password.
>
> Static challenge can be used with plugins and scripts on the server --
> management-auth not required. Here is a pared down example of what I
> use:
>
> Add to client config
>
> static-challenge "OTP " 1
>
> This causes the  openvpn client (or its UI/GUI) to prompt separately for
> username, password and OTP . The prompt text for the latter is taken
> from the first argument to static-challenge. The second arg (1
> above) controls echo-ing of the pin. See the man page of openvpn for
> details. This prompt is also supported by OpenVPN-GUI on windows and,
> I think, by tunnelblick, viscosity and probably others.
>
> On the server, details vary depending on the need and verification
> mechanism used. I use PAM for which one adds to the server config:
>
> plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so "openvpn login:
> USERNAME Password: PASSWORD Verification OTP"
>
> (See README.auth-pam distributed with OpenVPN for how to format the
> above line to match your pam setup).
>
> And have a pam config /etc/pam.d/openvpn with, say,
>
> @include common-auth
> account  required pam_access.so
> @include common-account
> @include common-password
> @include common-session
>
> where common-auth has
>
> auth required pam_google_authenticator.so
>
> among other modules. There are so many ways of setting up PAM
> depending on how the user is authenticated (unix user db, ldap, Active
> Directory, ...), what kind of OTP is in use etc. The above is only
> meant to describe the essentials.
>
> Selva




Re: [Openvpn-users] How to send 2nd factor to server ?

2021-04-21 Thread Dajka Tamás
Hi,

sometimes it's not easy, at first sight, to accomplish it. I've written a
slightly more advanced script based on Selva's example. The solution uses the
management interface for authentication and can handle static and dynamic OTPs
as well.

We needed both static and dynamic OTP, because we used RSA SecurID as OTP, and
if the user inputs a wrong token three times, then the RSA blocks and requests
the next token... (and this is done via dynamic challenge-response).

If interested, I can send the script over (PAM is used for user auth against
an MS AD, and Radius is used for SecurID, since that handles
challenge-response auths, so we can wait for the user's answer to dynamic
questions without blocking the whole auth flow).

So, if you want to do a bit more complex stuff, then the management interface
will be your friend (a perl/python/php/whatever daemon will be needed to
connect to the mgmt interface and handle the requests from the openvpn server).

For simple tasks a static-challenge + PAM auth can be more than enough.

Cheers,

   Tom

From: Selva Nair [mailto:selva.n...@gmail.com]
Sent: Wednesday, April 21, 2021 6:41 PM
To: Joe Patterson
Cc: Openvpn Users
Subject: Re: [Openvpn-users] How to send 2nd factor to server ?

Hi

On Wed, Apr 21, 2021 at 11:48 AM Joe Patterson wrote:
>
> What you're looking for is the openvpn challenge/response protocol,
> which can be used when authentication is done via the management
> interface.
>
> https://openvpn.net/community-resources/management-interface/
> describes it a bit.
>
> I know that the MFA portion of the management interface system I wrote
> (https://github.com/j-m-patterson/ovpnherder) supports passing TOTP
> tokens via static challenge (which is where you put the
> "static-challenge" directive in the client config) as well as
> concatenating them with the password.
>
> Unfortunately, as far as I can tell, static and dynamic
> challenge-response isn't available if you're using a plugin or script
> for authentication. So if you're ready to take the plunge into using
> the management interface, you can do it.  Otherwise, you're stuck with
> concatenating the OTP token to the password.

Static challenge can be used with plugins and scripts on the server --
management-auth not required. Here is a pared down example of what I
use:

Add to client config

static-challenge "OTP " 1

This causes the  openvpn client (or its UI/GUI) to prompt separately for
username, password and OTP . The prompt text for the latter is taken
from the first argument to static-challenge. The second arg (1
above) controls echo-ing of the pin. See the man page of openvpn for
details. This prompt is also supported by OpenVPN-GUI on windows and,
I think, by tunnelblick, viscosity and probably others.

On the server, details vary depending on the need and verification
mechanism used. I use PAM for which one adds to the server config:

plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so "openvpn login:
USERNAME Password: PASSWORD Verification OTP"

(See README.auth-pam distributed with OpenVPN for how to format the
above line to match your pam setup).

And have a pam config /etc/pam.d/openvpn with, say,

@include common-auth
account  required pam_access.so
@include common-account
@include common-password
@include common-session

where common-auth has

auth required pam_google_authenticator.so

among other modules. There are so many ways of setting up PAM
depending on how the user is authenticated (unix user db, ldap, Active
Directory, ...), what kind of OTP is in use etc. The above is only
meant to describe the essentials.

Selva



Re: [Openvpn-users] How to send 2nd factor to server ?

2021-04-21 Thread Selva Nair
Hi

On Wed, Apr 21, 2021 at 11:48 AM Joe Patterson 
wrote:
>
> What you're looking for is the openvpn challenge/response protocol,
> which can be used when authentication is done via the management
> interface.
>
> https://openvpn.net/community-resources/management-interface/
> describes it a bit.
>
> I know that the MFA portion of the management interface system I wrote
> (https://github.com/j-m-patterson/ovpnherder) supports passing TOTP
> tokens via static challenge (which is where you put the
> "static-challenge" directive in the client config) as well as
> concatenating them with the password.
>
> Unfortunately, as far as I can tell, static and dynamic
> challenge-response isn't available if you're using a plugin or script
> for authentication. So if you're ready to take the plunge into using
> the management interface, you can do it.  Otherwise, you're stuck with
> concatenating the OTP token to the password.

Static challenge can be used with plugins and scripts on the server --
management-auth not required. Here is a pared down example of what I
use:

Add to client config

static-challenge "OTP " 1

This causes the  openvpn client (or its UI/GUI) to prompt separately for
username, password and OTP . The prompt text for the latter is taken
from the first argument to static-challenge. The second arg (1
above) controls echo-ing of the pin. See the man page of openvpn for
details. This prompt is also supported by OpenVPN-GUI on windows and,
I think, by tunnelblick, viscosity and probably others.

On the server, details vary depending on the need and verification
mechanism used. I use PAM for which one adds to the server config:


plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so "openvpn login:
USERNAME Password: PASSWORD Verification OTP"

(See README.auth-pam distributed with OpenVPN for how to format the
above line to match your pam setup).

And have a pam config /etc/pam.d/openvpn with, say,

@include common-auth
account  required pam_access.so
@include common-account
@include common-password
@include common-session

where common-auth has

auth required pam_google_authenticator.so

among other modules. There are so many ways of setting up PAM
depending on how the user is authenticated (unix user db, ldap, Active
Directory, ...), what kind of OTP is in use etc. The above is only
meant to describe the essentials.

Selva
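An added worked example, written for this page rather than taken from OpenVPN or its auth-pam plugin, for what Selva describes above and in the reply to Joe higher up the page: how the plugin argument string is read as (prompt-prefix, response) pairs, how the SCRV1 password that a --static-challenge client sends is split back into password and OTP, and why only the beginning of a PAM prompt is compared, so that "Verification" also answers "Verification PIN:". The real plugin does this in C; the Python below reimplements the format handling over a constructed env dict. The exact prefix rule (leading non-alphanumerics skipped, case-insensitive comparison) and the fail-closed behaviour for an unmatched prompt are this example's assumptions, not verified plugin behaviour.

```python
"""Added example for this page (not the OpenVPN auth-pam plugin source):
plugin argument parsing, SCRV1 static-challenge password splitting and
prefix matching of PAM prompts, run on a constructed environment."""
import base64
import shlex
from typing import Dict, List, Optional, Tuple

# Placeholders README.auth-pam defines; any other response is sent to PAM literally.
PLACEHOLDERS = ("USERNAME", "PASSWORD", "COMMONNAME", "OTP")


def parse_plugin_args(argstr: str) -> Tuple[str, List[Tuple[str, str]]]:
    """'openvpn login: USERNAME Password: PASSWORD Verification OTP'
    -> ('openvpn', [('login:', 'USERNAME'), ('Password:', 'PASSWORD'),
                    ('Verification', 'OTP')])"""
    tokens = shlex.split(argstr)
    if len(tokens) < 3 or len(tokens) % 2 == 0:
        raise ValueError("expected a PAM service name followed by prompt/response pairs")
    return tokens[0], list(zip(tokens[1::2], tokens[2::2]))


def build_scrv1(password: str, otp: str) -> str:
    """What a client started with --static-challenge puts in the password field."""
    b64 = lambda s: base64.b64encode(s.encode()).decode()
    return f"SCRV1:{b64(password)}:{b64(otp)}"


def split_scrv1(password: str) -> Tuple[str, Optional[str]]:
    """(password, otp) for an SCRV1 string; a bare password gives otp=None."""
    if not password.startswith("SCRV1:"):
        return password, None
    parts = password.split(":")
    if len(parts) != 3:
        raise ValueError("malformed SCRV1 password")
    return (base64.b64decode(parts[1]).decode(),
            base64.b64decode(parts[2]).decode())


def client_values(env: Dict[str, str]) -> Dict[str, Optional[str]]:
    """Expand the placeholders from the env variables the server hands the plugin."""
    password, otp = split_scrv1(env.get("password", ""))
    return {"USERNAME": env.get("username"), "PASSWORD": password,
            "OTP": otp, "COMMONNAME": env.get("common_name")}


def prompt_matches(pam_prompt: str, prefix: str) -> bool:
    """Only the beginning of the PAM prompt is compared, so 'Verification'
    also matches 'Verification PIN:'.  Skipping leading non-alphanumerics and
    comparing case-insensitively is this example's assumption."""
    i = 0
    while i < len(pam_prompt) and not pam_prompt[i].isalnum():
        i += 1
    return pam_prompt[i:].lower().startswith(prefix.lower())


def answer_prompts(pairs: List[Tuple[str, str]], values: Dict[str, Optional[str]],
                   pam_prompts: List[str]) -> List[str]:
    """Play the PAM conversation: answer each prompt from the first matching pair.
    An unmatched prompt, or a placeholder the client supplied no value for,
    aborts the conversation, so authentication fails closed."""
    answers = []
    for prompt in pam_prompts:
        for prefix, response in pairs:
            if prompt_matches(prompt, prefix):
                if response in PLACEHOLDERS:
                    value = values.get(response)
                    if value is None:
                        raise LookupError(f"client supplied no {response} for prompt {prompt!r}")
                    answers.append(value)
                else:
                    answers.append(response)  # literal response string
                break
        else:
            raise LookupError(f"no argument pair matches PAM prompt {prompt!r}")
    return answers
```

Run answer_prompts() once with an SCRV1 password and once with a bare password: the second raises, because the client supplied no OTP for the Verification prompt. That is the check worth doing before enabling the OTP pair in the plugin line, since a client that is not yet configured with static-challenge must fail rather than log in on the password alone.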


Re: [Openvpn-users] How to send 2nd factor to server ?

2021-04-21 Thread Joe Patterson
What you're looking for is the openvpn challenge/response protocol,
which can be used when authentication is done via the management
interface.

https://openvpn.net/community-resources/management-interface/
describes it a bit.

I know that the MFA portion of the management interface system I wrote
(https://github.com/j-m-patterson/ovpnherder) supports passing TOTP
tokens via static challenge (which is where you put the
"static-challenge" directive in the client config) as well as
concatenating them with the password.

Unfortunately, as far as I can tell, static and dynamic
challenge-response isn't available if you're using a plugin or script
for authentication. So if you're ready to take the plunge into using
the management interface, you can do it.  Otherwise, you're stuck with
concatenating the OTP token to the password.

On Tue, Apr 20, 2021 at 3:59 PM Bogdan Rudas via Openvpn-users
 wrote:
>
> Hello!
>
> I've read a couple of guidelines regarding MFA with OpenVPN and all of them
> mention that the 2nd factor could be either sent as password (with client
> cert auth) or appended to the password string. Well, people tend to enter a
> password when they see the password field.
> At the moment the only straightforward and more or less human-friendly way to
> set up login+password+2fa authentication is to use a kind of 'push token' MFA
> (so the user confirms login in some mobile application).
> OTP, password cards and any other way that demands text input from the user
> demand too much from the users: they need to blindly enter the password, then
> type the 2nd factor, can't see what they type and don't even know if
> authentication failed because of a wrong password or wrong OTP numbers (for
> example).
> Is it possible to ask the user for the 2nd factor like the OpenVPN client asks
> for login and password and send discrete error messages for password and for
> 2nd factor failures?
>
> Thank you.
> --
> Bogdan Rudas
> Director of IT Europe
> Exadel Inc.
> http://www.exadel.com/
> E-mail: bru...@exadel.com
> Skype ID: bogdan.rudas


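An added example, not code from the thread, from ovpnherder or from OpenVPN, of the management-interface side of the dynamic challenge Joe refers to above and that Dajka Tamás's SecurID "next token" flow earlier on the page relies on; it also produces the separate per-factor error messages asked for in the original question at the bottom of the page. The protocol strings (the >CLIENT:CONNECT notification, client-auth-nt, client-deny with a client reason, and the CRV1 challenge and response formats) follow the OpenVPN management-interface documentation. The HMAC-protected state_id, the verifier callbacks and the "next-token" verdict are this example's own design, and the notification lines handed to handle() are constructed inputs.

```python
"""Added example for this page (not code from the thread, from ovpnherder or
from OpenVPN): the management-interface side of a dynamic challenge.

Protocol facts, from the OpenVPN management-interface documentation:
  * with --management-client-auth the daemon receives
    '>CLIENT:CONNECT,<cid>,<kid>', then '>CLIENT:ENV,<name>=<value>' lines,
    then '>CLIENT:ENV,END';
  * it replies 'client-auth-nt <cid> <kid>' or
    'client-deny <cid> <kid> "<log reason>" "<reason shown to client>"';
  * a client reason 'CRV1:<flags>:<state_id>:<base64 username>:<text>' makes
    a challenge-aware client prompt the user and reconnect with the password
    field set to 'CRV1::<state_id>::<response>' (the password is not resent).
The HMAC-protected state_id, the verifier callbacks and the 'next-token'
verdict (modelling RSA SecurID asking for the following tokencode) are this
example's own design."""
import base64
import hashlib
import hmac
import secrets
import time
from typing import Callable, Dict, List, Optional, Tuple

PasswordCheck = Callable[[str, str], bool]
OtpCheck = Callable[[str, str], str]  # returns "ok", "bad" or "next-token"


def parse_client_block(lines: List[str]) -> Tuple[str, str, Dict[str, str]]:
    """One >CLIENT:CONNECT or >CLIENT:REAUTH notification -> (cid, kid, env)."""
    kind, cid, kid = lines[0].split(",")
    if kind not in (">CLIENT:CONNECT", ">CLIENT:REAUTH"):
        raise ValueError(f"unexpected notification {kind!r}")
    env: Dict[str, str] = {}
    for line in lines[1:]:
        if line == ">CLIENT:ENV,END":
            break
        if not line.startswith(">CLIENT:ENV,"):
            raise ValueError(f"unexpected line {line!r}")
        name, _, value = line[len(">CLIENT:ENV,"):].partition("=")
        env[name] = value
    return cid, kid, env


class ChallengeAuth:
    """Password on the first CONNECT, one-time code via CRV1 on the second."""

    def __init__(self, key: bytes, check_password: PasswordCheck,
                 check_otp: OtpCheck, ttl: int = 120):
        self.key, self.ttl = key, ttl
        self.check_password, self.check_otp = check_password, check_otp

    # The state_id is the only evidence on the second round that the password
    # already passed, so it carries a stage, an expiry and an HMAC over the
    # username.  It must not contain ':' (the CRV1 field separator).
    def _mac(self, user: str, body: str) -> str:
        return hmac.new(self.key, f"{user}|{body}".encode(), hashlib.sha256).hexdigest()

    def _make_state(self, user: str, now: int, stage: str) -> str:
        body = f"{stage}.{now + self.ttl}.{secrets.token_hex(8)}"
        return f"{body}.{self._mac(user, body)}"

    def _check_state(self, user: str, state: str, now: int) -> str:
        """Stage name from a valid, unexpired state_id for this user, else ''."""
        try:
            stage, exp, nonce, mac = state.split(".")
            expires = int(exp)
        except ValueError:
            return ""
        body = f"{stage}.{exp}.{nonce}"
        if expires < now or not hmac.compare_digest(self._mac(user, body), mac):
            return ""
        return stage

    def _challenge(self, cid: str, kid: str, user: str, now: int,
                   stage: str, text: str) -> str:
        b64user = base64.b64encode(user.encode()).decode()
        crv1 = f"CRV1:R,E:{self._make_state(user, now, stage)}:{b64user}:{text}"
        return f'client-deny {cid} {kid} "otp required" "{crv1}"'

    def handle(self, lines: List[str], now: Optional[int] = None) -> str:
        """Return the management command to send back for one notification."""
        now = int(time.time()) if now is None else now
        cid, kid, env = parse_client_block(lines)
        user, pw = env.get("username", ""), env.get("password", "")

        if pw.startswith("CRV1::"):
            parts = pw.split(":")  # ['CRV1', '', state_id, '', response]
            if len(parts) != 5:
                return f'client-deny {cid} {kid} "malformed CRV1" "Malformed challenge response"'
            if not self._check_state(user, parts[2], now):
                return f'client-deny {cid} {kid} "stale challenge" "Challenge expired, please reconnect"'
            verdict = self.check_otp(user, parts[4])
            if verdict == "ok":
                return f"client-auth-nt {cid} {kid}"
            if verdict == "next-token":
                return self._challenge(cid, kid, user, now, "next",
                                       "Wait for the next tokencode and enter it")
            return f'client-deny {cid} {kid} "bad otp" "Wrong one-time code"'

        # First round: the user sees a message that names the failed factor.
        if not self.check_password(user, pw):
            return f'client-deny {cid} {kid} "bad password" "Wrong password"'
        return self._challenge(cid, kid, user, now, "otp", "Enter your one-time code")
```

Because the client does not resend the password on the second round, the state_id is the only thing that proves the first factor passed; that is why it is MAC-bound to the username, carries an expiry, and must not contain ':' (the CRV1 separator). Distinct "Wrong password" and "Wrong one-time code" texts are what this thread asks for, but they also tell an attacker which factor was wrong, so pair them with per-user lockout or rate limiting on the password check.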


[Openvpn-users] How to send 2nd factor to server ?

2021-04-20 Thread Bogdan Rudas via Openvpn-users
Hello!

I've read a couple of guidelines regarding MFA with OpenVPN and all of them
mention that the 2nd factor could be either sent as password (with client
cert auth) or appended to the password string. Well, people tend to enter a
password when they see the password field.
At the moment the only straightforward and more or less human-friendly way
to set up login+password+2fa authentication is to use a kind of 'push
token' MFA (so the user confirms login in some mobile application).
OTP, password cards and any other way that demands text input from the user
demand too much from the users: they need to blindly enter the password, then
type the 2nd factor, can't see what they type and don't even know if
authentication failed because of a wrong password or wrong OTP numbers (for
example).
Is it possible to ask the user for the 2nd factor like the OpenVPN client asks
for login and password and send discrete error messages for password and
for 2nd factor failures?

Thank you.
-- 
Bogdan Rudas
Director of IT Europe
Exadel Inc.
http://www.exadel.com/
E-mail: bru...@exadel.com
Skype ID: bogdan.rudas

CONFIDENTIALITY NOTICE: This email and files attached to it are confidential.
If you are not the intended recipient you are hereby notified that using,
copying, distributing or taking any action in reliance on the contents of
this information is strictly prohibited. If you have received this email in
error please notify the sender and delete this email.