[Freeipa-users] FreeIPA 4.5.4 + OpenVPN 2.4.6 + OTP

Hello everyone, I'm having an issue with OTP when logging into a vpn server that is a client of FreeIPA. I can login with no issues when OTP is disabled.

FreeIPA Setup:
CentOS 7.5
FreeIPA 4.5.4
HBAC Service: openvpn

HBAC Rule:

    [root@ipa ~]# ipa hbacrule-show openvpn_access
      Rule name: openvpn_access
      Description: VPN users HBAC rule for accessing <vpnhost> via openvpn service.
      Enabled: TRUE
      Users: 
      Hosts: vpnhost.localdomain.local
      Services: openvpn

User account:

    [root@ipa ~]# ipa user-show 
      User login: 
      First name: 
      Last name: 
      Home directory: /home/
      Login shell: /bin/bash
      Principal name: 
      Principal alias: 
      Email address: 
      UID: 190963
      GID: 190963
      User authentication types: otp
      Certificate: 
      Account disabled: False
      Password: True
      Member of groups: vpn_users
      Member of HBAC rule: openvpn_access
      Indirect Member of HBAC rule: user_ipa_access
      Kerberos keys available: True

OpenVPN server:

/etc/pam.d/openvpn

    #%PAM-1.0
    # This file is auto-generated.
    # User changes will be destroyed the next time authconfig is run.
    auth        required      pam_env.so
    auth        required      pam_faildelay.so delay=200
    auth        [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
    auth        [default=1 ignore=ignore success=ok] pam_localuser.so
    auth        sufficient    pam_unix.so nullok try_first_pass
    auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
    auth        sufficient    pam_sss.so forward_pass
    auth        required      pam_deny.so

    account     required      pam_unix.so
    account     sufficient    pam_localuser.so
    account     sufficient    pam_succeed_if.so uid < 1000 quiet
    account     [default=bad success=ok user_unknown=ignore] pam_sss.so
    account     required      pam_permit.so

    password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1
    password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
    password    sufficient    pam_sss.so use_authtok
    password    required      pam_deny.so

    session     optional      pam_keyinit.so revoke
    session     required      pam_limits.so
    -session    optional      pam_systemd.so
    session     optional      pam_oddjob_mkhomedir.so umask=0077
    session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
    session     required      pam_unix.so
    session     optional      pam_sss.so

server.conf

    plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn

Any help would be greatly appreciated. Any other information that you may need, please feel free to ask. I've read multiple threads; some have gotten it to work without posting answers, some have not and have stated openvpn does not support multiple prompts.

Eric

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
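As an added illustration (not part of Eric's post or of FreeIPA/OpenVPN), this script walks the auth section of the posted /etc/pam.d/openvpn stack using Linux-PAM's control semantics to show which module decides the result: for an IPA user, pam_localuser fails, the default=1 jump skips pam_unix, and pam_sss with forward_pass is the only module that can grant access, so any OTP prompting happens inside pam_sss, downstream of whatever the auth-pam plugin's conversation hands it. The per-module outcomes are constructed inputs, not measurements from the poster's system.

```python
import re
# The auth section of /etc/pam.d/openvpn exactly as posted above.
PAM_AUTH_STACK = """
auth required pam_env.so
auth required pam_faildelay.so delay=200
auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth [default=1 ignore=ignore success=ok] pam_localuser.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so forward_pass
auth required pam_deny.so
"""
# Linux-PAM keyword controls as the equivalent [value=action] maps.
CONTROL_ALIASES = {"required": {"success": "ok", "default": "bad"},
                   "requisite": {"success": "ok", "default": "die"},
                   "sufficient": {"success": "done", "default": "ignore"}}

def parse_stack(text):  # -> [(module, {value: action})]
    entries = []
    for line in text.strip().splitlines():
        ctrl, module = re.match(r"auth\s+(\[[^\]]+\]|\S+)\s+(\S+)", line).groups()
        if ctrl.startswith("["):
            actions = dict(tok.split("=", 1) for tok in ctrl[1:-1].split())
        else:
            actions = CONTROL_ALIASES[ctrl]
        entries.append((module, actions))
    return entries

def evaluate(entries, results):
    """results: module -> 'success'/'failure' (unlisted modules succeed).
    Returns (outcome, module that decided it)."""
    i, first_bad = 0, None
    while i < len(entries):
        module, actions = entries[i]
        action = actions.get(results.get(module, "success"), actions["default"])
        if action.isdigit():        # jump: skip the next N modules
            i += int(action) + 1
            continue
        if action == "done":        # sufficient success ends the stack
            return ("success", module) if first_bad is None else ("failure", first_bad)
        if action == "die":         # requisite failure ends the stack
            return "failure", module
        if action == "bad" and first_bad is None:
            first_bad = module
        i += 1
    return ("failure", first_bad) if first_bad else ("success", None)

def ipa_user_outcome(pam_sss_result):
    """Constructed case: non-local IPA user, so pam_localuser fails and pam_unix is skipped."""
    return evaluate(parse_stack(PAM_AUTH_STACK),
                    {"pam_localuser.so": "failure", "pam_sss.so": pam_sss_result,
                     "pam_deny.so": "failure"})
```

With pam_sss succeeding the stack grants access at pam_sss; with it failing nothing after it can recover, and pam_deny produces the final failure.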