[Freeipa-users] Re: FreeIPA 4.5.4 + OpenVPN 2.4.6 + OTP

2018-11-16 Thread Sumit Bose via FreeIPA-users
On Thu, Nov 08, 2018 at 06:51:22PM -, Eric Fredrickson via FreeIPA-users 
wrote:
> Hello everyone,
> 
> I'm having an issue with OTP when logging into a vpn server that is a client 
> of FreeIPA.  I can login with no issues when OTP is disabled.
> 
> FreeIPA Setup:
> CentOS 7.5
> FreeIPA 4.5.4
> 
> HBAC Service: openvpn
> HBAC Rule:
> [root@ipa ~]# ipa hbacrule-show openvpn_access
>   Rule name: openvpn_access
>   Description: VPN users HBAC rule for accessing <vpnhost> via openvpn service.
>   Enabled: TRUE
>   Users: 
>   Hosts: vpnhost.localdomain.local
>   Services: openvpn
> 
> User account:
> [root@ipa ~]# ipa user-show 
>   User login: 
>   First name: 
>   Last name: 
>   Home directory: /home/
>   Login shell: /bin/bash
>   Principal name: 
>   Principal alias: 
>   Email address: 
>   UID: 190963
>   GID: 190963
>   User authentication types: otp
>   Certificate: 
>   Account disabled: False
>   Password: True
>   Member of groups: vpn_users
>   Member of HBAC rule: openvpn_access
>   Indirect Member of HBAC rule: user_ipa_access
>   Kerberos keys available: True
> 
> OpenVPN server:
> /etc/pam.d/openvpn
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth        required      pam_env.so
> auth        required      pam_faildelay.so delay=200
> auth        [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
> auth        [default=1 ignore=ignore success=ok] pam_localuser.so
> auth        sufficient    pam_unix.so nullok try_first_pass
> auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
> auth        sufficient    pam_sss.so forward_pass
> auth        required      pam_deny.so
> 
> account     required      pam_unix.so
> account     sufficient    pam_localuser.so
> account     sufficient    pam_succeed_if.so uid < 1000 quiet
> account     [default=bad success=ok user_unknown=ignore] pam_sss.so
> account     required      pam_permit.so
> 
> password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1
> password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
> password    sufficient    pam_sss.so use_authtok
> password    required      pam_deny.so
> 
> session     optional      pam_keyinit.so revoke
> session     required      pam_limits.so
> -session    optional      pam_systemd.so
> session     optional      pam_oddjob_mkhomedir.so umask=0077
> session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> session     required      pam_unix.so
> session     optional      pam_sss.so
> 
> server.conf
> plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn

Can you try

plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so sshd

as a workaround? This will use /etc/pam.d/sshd but there shouldn't be
much difference.  It looks like openvpn behaves a bit like sshd here and
adds the string with long term password and token value to every prompt.
Currently pam_sss only expects the 'sshd' PAM service to do so.

bye,
Sumit

> 
> 
> Any help would be greatly appreciated.  Any other information that you may 
> need, please feel free to ask.  I've read multiple threads, some have gotten 
> it to work without posting answers, some have not and has stated openvpn does 
> not support multiple prompts.
> 
> Eric
> ___
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: 
> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
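Sumit's explanation above rests on one convention: with FreeIPA OTP the client hands over the long-term password and the token value as a single string, and the verifying side has to know that it should split the token off the end rather than treat the whole thing as a password. The following is an added example, not code from this thread, from SSSD or from FreeIPA: a small Python model of that server-side decision. It implements RFC 4226/6238 TOTP and a PBKDF2 password check, splits a combined authtok by the token's fixed digit count, and does so only for services listed in SINGLE_PROMPT_SERVICES, a stand-in for the "only the 'sshd' service is expected to do this" behaviour Sumit describes. The TOTP key is the RFC test-vector key, the password, salt and service names are constructed values, and the user is assumed to require OTP (as the "User authentication types: otp" line in the quoted account does).

```python
import hashlib
import hmac
import struct
import time

# Constructed demo values (not from the thread). The TOTP key is the
# RFC 4226/6238 test-vector key so the outputs can be checked by hand.
TOTP_SECRET = b"12345678901234567890"
TOTP_DIGITS = 6          # FreeIPA TOTP tokens default to 6 digits
TOTP_STEP = 30           # seconds per time step
PW_SALT = b"constructed-salt"

# Services known to hand over "password+OTP" in one prompt. This is an
# illustrative stand-in for the check Sumit describes (pam_sss expecting
# only 'sshd' to behave this way); it is not SSSD's own list or code.
SINGLE_PROMPT_SERVICES = {"sshd"}


def hotp(secret: bytes, counter: int, digits: int = TOTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int, step: int = TOTP_STEP, digits: int = TOTP_DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, now // step, digits)


def hash_password(password: str) -> bytes:
    """PBKDF2-HMAC-SHA256 stand-in for the long-term password store."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), PW_SALT, 100_000)


def check_password(stored: bytes, candidate: str) -> bool:
    return hmac.compare_digest(stored, hash_password(candidate))


def split_authtok(authtok: str, digits: int = TOTP_DIGITS):
    """Split 'password' + 'OTP' (no separator) into (password, otp).

    The token has a fixed digit count, so the last `digits` characters are
    the OTP and everything before them is the password. Returns None when
    the string is too short or the tail is not all digits.
    """
    if len(authtok) <= digits:
        return None
    password, otp = authtok[:-digits], authtok[-digits:]
    if not otp.isdigit():
        return None
    return password, otp


def verify(service: str, stored_hash: bytes, authtok: str, secret: bytes,
           now=None, skew_steps: int = 1):
    """Model of the server-side decision for a user who requires OTP.

    Returns (accepted, reason). Only for a service known to present a single
    combined prompt is the token split off and both factors checked. For any
    other service the whole string is forwarded as the password alone; since
    this user must present a token, that attempt cannot succeed, and the user
    sees 'invalid password' although both factors were typed correctly. That
    is the symptom reported in the thread.
    """
    if now is None:
        now = int(time.time())
    if service not in SINGLE_PROMPT_SERVICES:
        return False, "service %r not treated as single-prompt; authtok used as password only" % service
    parts = split_authtok(authtok)
    if parts is None:
        return False, "no %d-digit token at end of authtok" % TOTP_DIGITS
    password, otp = parts
    if not check_password(stored_hash, password):
        return False, "bad password"
    # Accept the current step plus/minus skew_steps to tolerate clock drift.
    for delta in range(-skew_steps, skew_steps + 1):
        if hmac.compare_digest(otp, totp(secret, now + delta * TOTP_STEP)):
            return True, "ok"
    return False, "bad or expired token"


if __name__ == "__main__":
    stored = hash_password("hunter2")
    code = totp(TOTP_SECRET, 59)          # "287082" per the RFC 6238 vectors
    print("openvpn:", verify("openvpn", stored, "hunter2" + code, TOTP_SECRET, now=59))
    print("sshd:   ", verify("sshd", stored, "hunter2" + code, TOTP_SECRET, now=59))
```

Run stand-alone, the same correct password+token string is rejected under the service name "openvpn" and accepted under "sshd", which is exactly the difference the `plugin ... sshd` workaround exploits. The fixed digit count is what makes the split unambiguous; a password that itself ends in six digits is still handled correctly because the split is by position, not by content.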


[Freeipa-users] Re: FreeIPA 4.5.4 + OpenVPN 2.4.6 + OTP

2018-11-16 Thread Andrew Meyer via FreeIPA-users
I have this working w/o HBAC rules and not using OTP. 

On Friday, November 16, 2018 8:21 AM, Eric via FreeIPA-users wrote:

Any luck yet, Kevin?  No luck here yet.

On Fri, Nov 9, 2018 at 10:56 PM, Kevin Vasko wrote:

I'm following this because I'm having same issue. Since the OpenVPN client won't
prompt twice for the second factor I know you have to do the whole
"password+otp" (without the +) but keep getting invalid password.

-Kevin

> On Nov 8, 2018, at 12:51 PM, Eric Fredrickson via FreeIPA-users 
>  wrote:
> [...]


[Freeipa-users] Re: FreeIPA 4.5.4 + OpenVPN 2.4.6 + OTP

2018-11-16 Thread Eric via FreeIPA-users
Any luck yet, Kevin?  No luck here yet.

On Fri, Nov 9, 2018 at 10:56 PM, Kevin Vasko wrote:

I'm following this because I'm having same issue. Since the OpenVPN client won't
prompt twice for the second factor I know you have to do the whole
"password+otp" (without the +) but keep getting invalid password.

-Kevin

> On Nov 8, 2018, at 12:51 PM, Eric Fredrickson via FreeIPA-users 
>  wrote:
> [...]


[Freeipa-users] Re: FreeIPA 4.5.4 + OpenVPN 2.4.6 + OTP

2018-11-09 Thread Kevin Vasko via FreeIPA-users
I’m following this because I’m having same issue. Since the OpenVPN client 
won’t prompt twice for the second factor I know you have to do the whole 
“password+otp” (without the +) but keep getting invalid password.

-Kevin

> On Nov 8, 2018, at 12:51 PM, Eric Fredrickson via FreeIPA-users 
>  wrote:
> [...]