Re: [Freeipa-users] OTP integrations

2015-04-01 Thread Simo Sorce
On Wed, 2015-04-01 at 12:33 -0400, Dmitri Pal wrote:
> On 04/01/2015 12:29 PM, Andrew Holway wrote:
> >
> > Yes. But stored in LDAP.
> >
> >
> > Stored in LDAP salted I assume?
> >
> Yes. As the standard prescribes.

Except for the RC4 keys, but the whole keyset is encrypted with the
master key, so the hashes cannot be seen even if you have access to the
LDAP attribute.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] OTP integrations

2015-04-01 Thread Dmitri Pal

On 04/01/2015 12:29 PM, Andrew Holway wrote:
>> Yes. But stored in LDAP.
>
> Stored in LDAP salted I assume?

Yes. As the standard prescribes.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.


Re: [Freeipa-users] OTP integrations

2015-04-01 Thread Andrew Holway
>
> Yes. But stored in LDAP.
>

Stored in LDAP salted I assume?

Re: [Freeipa-users] OTP integrations

2015-04-01 Thread Dmitri Pal

On 04/01/2015 11:46 AM, Andrew Holway wrote:
> Thanks Alexander.
>
> What happens to the passwords? Are they hashed by Kerberos?

Yes. But stored in LDAP.




Re: [Freeipa-users] OTP integrations

2015-04-01 Thread Andrew Holway
Thanks Alexander.

What happens to the passwords? Are they hashed by Kerberos?

On 1 April 2015 at 15:14, Alexander Bokovoy  wrote:

> On Wed, 01 Apr 2015, Andrew Holway wrote:
>
>> Please could someone explain to me what is happening internally?
>>
>> In my head I have the following process
>>
>> The openvpn pam module sends the username and password to pam.
>> Pam passes this onto sssd
>> sssd then does the kerberos thing
>> kerberos passes the password to the LDAP
>>
> KDC passes request to ipa-otpd daemon (our RADIUS-like proxy) which then
> binds to IPA LDAP to verify the password
>
>> some LDAP module takes the password from the database, appends on the OTP
>> and actually does the auth...
>>
> Yes, the rest is correct.
>
> http://www.freeipa.org/images/d/d1/FreeIPA_OTP.png is the full picture
> from on "the Kerberos thing"
>
> --
> / Alexander Bokovoy
>

Re: [Freeipa-users] OTP integrations

2015-04-01 Thread Alexander Bokovoy

On Wed, 01 Apr 2015, Andrew Holway wrote:
> Please could someone explain to me what is happening internally?
>
> In my head I have the following process
>
> The openvpn pam module sends the username and password to pam.
> Pam passes this onto sssd
> sssd then does the kerberos thing
> kerberos passes the password to the LDAP

KDC passes request to ipa-otpd daemon (our RADIUS-like proxy) which then
binds to IPA LDAP to verify the password

> some LDAP module takes the password from the database, appends on the OTP
> and actually does the auth...

Yes, the rest is correct.

http://www.freeipa.org/images/d/d1/FreeIPA_OTP.png is the full picture
from on "the Kerberos thing"




--
/ Alexander Bokovoy



Re: [Freeipa-users] OTP integrations

2015-04-01 Thread Andrew Holway
Please could someone explain to me what is happening internally?

In my head I have the following process

The openvpn pam module sends the username and password to pam.
Pam passes this onto sssd
sssd then does the kerberos thing
kerberos passes the password to the LDAP
some LDAP module takes the password from the database, appends on the OTP
and actually does the auth...



Re: [Freeipa-users] OTP integrations

2015-04-01 Thread Andrew Holway
> It is simple to configure OpenVPN with authentication against FreeIPA in
> Fedora 21, all the heavy lifting is done by SSSD:

I have to say that this sssd / pam method is working very very well.

I do however need to get my head around radius. Something for a rainy
Sunday I think :).





Re: [Freeipa-users] OTP integrations

2015-04-01 Thread Alexander Bokovoy

On Tue, 31 Mar 2015, Dmitri Pal wrote:
> On 03/31/2015 05:30 PM, Andrew Holway wrote:
>> Hello FreeIPA people,
>>
>> I must say that FreeIPA v4 looks very pretty and I am looking
>> forward to trying out the new features.
>>
>> I'm wondering what application and tools can be used to authenticate
>> with the OTP in freeipa. For instance, if we wanted to set up a VPN
>> that uses it how might we go about that? Is there a common library
>> that I should look out for?
>
> With VPN you usually do the following:
> a) Pick a VPN of your choice based on features and needs you have
> b) Make sure the VPN server supports different authentication methods.
> You need at least RADIUS which is the most popular option and I would
> be surprised to find a VPN server that does not talk RADIUS to actually
> do the authentication.
> c) Set up a freeRADIUS server on a Fedora 21/RHEL 7.1/CentOS 7.1 (when it
> happens) box, configure it to do kinit authentication or pam
> authentication via SSSD against IPA, see freeRADIUS manuals for more
> details
> d) Connect VPN server to the RADIUS server
> e) Provision tokens (or hook IPA to existing OTP solution using
> another RADIUS server)
> f) Profit
>
> If you have an application that can use RADIUS in such setup you can
> use FreeIPA 2FA.
> Also see http://www.freeipa.org/page/Web_App_Authentication how to
> enable any web application to take advantage of the IPA authentication
> including 2FA.

It is simple to configure OpenVPN with authentication against FreeIPA in
Fedora 21, all the heavy lifting is done by SSSD:

# grep plugin /etc/openvpn/server.conf
plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so "openvpn login USERNAME password PASSWORD"

# LANG=C ls -l /etc/pam.d/openvpn 
lrwxrwxrwx. 1 root root 11 Apr  1 10:55 /etc/pam.d/openvpn -> system-auth


# LANG=C ipa user-show vpnuser
 User login: vpnuser
 First name: VPN
 Last name: TestUser
 Home directory: /home/vpnuser
 Login shell: /bin/sh
 Email address: vpnu...@example.com
 UID: 179265
 GID: 179265
 Account disabled: False
 User authentication types: otp
 Password: True
 Member of groups: ipausers
 Kerberos keys available: True

Apr 01 11:24:50 ipa.example.com openvpn[29723]: AUTH-PAM: BACKGROUND: received command code: 0
Apr 01 11:24:50 ipa.example.com openvpn[29723]: AUTH-PAM: BACKGROUND: USER: vpnuser
Apr 01 11:24:50 ipa.example.com openvpn[29723]: AUTH-PAM: BACKGROUND: my_conv[0] query='login:' style=2
Apr 01 11:24:50 ipa.example.com openvpn[29723]: AUTH-PAM: BACKGROUND: name match found, query/match-string ['login:', 'login'] = 'USERNAME'
Apr 01 11:24:50 ipa.example.com openvpn[29723]: AUTH-PAM: BACKGROUND: my_conv[0] query='Password: ' style=1
Apr 01 11:24:50 ipa.example.com openvpn[29723]: AUTH-PAM: BACKGROUND: name match found, query/match-string ['Password: ', 'password'] = 'PASSWORD'
Apr 01 11:24:50 ipa.example.com openvpn[29724]: pam_unix(openvpn:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=vpnuser
Apr 01 11:24:53 ipa.example.com openvpn[29724]: pam_sss(openvpn:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost= user=vpnuser
Apr 01 11:24:55 ipa.example.com openvpn[29732]: MY-IP_ADDRESS:50232 PLUGIN_CALL: POST /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=0
Apr 01 11:24:55 ipa.example.com openvpn[29732]: MY-IP-ADDRESS:50232 TLS: Username/Password authentication succeeded for username 'vpnuser'


--
/ Alexander Bokovoy

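To turn the pam_unix-fails-then-pam_sss-succeeds sequence in the journal above into something an operator can alert on, here is an added example (my code, not Alexander's or the FreeIPA project's) that correlates the pam_*(openvpn:auth) verdict lines per auth-pam worker PID and user into login attempts, separating the expected pam_unix noise from a real pam_sss rejection. The log lines inside it are constructed, modelled on the excerpt above; the assumption that pam_unix runs before a 'sufficient' pam_sss comes from the default Fedora system-auth stack.

```python
"""Correlate OpenVPN auth-pam journal lines into per-attempt PAM outcomes.

Added example (not from the thread or the FreeIPA project). With
/etc/pam.d/openvpn -> system-auth, pam_unix has no local credential for an
IPA user, so pam_unix failure followed by pam_sss success is a good login.
"""
import re

# Constructed sample, modelled on the journal excerpt in the thread:
# one good login (pam_unix fails, pam_sss succeeds) and one bad password/OTP.
SAMPLE_LOG = """\
Apr 01 11:24:50 ipa.example.com openvpn[29723]: AUTH-PAM: BACKGROUND: USER: vpnuser
Apr 01 11:24:50 ipa.example.com openvpn[29724]: pam_unix(openvpn:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=vpnuser
Apr 01 11:24:53 ipa.example.com openvpn[29724]: pam_sss(openvpn:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost= user=vpnuser
Apr 01 11:24:55 ipa.example.com openvpn[29732]: MY-IP-ADDRESS:50232 TLS: Username/Password authentication succeeded for username 'vpnuser'
Apr 01 11:30:02 ipa.example.com openvpn[29724]: pam_unix(openvpn:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=vpnuser
Apr 01 11:30:05 ipa.example.com openvpn[29724]: pam_sss(openvpn:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=vpnuser
"""

# Only the pam_<module>(openvpn:auth) lines carry each module's verdict.
PAM_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ openvpn\[(?P<pid>\d+)\]: "
    r"(?P<module>pam_\w+)\(openvpn:auth\): authentication "
    r"(?P<result>success|failure);.* user=(?P<user>\S+)$"
)

def parse_pam_events(log_text):
    """Return (timestamp, pid, module, result, user) for every PAM verdict line."""
    events = []
    for line in log_text.splitlines():
        m = PAM_RE.match(line)
        if m:
            events.append((m["ts"], m["pid"], m["module"], m["result"], m["user"]))
    return events

def _close(rec):
    verdicts = dict(rec["modules"])
    rec["outcome"] = "success" if "success" in verdicts.values() else "failure"
    # Expected noise: pam_unix cannot check the IPA password+OTP, pam_sss accepted it.
    rec["unix_noise_only"] = (
        verdicts.get("pam_unix") == "failure" and verdicts.get("pam_sss") == "success"
    )
    return rec

def summarize_attempts(log_text):
    """Group PAM verdicts per (auth-pam worker pid, user) into login attempts."""
    attempts, pending = [], {}
    for ts, pid, module, result, user in parse_pam_events(log_text):
        key = (pid, user)
        # pam_unix is first in system-auth, so a new pam_unix line opens a new attempt
        # for the same long-lived auth-pam worker process.
        if module == "pam_unix" and key in pending:
            attempts.append(_close(pending.pop(key)))
        rec = pending.setdefault(key, {"pid": pid, "user": user, "start": ts, "modules": []})
        rec["modules"].append((module, result))
        if result == "success":  # pam_sss is 'sufficient': a success ends the attempt
            attempts.append(_close(pending.pop(key)))
    attempts.extend(_close(rec) for rec in pending.values())
    return attempts

def real_failures(log_text):
    """Attempts that pam_sss (i.e. IPA) actually rejected; these are worth alerting on."""
    return [a for a in summarize_attempts(log_text) if a["outcome"] == "failure"]

if __name__ == "__main__":
    for a in summarize_attempts(SAMPLE_LOG):
        print(a["start"], a["user"], a["outcome"], "noise-only" if a["unix_noise_only"] else "")
```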


Re: [Freeipa-users] OTP integrations

2015-03-31 Thread Dmitri Pal

On 03/31/2015 05:30 PM, Andrew Holway wrote:
> Hello FreeIPA people,
>
> I must say that FreeIPA v4 looks very pretty and I am looking forward
> to trying out the new features.
>
> I'm wondering what application and tools can be used to authenticate
> with the OTP in freeipa. For instance, if we wanted to set up a VPN
> that uses it how might we go about that? Is there a common library
> that I should look out for?

With VPN you usually do the following:
a) Pick a VPN of your choice based on features and needs you have
b) Make sure the VPN server supports different authentication methods.
You need at least RADIUS which is the most popular option and I would be
surprised to find a VPN server that does not talk RADIUS to actually do the
authentication.
c) Set up a freeRADIUS server on a Fedora 21/RHEL 7.1/CentOS 7.1 (when it
happens) box, configure it to do kinit authentication or pam
authentication via SSSD against IPA, see freeRADIUS manuals for more details
d) Connect VPN server to the RADIUS server
e) Provision tokens (or hook IPA to existing OTP solution using another
RADIUS server)
f) Profit

If you have an application that can use RADIUS in such setup you can use
FreeIPA 2FA.
Also see http://www.freeipa.org/page/Web_App_Authentication how to
enable any web application to take advantage of the IPA authentication
including 2FA.

> Thanks,
>
> Andrew

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
