On Tue, 31 Mar 2015, Dmitri Pal wrote:
On 03/31/2015 05:30 PM, Andrew Holway wrote:
Hello FreeIPA people,
I must say that FreeIPA v4 looks very pretty and I am looking
forward to trying out the new features.
I'm wondering what applications and tools can be used to authenticate
with the OTP in FreeIPA. For instance, if we wanted to set up a VPN
that uses it, how might we go about that? Is there a common library
that I should look out for?
With VPN you usually do the following:
a) Pick a VPN of your choice based on features and needs you have
b) Make sure the VPN server supports different authentication methods.
You need at least RADIUS, which is the most popular option, and I would
be surprised to find a VPN server that does not talk RADIUS to actually
do the authentication.
c) Set up a freeRADIUS server on a Fedora 21/RHEL 7.1/CentOS 7.1 (when it
happens) box, configure it to do kinit authentication or PAM
authentication via SSSD against IPA; see the freeRADIUS manuals for more
details
d) Connect VPN server to the RADIUS server
e) Provision tokens (or hook IPA to existing OTP solution using
another RADIUS server)
f) Profit
If you have an application that can use RADIUS in such a setup, you can
use FreeIPA 2FA.
Also see http://www.freeipa.org/page/Web_App_Authentication for how to
enable any web application to take advantage of IPA authentication,
including 2FA.
It is simple to configure OpenVPN with authentication against FreeIPA in
Fedora 21; all the heavy lifting is done by SSSD:
# grep plugin /etc/openvpn/server.conf
plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so "openvpn login USERNAME password PASSWORD"
# LANG=C ls -l /etc/pam.d/openvpn
lrwxrwxrwx. 1 root root 11 Apr 1 10:55 /etc/pam.d/openvpn -> system-auth
# LANG=C ipa user-show vpnuser
User login: vpnuser
First name: VPN
Last name: TestUser
Home directory: /home/vpnuser
Login shell: /bin/sh
Email address: [email protected]
UID: 1792600005
GID: 1792600005
Account disabled: False
User authentication types: otp
Password: True
Member of groups: ipausers
Kerberos keys available: True
Apr 01 11:24:50 ipa.example.com openvpn[29723]: AUTH-PAM: BACKGROUND: received command code: 0
Apr 01 11:24:50 ipa.example.com openvpn[29723]: AUTH-PAM: BACKGROUND: USER: vpnuser
Apr 01 11:24:50 ipa.example.com openvpn[29723]: AUTH-PAM: BACKGROUND: my_conv[0] query='login:' style=2
Apr 01 11:24:50 ipa.example.com openvpn[29723]: AUTH-PAM: BACKGROUND: name match found, query/match-string ['login:', 'login'] = 'USERNAME'
Apr 01 11:24:50 ipa.example.com openvpn[29723]: AUTH-PAM: BACKGROUND: my_conv[0] query='Password: ' style=1
Apr 01 11:24:50 ipa.example.com openvpn[29723]: AUTH-PAM: BACKGROUND: name match found, query/match-string ['Password: ', 'password'] = 'PASSWORD'
Apr 01 11:24:50 ipa.example.com openvpn[29724]: pam_unix(openvpn:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=vpnuser
Apr 01 11:24:53 ipa.example.com openvpn[29724]: pam_sss(openvpn:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost= user=vpnuser
Apr 01 11:24:55 ipa.example.com openvpn[29732]: MY-IP_ADDRESS:50232 PLUGIN_CALL: POST /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=0
Apr 01 11:24:55 ipa.example.com openvpn[29732]: MY-IP-ADDRESS:50232 TLS: Username/Password authentication succeeded for username 'vpnuser'
--
/ Alexander Bokovoy
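The log excerpt above shows the pattern an administrator will see for every IPA user on an OpenVPN host using the auth-pam plugin with system-auth: pam_unix reports a failure first (the user has no local /etc/shadow entry), then pam_sss reports success after SSSD has verified the password+OTP against IPA. Because that first failure line is benign, naive alerting on "authentication failure" produces noise, while a login accepted by pam_unix instead of pam_sss is the interesting case, since a local account never passed through the IPA OTP policy. The following script is an added example, not code from the thread or from the FreeIPA or OpenVPN projects; it groups the PAM lines by OpenVPN worker PID and user, decides which backend accepted each attempt, and lists the attempts that did not go through IPA. The sample log lines are constructed in the style of the output quoted above.

```python
import re

# Constructed sample syslog lines modelled on the OpenVPN/PAM output in the
# thread. PID 29724 is the normal IPA pattern (pam_unix fails, pam_sss succeeds),
# PID 29801 is a real failure (both modules reject), and PID 29810 is a login
# accepted by pam_unix, i.e. a local account that bypassed the IPA OTP policy.
SAMPLE_LOG = """\
Apr 01 11:24:50 ipa.example.com openvpn[29724]: pam_unix(openvpn:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=vpnuser
Apr 01 11:24:53 ipa.example.com openvpn[29724]: pam_sss(openvpn:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost= user=vpnuser
Apr 01 11:24:55 ipa.example.com openvpn[29732]: MY-IP-ADDRESS:50232 TLS: Username/Password authentication succeeded for username 'vpnuser'
Apr 01 11:30:02 ipa.example.com openvpn[29801]: pam_unix(openvpn:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=vpnuser
Apr 01 11:30:05 ipa.example.com openvpn[29801]: pam_sss(openvpn:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=vpnuser
Apr 01 11:31:10 ipa.example.com openvpn[29810]: pam_unix(openvpn:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost= user=localadmin
"""

# Matches the standard "pam_<module>(<service>:auth): authentication <result>; ... user=<name>"
# lines that pam_unix and pam_sss write; the OpenVPN worker PID identifies one attempt.
PAM_AUTH_RE = re.compile(
    r"openvpn\[(?P<pid>\d+)\]: pam_(?P<module>\w+)\((?P<service>[^:)]+):auth\): "
    r"authentication (?P<result>success|failure);.*\buser=(?P<user>\S+)"
)


def parse_pam_events(log_text):
    """Yield (pid, module, result, user) for every PAM auth line emitted by openvpn."""
    for line in log_text.splitlines():
        m = PAM_AUTH_RE.search(line)
        if m:
            yield m.group("pid"), m.group("module"), m.group("result"), m.group("user")


def classify_attempts(log_text):
    """Group PAM events by (pid, user) and name the backend that accepted the login.

    Returns an insertion-ordered dict mapping (pid, user) to one of:
      "ipa"    - pam_sss succeeded (SSSD verified the credentials against IPA)
      "local"  - some other module (in practice pam_unix) succeeded
      "failed" - no module accepted the credentials
    A pam_unix failure followed by a pam_sss success is the expected IPA pattern
    and is classified as "ipa", not as a failure.
    """
    events = {}
    for pid, module, result, user in parse_pam_events(log_text):
        events.setdefault((pid, user), []).append((module, result))

    outcomes = {}
    for key, modules in events.items():
        succeeded = [mod for mod, res in modules if res == "success"]
        if "sss" in succeeded:
            outcomes[key] = "ipa"
        elif succeeded:
            outcomes[key] = "local"
        else:
            outcomes[key] = "failed"
    return outcomes


def suspicious_attempts(log_text):
    """Return (pid, user, outcome) for every attempt that was not authenticated by IPA."""
    return [
        (pid, user, outcome)
        for (pid, user), outcome in classify_attempts(log_text).items()
        if outcome != "ipa"
    ]


if __name__ == "__main__":
    for pid, user, outcome in suspicious_attempts(SAMPLE_LOG):
        print(f"pid={pid} user={user} outcome={outcome}")
```

Feeding the script a real journal export (for example `journalctl -u openvpn@server` piped into it) gives the same three outcomes; the "local" class is the one worth reviewing on a host where every VPN user is supposed to have `User authentication types: otp` set in IPA, as vpnuser does in the `ipa user-show` output above.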