On Wed, 01 Apr 2015, Andrew Holway wrote:
Please could someone explain to me what is happening internally?
In my head I have the following process....
The OpenVPN PAM module sends the username and password to PAM.
PAM passes this on to sssd.
sssd then does the Kerberos thing.
Kerberos passes the password to the LDAP.
KDC passes the request to the ipa-otpd daemon (our RADIUS-like proxy), which then binds to IPA LDAP to verify the password.
Some LDAP module takes the password from the database, appends the OTP and actually does the auth...
Yes, the rest is correct.
http://www.freeipa.org/images/d/d1/FreeIPA_OTP.png is the full picture from "the Kerberos thing" onward.
On 1 April 2015 at 13:15, Andrew Holway <[email protected]> wrote:
It is simple to configure OpenVPN with authentication against FreeIPA in Fedora 21; all the heavy lifting is done by SSSD:
I have to say that this sssd / pam method is working very very well.
I do however need to get my head around RADIUS. Something for a rainy Sunday I think :).
# grep plugin /etc/openvpn/server.conf
plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so "openvpn login USERNAME password PASSWORD"
# LANG=C ls -l /etc/pam.d/openvpn
lrwxrwxrwx. 1 root root 11 Apr 1 10:55 /etc/pam.d/openvpn -> system-auth
# LANG=C ipa user-show vpnuser
User login: vpnuser
First name: VPN
Last name: TestUser
Home directory: /home/vpnuser
Login shell: /bin/sh
Email address: [email protected]
UID: 1792600005
GID: 1792600005
Account disabled: False
User authentication types: otp
Password: True
Member of groups: ipausers
Kerberos keys available: True
Apr 01 11:24:50 ipa.example.com openvpn[29723]: AUTH-PAM: BACKGROUND: received command code: 0
Apr 01 11:24:50 ipa.example.com openvpn[29723]: AUTH-PAM: BACKGROUND: USER: vpnuser
Apr 01 11:24:50 ipa.example.com openvpn[29723]: AUTH-PAM: BACKGROUND: my_conv[0] query='login:' style=2
Apr 01 11:24:50 ipa.example.com openvpn[29723]: AUTH-PAM: BACKGROUND: name match found, query/match-string ['login:', 'login'] = 'USERNAME'
Apr 01 11:24:50 ipa.example.com openvpn[29723]: AUTH-PAM: BACKGROUND: my_conv[0] query='Password: ' style=1
Apr 01 11:24:50 ipa.example.com openvpn[29723]: AUTH-PAM: BACKGROUND: name match found, query/match-string ['Password: ', 'password'] = 'PASSWORD'
Apr 01 11:24:50 ipa.example.com openvpn[29724]: pam_unix(openvpn:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=vpnuser
Apr 01 11:24:53 ipa.example.com openvpn[29724]: pam_sss(openvpn:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost= user=vpnuser
Apr 01 11:24:55 ipa.example.com openvpn[29732]: MY-IP_ADDRESS:50232 PLUGIN_CALL: POST /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=0
Apr 01 11:24:55 ipa.example.com openvpn[29732]: MY-IP-ADDRESS:50232 TLS: Username/Password authentication succeeded for username 'vpnuser'
--
/ Alexander Bokovoy
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
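As an added example (not part of the thread), a small Python audit over journal lines like those above: it correlates each pam_* record with OpenVPN's final decision per user and flags logins granted by pam_unix, which would mean a local account answered instead of SSSD/IPA and the OTP check never ran. The log lines are constructed to mirror the ones in the thread; hostnames and addresses are placeholders.

```python
import re

# Constructed sample journal lines modelled on the thread (not the original).
# pam_unix failing before pam_sss succeeds is expected when the account lives
# only in IPA; a pam_unix *success* means a local account bypassed IPA and OTP.
SAMPLE_LOG = """\
Apr 01 11:24:50 vpn openvpn[29724]: pam_unix(openvpn:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=vpnuser
Apr 01 11:24:53 vpn openvpn[29724]: pam_sss(openvpn:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost= user=vpnuser
Apr 01 11:24:55 vpn openvpn[29732]: 203.0.113.5:50232 TLS: Username/Password authentication succeeded for username 'vpnuser'
Apr 01 11:30:02 vpn openvpn[29724]: pam_unix(openvpn:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost= user=localadmin
Apr 01 11:30:02 vpn openvpn[29732]: 203.0.113.7:50310 TLS: Username/Password authentication succeeded for username 'localadmin'
Apr 01 11:31:40 vpn openvpn[29724]: pam_sss(openvpn:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=vpnuser
Apr 01 11:31:40 vpn openvpn[29732]: 203.0.113.9:50400 TLS: Username/Password authentication failed for username 'vpnuser'
"""

PAM_RE = re.compile(r"(?P<module>pam_\w+)\(openvpn:auth\): authentication "
                    r"(?P<result>success|failure);.*\buser=(?P<user>\S+)")
TLS_RE = re.compile(r"TLS: Username/Password authentication (?P<result>succeeded|failed) "
                    r"for username '(?P<user>[^']+)'")
# Which PAM module granted access decides how a success should be classified.
OUTCOME_BY_MODULE = {"pam_sss": "ok", "pam_unix": "local-account"}


def audit(log_text):
    """Return (user, outcome, module) per OpenVPN decision, where module is the
    pam_* module that last reported success for that user (None if none did)
    and outcome is 'ok', 'local-account', 'unknown-module' or 'failed'."""
    granted_by = {}  # user -> module that last reported success
    findings = []
    for line in log_text.splitlines():
        pam = PAM_RE.search(line)
        if pam:
            if pam["result"] == "success":
                granted_by[pam["user"]] = pam["module"]
            continue
        tls = TLS_RE.search(line)
        if not tls:
            continue
        module = granted_by.pop(tls["user"], None)  # reset for the next attempt
        if tls["result"] == "failed":
            outcome = "failed"
        else:
            outcome = OUTCOME_BY_MODULE.get(module, "unknown-module")
        findings.append((tls["user"], outcome, module))
    return findings


if __name__ == "__main__":
    for user, outcome, module in audit(SAMPLE_LOG):
        print(f"{user:12} {outcome:15} via {module}")
```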