doesn't work with Google Authenticator

Florin Andrei

Apr 10, 2018, 4:59:34 PM
to tunnelblick-discuss
# cat /etc/pam.d/openvpn
auth required /usr/local/lib/security/pam_google_authenticator.so secret=/etc/openvpn/google-auth-users/${USER} user=root no_strict_owner echo_verification_code debug forward_pass
auth    required    pam_radius_auth.so debug use_first_pass
account    required    pam_permit.so debug

# tail -n 1 /etc/openvpn/multifactor.conf
plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so openvpn

In the client I have:

auth-user-pass
auth-retry interact
ns-cert-type server

In the PAM file on the server, if I comment out pam_google_authenticator and I remove use_first_pass from the Radius module, then I can authenticate just fine against FreeRadius.

The problem is, I can't make it work with pam_google_authenticator. I've tried that module alone (without forward_pass, and commenting out the Radius module). I've tried it stacked with Radius as shown above. Nothing works.

All systems are synced via NTP.

The codes are generated with the Google Authenticator app on Android.

More details:

https://github.com/google/google-authenticator-libpam/issues/95

Has anyone succeeded using Google Authenticator with openvpn and Tunnelblick?

Tunnelblick developer

Apr 10, 2018, 5:05:41 PM
to tunnelblick-discuss

Florin Andrei

Apr 10, 2018, 7:28:46 PM
to tunnelblick-discuss
Well, according to that issue, it's possible to configure it so that the 2fa code is appended to the password and both are sent together as a "password" - pam_google_authenticator should be able to remove the 2fa code and send just the password down the PAM stack.

In fact, I had this exact configuration working, a few years ago, with Tunnelblick - but I was using Yubico for 2fa instead of Google Auth. I remember that used to work very well.

There's something different about Google Auth that I can't figure out.
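
An added example, not part of the original thread and not pam_google_authenticator's own code: a Python sketch of the forward_pass behaviour described above, where the trailing six digits of the submitted "password" are checked as an RFC 6238 TOTP code and the remainder is what the next PAM module would receive. The function names, the window parameter and the sample passwords are assumptions; the secret is the published RFC 6238 test key.

```python
import base64
import hashlib
import hmac
import struct

# RFC 6238 test key ("12345678901234567890") in base32, as an authenticator app stores it.
SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

def totp(secret_b32, unix_time, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1) for a base32 secret at a given Unix time."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = struct.pack(">Q", int(unix_time) // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def split_forwarded(combined, digits=6):
    """Split 'password' + code into (password, code); None if malformed."""
    code = combined[-digits:]
    # Assumption of this sketch: an empty password part is rejected.
    if len(combined) <= digits or not (code.isascii() and code.isdigit()):
        return None
    return combined[:-digits], code

def check_forwarded(combined, secret_b32, unix_time, window=1, step=30):
    """Return the bare password for the next module, or None on failure.

    window is the number of 30-second steps of clock drift tolerated
    on either side of the server's current time.
    """
    parts = split_forwarded(combined)
    if parts is None:
        return None
    password, code = parts
    for drift in range(-window, window + 1):
        expected = totp(secret_b32, unix_time + drift * step, step)
        if hmac.compare_digest(expected, code):  # constant-time compare
            return password
    return None

if __name__ == "__main__":
    # Constructed input: password "hunter2" followed by the code valid at t=59.
    print(check_forwarded("hunter2287082", SECRET, 59))
```

Running totp() on the server with a user's secret and comparing the result with the app's current code separates a secret or clock mismatch from a problem in how the client sends the combined string.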