using pam_linotp along with openvpn and openvpn's ldap plugin


alext...@gmail.com
Feb 10, 2014, 4:05:03 AM
to lin...@googlegroups.com
Hello,

I am using pam_linotp module to authenticate OpenVPN users against LinOTP server. My purpose is to use this pam_linotp module along with openvpn's plugin (openvpn-auth-ldap) for authentication against an ldap.

Before, I was using openvpn-auth-ldap plugin and google-authenticator pam module and a user would provide the client an ldap password and the OTP like <ldap.pass+OTP> (the openvpn server configuration says... first:ldap authentication, second: OTP check).

Replacing google-authenticator pam with pam_linotp module doesn't work providing <ldap.pass+PIN+OTP>.

logs:
-linotp server:

2014/02/10 - 10:38:50 WARNI {140235505108736} [linotp.lib.token][finish_check_TokenList #1310] [__checkTokenList] user u'username'@u'local' failed to authenticate.

-openvpn server:

Mon Feb 10 10:38:45 2014 us=240636 clientIP:1036 PLUGIN_CALL: POST /usr/lib/openvpn/plugin/lib/openvpn-auth-ldap.so/PLUGIN_AUTH_USER_PASS_VERIFY status=0
--(the above mean ldap-plugin authentication success!!)--
AUTH-PAM: BACKGROUND: received command code: 0
AUTH-PAM: BACKGROUND: USER: username
AUTH-PAM: BACKGROUND: my_conv[0] query='Your OTP:' style=1
AUTH-PAM: BACKGROUND: user 'username' failed to authenticate: Authentication failure


My questions are:

- am I doing something wrong?
or
- pam_linotp is not made to work like this?


thank you,
Alex

Cornelius Kölbel
Feb 10, 2014, 4:26:58 AM
to lin...@googlegroups.com
Hi Alex,

if you are only using pam_linotp, everything that is typed at the
prompt "Your OTP" is sent to the LinOTP server.
Everything-that-is-typed-at-the-prompt-Your-OTP may be a
fixedpassword+otpvalue.

So the pam-linotp module has a simple logic, just forwarding the
complete "password" to the LinOTP server.
The LinOTP server now needs to split "fixedpassword+otpvalue".

It does this, as it knows how long the otpvalue of the tokens of a user
can be, so it gets the "fixedpassword".

LinOTP now has different means to validate the "fixedpassword". It can
use an OTP-PIN, that was set for this very token, or it can authenticate
the user within the useridresolver.

In case of passwdresolver, this would be a crypted password in the file,
in case of LDAP it would be a bind with the password against the ldap
server.
Unfortunately, the LDAPresolver is not part of the community edition. To
use the ldap resolver, you need to license the enterprise edition.

In your scenario you could take a different approach, by stacking
several pam modules:

auth required pam_ldap
auth required pam_linotp

Thus you would get two password prompts, but you could enter ldap
password, otp pin and otp value.

Kind regards
Cornelius
--
Cornelius Kölbel
(Head of Product Management)
http://www.lsexperts.de
LSE Leading Security Experts GmbH, Postfach 100121, 64201 Darmstadt
Tel: +49 6151 86086-252, Fax: -299, Mobil: +49 160 96307089
Unternehmenssitz: Weiterstadt, Amtsgericht Darmstadt: HRB8649
Geschaeftsfuehrer: Oliver Michel, Sven Walther



alext...@gmail.com
Feb 10, 2014, 7:52:11 AM
to lin...@googlegroups.com
Hi Cornelius,

> In your scenario you could take a different approach, by stacking
> several pam modules:
>
> auth required pam_ldap
>
> auth required pam_linotp
>
> Thus you would get two password prompts, but you could enter ldap
> password, otp pin and otp value.

I already use auth-ldap openvpn's plugin which suits me well, so I wouldn't try pam_ldap, so...

so far I understand that pam_linotp takes <fixedpassword+otpvalue> and passes it to LinOTP server. There it is split to <fixedpassword> and <otpvalue>. <otpvalue> is checked against the OTP and <fixedpassword> against:

- PIN OTP
- passwd - useridresolver = passwdresolver
- ldap - useridresolver = ldap (in enterprise edition)

(no order, whatever is configured)

- So, how can I not set an OTP-PIN? Just not typing anything when prompted?
- Using the passwdresolver and not setting an OTP-PIN, the <fixedpassword> should be checked against passwd.
- How can I change the "style=1" value in pam_linotp so I can see in pam logs what is the password sent to the linotp server?

Can the above be set?


thanks in advance,
Alex

Cornelius Kölbel
Feb 10, 2014, 9:36:04 AM
to lin...@googlegroups.com

On 10.02.2014 13:52, alext...@gmail.com wrote:
> Hi Cornelius,
>
>> In your scenario you could take a different approach, by stacking
>> several pam modules:
>>
>> auth required pam_ldap
>>
>> auth required pam_linotp
>>
>> Thus you would get two password prompts, but you could enter ldap
>> password, otp pin and otp value.
> I already use auth-ldap openvpn's plugin which suits me well, so I wouldn't try pam_ldap, so...
>
> so far I understand that pam_linotp takes <fixedpassword+otpvalue> and passes it to LinOTP server. There it is split to <fixedpassword> and <otpvalue>. <otpvalue> is checked against the OTP and <fixedpassword> against:
>
> - PIN OTP
> - passwd - useridresolver = passwdresolver
> - ldap - useridresolver = ldap (in enterprise edition)
>
> (no order, whatever is configured)
>
> - So, how can I not set an OTP-PIN ? just not typing anything when prompt ?

You can define a policy
http://linotp.org/doc/latest/part-management/policy/authentication.html
to determine, if fixed part should be

a) the otp pin given to the token
b) the password of the useridresolver
c) nothing/empty.

> - Using the passwdresolver, and not set an OTP-PIN the <fixedpassword> should be checked against passwd.
The policy definition decides what will be done.
> - How can I change the "style=1" value in pam_linotp so I can see in pam logs what is the password sent to the linotp server?
The style=1 is PAM internal - not pam_linotp! It does not define the
communication between pam_linotp and LinOTP but the echo of the letters
being typed.

Kind regards
Cornelius
>
> Can the above be set?
>
>
> thanks in advance,
> Alex
>


alext...@gmail.com
Feb 10, 2014, 10:21:34 AM
to lin...@googlegroups.com
I have configured a policy according to this http://linotp.org/doc/latest/part-management/policy/authentication.html#otp-pin-variants and thanks for this tip...

I gave values like:

Policy name: noPIN
Scope: authentication
Action: otppin=1 (the doc says it should check the passwd file)
User: <nothing here>
Realm: local (this is the name I gave to it at the first place)
Client: <nothing here>
Time: <nothing here>

also checked the "active" checkbox, so in the list there is "Active 1".

But the validation interface (.../validate/check?...) comes with:

"error": {"message": "validate/check failed: Sorry, currently no support for shadow passwords","code": -311}

should I specify something more?

Alex

Cornelius Kölbel
Feb 10, 2014, 10:24:54 AM
to lin...@googlegroups.com
Hi Alex,

if you want to use passwords from a users file, you need to create a new
users file.
It will not work with /etc/passwd, since the passwords are located in
/etc/shadow.

use the tool

linotp-create-pwidresolver-user

kind regards
Cornelius

On 10.02.2014 13:52, alext...@gmail.com wrote:

alext...@gmail.com
Feb 11, 2014, 6:28:53 AM
to lin...@googlegroups.com
Hi Cornelius,

reading the man page of linotp-create-pwidresolver-user I created a passwd file for a user:

linotp-create-pwidresolver-user -u username -i uid -p password > passwd-file

Then created a new useridresolver based on this file and a new realm as well.
In the policy settings :

Policy name: noPIN
Scope: authentication
Action: otppin=1

User: <nothing here>
Realm: test


Client: <nothing here>
Time: <nothing here>

The /validate/check interface returned "true" only when I provided the realm (&realm=test&...) or when I set this realm as default.


By the way, is there a way to create the password file for more than one user, like copying the local users from passwd?

regards,
Alex

Cornelius Kölbel
Feb 11, 2014, 8:29:46 AM
to lin...@googlegroups.com
Hi Alex,

On 11.02.2014 12:28, alext...@gmail.com wrote:
> Hi Cornelius,
>
> reading the man page of linotp-create-pwidresolver-user I created a passwd file for a user:
>
> linotp-create-pwidresolver-user -u username -i uid -p password > passwd-file
>
> Then created a new useridresolver based on this file and a new realm as well.
> In the policy settings :
>
> Policy name: noPIN
> Scope: authentication
> Action: otppin=1
> User: <nothing here>
> Realm: test
> Client: <nothing here>
> Time: <nothing here>
>
> The /validate/check interface returned "true" only when I provided the realm (&realm=test&...) or when I set this realm as default.
this is the way it is supposed to work.
>
>
> By the way, is there a way to create the password file for more than one user, like copying the local users from passwd?
You can pipe all users:

linotp-create-pwidresolver-user -u username2 -i uid -p password2 >> passwd-file

or you could add all users from /etc/passwd...
...but without password:

cat /etc/passwd >> passwd-file

Kind regards
Cornelius


>
> regards,

wism...@gmail.com
May 31, 2015, 11:51:28 PM
to lin...@googlegroups.com, alext...@gmail.com
On Monday, February 10, 2014 at 5:05:03 PM UTC+8, alext...@gmail.com wrote:
Hello, I have a question about how to configure my openvpn with the openvpn-auth-ldap plugin and the google-authenticator pam module to authenticate.

hope for Help
Thank you,
wismartzy

mirko....@lsexperts.de
Jun 1, 2015, 5:42:06 AM
to lin...@googlegroups.com
Hello wismartzy,

there are several PAM based ways to authenticate your VPN server against LDAP and verify the OTP with LinOTP:

* you can stack pam_ldap and pam_linotp
* you can connect LinOTP to your LDAP server and only use pam_linotp for both checks
* you could use a RADIUS server, which asks LinOTP for the correctness of the LDAP password and the OTP

In addition you probably have to make changes to your VPN configuration. In any case you don't need the google-authenticator PAM module for LinOTP.

For a detailed authentication setup for LinOTP and VPN please consult:

http://www.linotp.org/howtos/howto-openvpn.html

If you encounter any problems or if you have questions, please ask again.

Mirko Ahnert

--
Mirko Ahnert
LSE Leading Security Experts GmbH, http://www.lsexperts.de
Postfach 100121, 64201 Darmstadt, Germany
Zentrale: +49 6151 86086-0 , Fax: -299
Support Hotline: +49 6151 86086-115
Unternehmenssitz: Weiterstadt Amtsgericht Darmstadt: HRB8649
Geschäftsführer: Oliver Michel, Sven Walther

wism...@gmail.com
Jun 1, 2015, 7:01:01 AM
to lin...@googlegroups.com, mirko....@lsexperts.de
On Monday, June 1, 2015 at 5:42:06 PM UTC+8, mirko....@lsexperts.de wrote:
Hi Mirko,

Thanks for your detailed advice.

The current situation is: I have my openvpn authenticated by the openvpn-auth-ldap plugin, and now I want to add 2-step verification (google-authenticator) to my openvpn, but I don't know how to do it.

Anyway, thanks for your help again, I will have a try with LinOTP.

wismartzy