openvpn-auth-pam
SYNOPSIS
The openvpn-auth-pam module implements username/password
authentication via PAM, and essentially allows any authentication
method supported by PAM (such as LDAP, RADIUS, or Linux Shadow
passwords) to be used with OpenVPN. While PAM supports
username/password authentication, this can be combined with X509
certificates to provide two independent levels of authentication.
This module uses a split privilege execution model which will
function even if you drop openvpn daemon privileges using the user,
group, or chroot directives.
BUILD
To build openvpn-auth-pam, you will need to have the pam-devel
package installed.
Build with the "make" command. The module will be named
openvpn-auth-pam.so
USAGE
To use this plugin module, add to your OpenVPN config file:
plugin openvpn-auth-pam.so service-type
The required service-type parameter corresponds to
the PAM service definition file usually found
in /etc/pam.d.
This plugin also supports the usage of a list of name/value
pairs to answer PAM module queries.
For example:
plugin openvpn-auth-pam.so "login login USERNAME password PASSWORD pin OTP"
tells auth-pam to (a) use the "login" PAM module, (b) answer a
"login" query with the username given by the OpenVPN client,
(c) answer a "password" query with the password, and (d) answer a
"pin" query with the OTP given by the OpenVPN client.
This provides flexibility in dealing with different
types of query strings which different PAM modules might generate.
For example, suppose you were using a PAM module called
"test" which queried for "name" rather than "login":
plugin openvpn-auth-pam.so "test name USERNAME password PASSWORD"
While "USERNAME", "COMMONNAME", "PASSWORD" and "OTP" are special strings which substitute
to client-supplied values, it is also possible to name literal values
to use as PAM module query responses. For example, suppose that the
login module queried for a third parameter, "domain" which
is to be answered with the constant value "mydomain.com":
plugin openvpn-auth-pam.so "login login USERNAME password PASSWORD domain mydomain.com"
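As an added illustration (not code from the OpenVPN project or the plugin itself), the following Python models how such a directive is parsed and how its name/value pairs, with the special strings substituted by client-supplied values, answer the queries a PAM module issues. The matching rule (case-insensitive prefix match on the prompt with punctuation trimmed), the function names and the sample client values are assumptions, not taken from the plugin source.

```python
# Model of an openvpn-auth-pam plugin directive answering PAM queries.
# Illustrative code only; matching rule and names are assumptions.
import shlex

# Special strings the README says are replaced by client-supplied values.
SPECIAL = {"USERNAME", "PASSWORD", "COMMONNAME", "OTP"}


def parse_directive(arg):
    """Split 'service name value name value ...' into (service, {name: value})."""
    tokens = shlex.split(arg)
    if len(tokens) % 2 == 0:
        raise ValueError("expected a service name followed by name/value pairs")
    service, rest = tokens[0], tokens[1:]
    return service, dict(zip(rest[0::2], rest[1::2]))


def _normalize(query):
    # PAM prompts look like "Password: " or "login:"; trim whitespace and the
    # trailing colon so the configured name can be compared as a prefix.
    return query.strip(" \t\r\n").rstrip(" \t\r\n:").lower()


def answer_queries(arg, queries, client):
    """Return one response per PAM query, or None if any query is unanswerable.

    `client` maps USERNAME/PASSWORD/COMMONNAME/OTP to values sent by the
    connecting client (OTP is only present when --static-challenge is used).
    """
    _, pairs = parse_directive(arg)
    responses = []
    for query in queries:
        prompt = _normalize(query)
        for name, value in pairs.items():
            if prompt.startswith(name.lower()):  # assumed matching rule
                answer = client.get(value) if value in SPECIAL else value
                if answer is None:
                    return None  # client never supplied this value: deny
                responses.append(answer)
                break
        else:
            return None  # no configured pair matches this query: deny
    return responses


if __name__ == "__main__":
    # Constructed sample client values, not real credentials.
    sample = {"USERNAME": "alice", "PASSWORD": "s3cret", "COMMONNAME": "alice-laptop"}
    arg = 'login login USERNAME password PASSWORD domain mydomain.com'
    print(answer_queries(arg, ["login: ", "Password: ", "Domain: "], sample))
```

Unanswered queries return None rather than a guess, which is the behaviour a defender wants: a PAM module that asks something the directive does not cover fails closed.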
The following OpenVPN directives can also influence
the operation of this plugin:
client-cert-not-required
username-as-common-name
static-challenge
Use of --static-challenge is required to pass a pin (represented by "OTP" in
parameter substitution) or a second password.
Run OpenVPN with --verb 7 or higher to get debugging output from
this plugin, including the list of queries presented by the
underlying PAM module. This is a useful debugging tool to figure
out which queries a given PAM module is making, so that you can
craft the appropriate plugin directive to answer it.
CAVEATS
This module will only work on *nix systems which support PAM,
not Windows.