01 September 2014

OpenVPN with OTP one time password by google authenticator working all the time part 4

5. Testing with pamtester :

We will need a tool named pamtester to debug when working with pam modules.

# yum install pamtester

By default, the Linux PAM package is installed with a lot of services :

# ls /etc/pam.d/
chfn fingerprint-auth password-auth-ac runuser-l smtp sshd sudo-i chsh fingerprint-auth-ac other remote screen smtp.postfix su system-auth config-util login passwd run_init smartcard-auth squid su-l system-auth-ac crond newrole password-auth runuser smartcard-auth-ac ssh-keycat sudo vsftpd

Use pamtester to authenticate alice against the login service :

# pamtester login alice authenticate
Password: 123456
pamtester: successfully authenticated

Now we need to create a new PAM service for our OpenVPN server :

# vim /etc/pam.d/openvpn
auth requisite pam_google_authenticator.so forward_pass
auth required pam_unix.so use_first_pass

Try to authenticate alice again, this time using the openvpn service :

# pamtester openvpn alice authenticate
Password & verification code: 123456 + [6 digits one time password]
pamtester: successfully authenticated

So the Google libpam module works properly. Alice can now be authenticated with a one-time password.

Notice : Make sure that the server date and time are correct; whether the time-based one-time password works properly depends on it.

To update the server date time using ntp :

# ntpdate pool.ntp.org
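
The effect of clock drift on this check, as an added Python example (not part of the original post and not the module's own code): it computes RFC 6238 codes and splits the single "password + code" input used with forward_pass on this page. The 30-second step, the acceptance of one step either side of the server's current step, the function names and the RFC test key are assumptions of the example.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds per TOTP time step (assumed)
DIGITS = 6   # code length, as entered on this page
RFC_TEST_KEY = b"12345678901234567890"  # RFC 6238 test key, not a real secret


def code_for_step(secret, step):
    """HOTP (RFC 4226) value for one counter, using HMAC-SHA1."""
    mac = hmac.new(secret, struct.pack(">Q", step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def totp(secret, unix_time):
    """TOTP (RFC 6238): the HOTP counter is the current time step."""
    return code_for_step(secret, unix_time // STEP)


def split_credential(entered):
    """Split 'password + code' typed at one prompt: the last DIGITS are the code."""
    password, code = entered[:-DIGITS], entered[-DIGITS:]
    if not password or not (code.isascii() and code.isdigit()):
        raise ValueError("expected a password followed by a 6-digit code")
    return password, code


def verify(secret, entered, server_time, window=1):
    """Return the password part if the code matches within +/- window steps, else None."""
    password, code = split_credential(entered)
    now = server_time // STEP
    for step in range(max(0, now - window), now + window + 1):
        if hmac.compare_digest(code_for_step(secret, step), code):
            return password  # the part left for the next PAM module to check
    return None


if __name__ == "__main__":
    client_time = 59  # constructed: the client's clock when the code was generated
    entered = "123456" + totp(RFC_TEST_KEY, client_time)
    for skew in (0, 25, 120):  # seconds the server clock is ahead of the client
        ok = verify(RFC_TEST_KEY, entered, client_time + skew) is not None
        print("server ahead by %3ds -> %s" % (skew, "accepted" if ok else "rejected"))
```

With these assumptions a server clock 120 seconds ahead rejects a code that is still valid on the client, which is the failure the ntpdate step prevents.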

6. Integrate google libpam module with OpenVPN server :

The OpenVPN package is installed with a sample auth script written in Perl named auth-pam.pl; we will use this script to call the openvpn PAM service.

Copy the script to openvpn config dir :

# cp /usr/share/doc/openvpn-2.3.4/sample/sample-scripts/auth-pam.pl /etc/openvpn/ 

Make sure the script can be executed :

# chmod 755 /etc/openvpn/auth-pam.pl

This script depends on the perl-Authen-PAM module :

# yum install perl-Authen-PAM

By default, the auth-pam.pl script calls the PAM login service, so we need to change the service from login to openvpn :

# vim /etc/openvpn/auth-pam.pl
... ... ...
# Identify service type to PAM
$service = "openvpn";
... ... ...

Append the new config to openvpn.conf so that it uses auth-pam.pl :

# vim /etc/openvpn/openvpn.conf
... ... ...
auth-user-pass-verify auth-pam.pl via-file
script-security 2

Restart the service to apply the change :

# /etc/init.d/openvpn restart

7. Connect from client (Alice)

Alice needs to append the auth-user-pass directive to her alice.ovpn in order to provide a username / password when connecting.

# vim alice.ovpn
... ... ...
auth-user-pass

Connecting from linux client :

# openvpn --config alice.ovpn

Enter Auth Username: alice
Enter Auth Password: 123456 + [6 digits one time password]
... ... ...
Mon Sep  1 12:14:05 2014 [vpn.tipstuff.org] Peer Connection Initiated with [AF_INET]
Mon Sep  1 12:14:08 2014 TUN/TAP device tun0 opened
Mon Sep  1 12:14:08 2014 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Mon Sep  1 12:14:08 2014 /sbin/ip link set dev tun0 up mtu 1500
Mon Sep  1 12:14:08 2014 /sbin/ip addr add dev tun0 local peer
Mon Sep  1 12:14:08 2014 Initialization Sequence Completed

Alice has successfully connected to the VPN server using a client certificate and a one-time password, with Google Authenticator as the software token.

That's it.