5. Testing with pamtester:
We will need a tool named pamtester to debug PAM services without going through the real application.
# yum install pamtester
# ls /etc/pam.d/
chfn fingerprint-auth password-auth-ac runuser-l smtp sshd sudo-i chsh fingerprint-auth-ac other remote screen smtp.postfix su system-auth config-util login passwd run_init smartcard-auth squid su-l system-auth-ac crond newrole password-auth runuser smartcard-auth-ac ssh-keycat sudo vsftpd
Use pamtester to authenticate alice with the login service:
# pamtester login alice authenticate
Password: 123456
pamtester: successfully authenticated
Now create a new PAM service for the OpenVPN server. With requisite, a wrong verification code aborts the stack immediately; forward_pass strips the code off the end of what the user typed and hands the remaining password to pam_unix, which accepts it because of use_first_pass:
# vim /etc/pam.d/openvpn
auth requisite pam_google_authenticator.so forward_pass
auth required pam_unix.so use_first_pass
Authenticate alice again, this time with the openvpn service:
# pamtester openvpn alice authenticate
Password & verification code: 123456 + [6 digits one time password]
pamtester: successfully authenticated
The Google libpam module works: Alice can now be authenticated with her password plus a one-time password.
Notice: make sure the server's date and time are correct. Time-based one-time passwords only validate when the server clock agrees with the client's clock to within the module's allowed skew.
To update the server date and time using NTP:
# ntpdate pool.ntp.org
6. Integrate the Google libpam module with the OpenVPN server:
The OpenVPN package ships with a sample auth script written in Perl named auth-pam.pl; we will use this script to call the openvpn PAM service.
Copy the script to the OpenVPN config dir:
# cp /usr/share/doc/openvpn-2.3.4/sample/sample-scripts/auth-pam.pl /etc/openvpn/
Make sure the script is executable:
# chmod 755 /etc/openvpn/auth-pam.pl
This script depends on the perl-Authen-PAM module:
# yum install perl-Authen-PAM
By default, auth-pam.pl calls the login PAM service, so change it to the openvpn service:
# vim /etc/openvpn/auth-pam.pl
... ... ...
# Identify service type to PAM
$service = "openvpn";
... ... ...
Append the following to openvpn.conf so that OpenVPN passes each client's username and password to auth-pam.pl (via-file means the two values are written to a temporary file whose path is the script's argument):
# vim /etc/openvpn/openvpn.conf
... ... ...
auth-user-pass-verify auth-pam.pl via-file
script-security 2
Restart the service to apply the changes:
# /etc/init.d/openvpn restart
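To show what the pieces above actually do when they run together, here is an added Python example (not part of this post and not the google-authenticator or OpenVPN code) that models the server-side check: it parses the two-line credential file OpenVPN writes for auth-user-pass-verify via-file, splits the combined "password + 6-digit code" string the way forward_pass does, and verifies the code as an RFC 6238 TOTP over HMAC-SHA1, the scheme google-authenticator uses. The split rule (last six digits are the code) is a simplification of the real module's logic, the user table and base32 secret are constructed for the demo, and the secret is the RFC 6238 test-vector key so the expected codes are known.

```python
import base64
import hashlib
import hmac
import struct

OTP_DIGITS = 6
TOTP_STEP = 30

# Constructed demo data: RFC 6238 test-vector key "12345678901234567890" in base32.
DEMO_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
DEMO_USERS = {"alice": {"password": "123456", "secret": DEMO_SECRET}}


def totp(secret_b32, for_time, step=TOTP_STEP, digits=OTP_DIGITS):
    """RFC 6238 TOTP with HMAC-SHA1 over the 30-second counter."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = int(for_time) // step
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret_b32, code, now, window=1, step=TOTP_STEP):
    """Accept the code for the current step or +/- `window` steps of clock skew.
    This is why the server clock must be right: a skew beyond the window rejects
    every valid code."""
    for skew in range(-window, window + 1):
        expected = totp(secret_b32, now + skew * step, step)
        if hmac.compare_digest(expected, code):
            return True
    return False


def split_forward_pass(combined, digits=OTP_DIGITS):
    """Simplified forward_pass convention (assumption for this demo): the last
    `digits` characters are the verification code, the rest is the static
    password that pam_unix sees through use_first_pass."""
    if len(combined) <= digits or not combined[-digits:].isdigit():
        return None
    return combined[:-digits], combined[-digits:]


def parse_via_file(contents):
    """auth-user-pass-verify ... via-file: line 1 is the username, line 2 the
    password exactly as the client typed it."""
    lines = contents.splitlines()
    if len(lines) < 2 or not lines[0]:
        return None
    return lines[0], lines[1]


def check_login(via_file_contents, users, now):
    """Return True only when both the static password and the TOTP are valid."""
    parsed = parse_via_file(via_file_contents)
    if parsed is None:
        return False
    username, combined = parsed
    user = users.get(username)
    parts = split_forward_pass(combined)
    if user is None or parts is None:
        return False
    static_pw, otp = parts
    # Evaluate both factors before deciding, so the outcome does not reveal
    # which factor failed.
    pw_ok = hmac.compare_digest(static_pw, user["password"])
    otp_ok = verify_totp(user["secret"], otp, now)
    return pw_ok and otp_ok


if __name__ == "__main__":
    # At t=59 the RFC 6238 vector key yields code 287082 (counter 1).
    now = 59
    good = "alice\n123456" + totp(DEMO_SECRET, now) + "\n"  # constructed via-file
    print("good login:", check_login(good, DEMO_USERS, now))
    print("wrong code:", check_login("alice\n123456000000\n", DEMO_USERS, now))
    print("no code   :", check_login("alice\n123456\n", DEMO_USERS, now))
```

Running it prints True for the first case and False for the other two. The same functions make the clock warning concrete: calling verify_totp with a `now` a few minutes away from the time the code was generated returns False, which is exactly what a client sees when the server's NTP sync has drifted.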
7. Connect from the client (Alice)
Alice needs to add the auth-user-pass directive to her alice.ovpn so that she is prompted for a username and password when connecting.
# vim alice.ovpn
... ... ...
auth-user-pass
Connecting from a Linux client:
# openvpn --config alice.ovpn
Enter Auth Username: alice
Enter Auth Password: 123456 + [6 digits one time password]
... ... ...
Mon Sep 1 12:14:05 2014 [vpn.tipstuff.org] Peer Connection Initiated with [AF_INET]192.168.1.16:443
Mon Sep 1 12:14:08 2014 TUN/TAP device tun0 opened
Mon Sep 1 12:14:08 2014 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Mon Sep 1 12:14:08 2014 /sbin/ip link set dev tun0 up mtu 1500
Mon Sep 1 12:14:08 2014 /sbin/ip addr add dev tun0 local 10.0.0.6 peer 10.0.0.5
Mon Sep 1 12:14:08 2014 Initialization Sequence Completed
Alice has successfully connected to the VPN server using her client certificate and a one-time password, with Google Authenticator as the software token.
That's it.