Yeah, I found some of this info upon some additional google searching, it's
unfortunate. Is there any way to support simply appending the OTP onto the
password - I know it used to work this way for SSH in previous C7 versions
- can straight LDAP binds validate the OTP, or am I stuck with trying to
figure out how to make Radius work if I want this. I'm pretty new to using
2FA in FreeIPA, so I'm not sure what is available.
Jeremy
On Wed, Oct 18, 2017 at 3:21 PM, Alexander Bokovoy <abokovoy(a)redhat.com> wrote:
On Wed, 18 Oct 2017, Jeremy Utley via FreeIPA-users wrote:
> Hello all!
>
> In the process of changing to a FreeIPA based authentication system for a
> part of our network. FreeIPA is set up, working beautifully for most
> things already. Right now, we're trying to convert our old jump hosts from
> C6+OpenLDAP+Vasco OTP devices to a new C7+FreeIPA+Yubikey setup. The way
> this setup currently works is that the user creates a VPN connection to the
> jump host (using OpenVPN and static VPN keys), logs into the jump via SSH
> over the VPN tunnel with the Vasco OTP password, then can move from there
> to other machines on the network with only password.
>
> As part of the transition to the new setup, I wanted to change to having
> OpenVPN authenticate against FreeIPA using the openvpn pam plugin. This
> was working fine when using just passwords, OpenVPN prompted for the
> Username and Password and connected, so the basic idea seems to work. But
> as soon as I enabled the first user with the Yubikey 2FA, the OpenVPN
> server will no longer authenticate him when using Password+Yubikey value.
> However, that user can authenticate to the FreeIPA web interface
> successfully with the Yubikey, as well as SSH to the machine running
> Openvpn (tested by using the old setup and jumping to the new hosts).
>
> As I understand it, using the OpenVPN PAM module should allow it to auth
> just like SSH does, so I'm puzzled why this is failing as it does. I
> created the OpenVPN PAM configuration file by copying /etc/pam.d/login to
> /etc/pam.d/openvpn, as well as adding the new openvpn service to FreeIPA
> and granting the user access to it (of course, as the user is allowed to
> connect when OTP is not enabled).
>
> Has anyone done a similar setup before, and have any ideas where I went
> wrong? I'd like to have this working for added security on our VPN
> connections.
>
OpenVPN's pam authentication plugin does not properly implement support
for multiple prompts which pam_sss produces in case of 2FA. It only
supports single password request. See code in
https://github.com/OpenVPN/openvpn/blob/master/src/plugins/auth-pam/auth-pam.c#L509
SSSD has support for such behavior in sshd but the service name is
literally hard-coded.
https://pagure.io/SSSD/sssd/blob/master/f/src/sss_client/pam_sss.c#_1413
There are tickets to track the latter part in SSSD:
https://pagure.io/SSSD/sssd/issue/3438 and
https://pagure.io/SSSD/sssd/issue/3264. Patches are welcome.
As to openvpn itself, there is a little problem that afaik openvpn
doesn't have a mechanism to negotiate multiple prompts with its client.
--
/ Alexander Bokovoy
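The single-prompt versus multi-prompt point Alexander makes above, as an added C example that is not OpenVPN's or SSSD's code: it models the PAM conversation callback (same signature and the Linux-PAM constant values, with stand-in struct definitions so it builds without PAM headers installed) and runs two versions of it against a simulated one-prompt password module and a simulated two-prompt module that asks for each factor separately. The prompt strings, the sample password and the sample OTP are constructed; the two-prompt module only stands in for the separate-factor prompting described in the thread and does not reproduce pam_sss's actual logic.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-ins for the libpam types and constants this example needs, using the
 * values Linux-PAM defines, so it compiles without <security/pam_appl.h>. */
#define PAM_PROMPT_ECHO_OFF 1
#define PAM_SUCCESS         0
#define PAM_AUTH_ERR        7
#define PAM_CONV_ERR        19

struct pam_message  { int msg_style; const char *msg; };
struct pam_response { char *resp; int resp_retcode; };

typedef int (*conv_fn)(int num_msg, const struct pam_message **msg,
                       struct pam_response **resp, void *appdata_ptr);

/* Constructed sample credentials that the simulated modules expect. */
#define EXPECT_PW  "s3cret"
#define EXPECT_OTP "123456"

/* What the client application holds while the PAM stack runs. */
struct creds {
    const char *password;
    const char *otp;        /* NULL when the user has no token */
    int hidden_prompts;     /* hidden (echo-off) prompts answered so far */
};

static char *dup_str(const char *s)
{
    size_t n = strlen(s) + 1;
    char *d = malloc(n);
    if (d) memcpy(d, s, n);
    return d;
}

/* Conversation A: answer every hidden prompt with the whole password. This is
 * the "single password request" behaviour described in the thread. */
static int single_password_conv(int num_msg, const struct pam_message **msg,
                                struct pam_response **resp, void *appdata_ptr)
{
    struct creds *c = appdata_ptr;
    struct pam_response *r = calloc((size_t)num_msg, sizeof *r);
    if (!r) return PAM_CONV_ERR;
    for (int i = 0; i < num_msg; i++) {
        if (msg[i]->msg_style != PAM_PROMPT_ECHO_OFF) continue;
        r[i].resp = dup_str(c->password);
        c->hidden_prompts++;
    }
    *resp = r;
    return PAM_SUCCESS;
}

/* Conversation B: hand out the factors in prompt order, password first and
 * OTP second, and fail the conversation rather than guess at a third prompt. */
static int multi_factor_conv(int num_msg, const struct pam_message **msg,
                             struct pam_response **resp, void *appdata_ptr)
{
    struct creds *c = appdata_ptr;
    struct pam_response *r = calloc((size_t)num_msg, sizeof *r);
    if (!r) return PAM_CONV_ERR;
    for (int i = 0; i < num_msg; i++) {
        if (msg[i]->msg_style != PAM_PROMPT_ECHO_OFF) continue;
        const char *answer = NULL;
        if (c->hidden_prompts == 0) answer = c->password;
        else if (c->hidden_prompts == 1) answer = c->otp;
        if (!answer) {
            for (int j = 0; j < i; j++) free(r[j].resp);
            free(r);
            return PAM_CONV_ERR;
        }
        r[i].resp = dup_str(answer);
        c->hidden_prompts++;
    }
    *resp = r;
    return PAM_SUCCESS;
}

/* Simulated module side: issue one hidden prompt and compare the answer. */
static int ask(conv_fn conv, void *appdata, const char *prompt, const char *expect)
{
    struct pam_message m = { PAM_PROMPT_ECHO_OFF, prompt };
    const struct pam_message *mp = &m;
    struct pam_response *r = NULL;
    if (conv(1, &mp, &r, appdata) != PAM_SUCCESS || !r) return PAM_AUTH_ERR;
    int ok = r->resp && strcmp(r->resp, expect) == 0;
    free(r->resp); free(r);
    return ok ? PAM_SUCCESS : PAM_AUTH_ERR;
}

/* Run a simulated stack: a one-prompt password module, or a two-prompt module
 * that asks for each factor separately (prompt texts are constructed).
 * multi_conv selects conversation B instead of A. Returns a PAM status. */
int authenticate(int two_factor, int multi_conv, const char *pw, const char *otp)
{
    struct creds c = { pw, otp, 0 };
    conv_fn conv = multi_conv ? multi_factor_conv : single_password_conv;
    if (!two_factor)
        return ask(conv, &c, "Password: ", EXPECT_PW);
    if (ask(conv, &c, "First Factor: ", EXPECT_PW) != PAM_SUCCESS)
        return PAM_AUTH_ERR;
    return ask(conv, &c, "Second Factor: ", EXPECT_OTP);
}

int main(void)
{
    printf("password-only module, conversation A: %d\n", authenticate(0, 0, EXPECT_PW, NULL));
    printf("two-factor module,    conversation A: %d\n", authenticate(1, 0, EXPECT_PW, EXPECT_OTP));
    printf("two-factor module,    conversation B: %d\n", authenticate(1, 1, EXPECT_PW, EXPECT_OTP));
    return 0;
}
```

Conversation A passes the password-only module but fails the two-factor module, because the second hidden prompt gets the password again instead of the OTP; that is the shape of the failure the thread describes, where the same user succeeds through sshd but not through the VPN's PAM plugin. Conversation B passes both, which is only possible because the client can answer each prompt with a different value, and it returns PAM_CONV_ERR when a prompt arrives that it has no factor for instead of replaying a credential.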