rooty/yubico-pam
1
0
Fork 0
mirror of https://github.com/Yubico/yubico-pam.git synced 2025-02-20 21:54:16 +01:00
Code Issues Projects Releases Wiki Activity

Update YubiKey_and_OpenVPN_via_PAM.adoc

Browse Source
This commit is contained in:
Henrik Stråth 2014-10-29 16:57:27 +01:00
parent ccaa679f48
commit 1058a07eee
1 changed files with 20 additions and 22 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

42
doc/YubiKey_and_OpenVPN_via_PAM.adoc
View File

@ -9,13 +9,14 @@ Prerequisites
Successful configuration of the Yubico PAM module to support two factor authentication for OpenVPN has the following prerequisites:
* Operating System: Any Unix operating system which supports PAM (Pluggable Authentication Module)
(http://www.kernel.org/pub/linux/libs/pam/)
* Complier : GNU GCC complier (http://gcc.gnu.org/)
* Yubico PAM Module: Yubico PAM Module Version 1.8. (https://developers.yubico.com/yubico-pam/)
* OpenVPN: OpenVPN Version 2.0.9. (http://openvpn.net/index.php/downloads.html)
* FreeRADIUS: FreeRADIUS Version: 1.1.7 or later. (http://freeradius.org/download.html)
* Pam_Radius: pam_radius Version 1.3.17. (ftp://ftp.freeradius.org/pub/radius/pam_radius-1.3.17.tar.gz)
Operating System::
Any Unix operating system which supports
http://www.kernel.org/pub/linux/libs/pam[PAM] (Pluggable Authentication Module)
Complier:: http://gcc.gnu.org[GNU GCC complier]
https://developers.yubico.com/yubico-pam[Yubico PAM Module]:: Version 1.8
http://openvpn.net/index.php/downloads.html[OpenVPN]:: Version 2.0.9.
http://freeradius.org/download.html[FreeRADIUS]: Version 1.1.7 or later.
Pam_Radius:: ftp://ftp.freeradius.org/pub/radius/pam_radius-1.3.17.tar.gz[Version 1.3.17].
Configuration
-------------
@ -26,8 +27,8 @@ A) OpenVPN Configuration without FreeRADIUS support:
In this mode of configuration, OpenVPN server will be authenticating users
by verifying username and users password against system password file
“/etc/passwd” and verifying OTP (one time password generated from YubiKey)
against Yubicos OTP validation server.
`/etc/passwd` and verifying OTP (one time password generated from YubiKey)
against Yubico's OTP validation server.
We assume that OpenVPN server is already installed on the server.
@ -39,9 +40,9 @@ a) Configuration of OpenVPN server to support PAM authentication:
and password authentication:
------
plugin <Absolute path of “openvpn-auth-pam.so” file> <PAM configuration file name for OpenVPN
client-cert-not-required
username-as-common-name
plugin <Absolute path of “openvpn-auth-pam.so” file> <PAM configuration file name for OpenVPN
client-cert-not-required
username-as-common-name
------
(For e.g.: plugin /usr/lib/openvpn/plugin/lib/openvpn-auth-pam.so openvpn)
@ -57,9 +58,7 @@ a) Configuration of OpenVPN server to support PAM authentication:
b) Installation of pam_yubico module:
-------------------------------------
Build instructions for pam_yubico are available in the README:
https://github.com/Yubico/yubico-pam/wiki/ReadMe
Build instructions for pam_yubico are available in its README.
c) Configuration of pam_yubico module:
--------------------------------------
@ -110,9 +109,8 @@ Configuration of modified pam_yubico.so module at administrative level:
-----------------------------------------------------------------------
Append the following line to the beginning of /etc/pam.d/radiusd file:
------
auth required pam_yubico.so id=16 debug authfile=/path/to/mapping/file
------
auth required pam_yubico.so id=16 debug authfile=/path/to/mapping/file
After the above configuration changes, whenever a user connects to the
server using any RADIUS client, the PAM authentication interface will
@ -192,7 +190,7 @@ accordingly.
Please use the following command for testing:
------
[root@testsrv ~]# openvpn /etc/openvpn/client.conf
[root@testsrv ~]# openvpn /etc/openvpn/client.conf
------
OpenVPN client will first prompt for username, enter the username.
@ -241,9 +239,9 @@ in “/etc/openvpn/server.conf “ along with “plugin” directive) and copy
contents to the file:
------
account required pam_radius_auth.so
account required pam_radius_auth.so
auth required pam_radius_auth.so no_warn try_first_pass
account required pam_radius_auth.so
account required pam_radius_auth.so
auth required pam_radius_auth.so no_warn try_first_pass
------
* Create a file “/etc/raddb/server” to configure FreeRADIUS server that is