mirror of https://github.com/Yubico/yubico-pam.git synced 2025-02-22 00:54:30 +01:00

Update YubiKey_and_OpenVPN_via_PAM.adoc

This commit is contained in:
Henrik Stråth 2014-10-29 16:57:27 +01:00
parent ccaa679f48
commit 1058a07eee


@ -9,13 +9,14 @@ Prerequisites
Successful configuration of the Yubico PAM module to support two factor authentication for OpenVPN has the following prerequisites: Successful configuration of the Yubico PAM module to support two factor authentication for OpenVPN has the following prerequisites:
* Operating System: Any Unix operating system which supports PAM (Pluggable Authentication Module) Operating System::
(http://www.kernel.org/pub/linux/libs/pam/) Any Unix operating system which supports
* Complier : GNU GCC complier (http://gcc.gnu.org/) http://www.kernel.org/pub/linux/libs/pam[PAM] (Pluggable Authentication Module)
* Yubico PAM Module: Yubico PAM Module Version 1.8. (https://developers.yubico.com/yubico-pam/) Complier:: http://gcc.gnu.org[GNU GCC complier]
* OpenVPN: OpenVPN Version 2.0.9. (http://openvpn.net/index.php/downloads.html) https://developers.yubico.com/yubico-pam[Yubico PAM Module]:: Version 1.8
* FreeRADIUS: FreeRADIUS Version: 1.1.7 or later. (http://freeradius.org/download.html) http://openvpn.net/index.php/downloads.html[OpenVPN]:: Version 2.0.9.
* Pam_Radius: pam_radius Version 1.3.17. (ftp://ftp.freeradius.org/pub/radius/pam_radius-1.3.17.tar.gz) http://freeradius.org/download.html[FreeRADIUS]: Version 1.1.7 or later.
Pam_Radius:: ftp://ftp.freeradius.org/pub/radius/pam_radius-1.3.17.tar.gz[Version 1.3.17].
Configuration Configuration
------------- -------------
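Review bot: the new labeled list carries two defects over from the bullet version. "Complier" (both in the label `Complier::` and in the link text `[GNU GCC complier]`) should read "Compiler", and the FreeRADIUS entry uses a single colon (`http://freeradius.org/download.html[FreeRADIUS]: Version 1.1.7 or later.`) where every other item uses the `::` labeled-list separator, so that line will not render as a list item alongside the others; change it to `...[FreeRADIUS]:: Version 1.1.7 or later.`. While touching these lines it would also help readers to say whether the pinned versions (pam_yubico 1.8, OpenVPN 2.0.9, pam_radius 1.3.17) are minimums or the exact versions the walkthrough was tested with.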
@ -26,8 +27,8 @@ A) OpenVPN Configuration without FreeRADIUS support:
In this mode of configuration, OpenVPN server will be authenticating users In this mode of configuration, OpenVPN server will be authenticating users
by verifying username and users password against system password file by verifying username and users password against system password file
“/etc/passwd” and verifying OTP (one time password generated from YubiKey) `/etc/passwd` and verifying OTP (one time password generated from YubiKey)
against Yubicos OTP validation server. against Yubico's OTP validation server.
We assume that OpenVPN server is already installed on the server. We assume that OpenVPN server is already installed on the server.
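Review bot: the quote and apostrophe cleanup is fine, but the unchanged context line directly above still reads "username and users password"; since the hunk is already normalising this paragraph, "user's password" should be fixed in the same change so the sentence does not need a second pass.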
@ -39,9 +40,9 @@ a) Configuration of OpenVPN server to support PAM authentication:
and password authentication: and password authentication:
------ ------
plugin <Absolute path of “openvpn-auth-pam.so” file> <PAM configuration file name for OpenVPN plugin <Absolute path of “openvpn-auth-pam.so” file> <PAM configuration file name for OpenVPN
client-cert-not-required client-cert-not-required
username-as-common-name username-as-common-name
------ ------
(For e.g.: plugin /usr/lib/openvpn/plugin/lib/openvpn-auth-pam.so openvpn) (For e.g.: plugin /usr/lib/openvpn/plugin/lib/openvpn-auth-pam.so openvpn)
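Review bot: this hunk still shows the typographic quotes in `plugin <Absolute path of “openvpn-auth-pam.so” file>`, while the previous hunk converted the same style of quoted path (`/etc/passwd`) to backticks; the placeholder should be converted the same way for consistency. Separately, the `client-cert-not-required` line deserves a one-sentence note in the surrounding text that it turns off client-certificate verification, so once it is set the only things protecting the VPN login are the system password and the YubiKey OTP checked through PAM; an administrator copying this block should know that trade-off is being made.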
@ -57,9 +58,7 @@ a) Configuration of OpenVPN server to support PAM authentication:
b) Installation of pam_yubico module: b) Installation of pam_yubico module:
------------------------------------- -------------------------------------
Build instructions for pam_yubico are available in the README: Build instructions for pam_yubico are available in its README.
https://github.com/Yubico/yubico-pam/wiki/ReadMe
c) Configuration of pam_yubico module: c) Configuration of pam_yubico module:
-------------------------------------- --------------------------------------
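Review bot: replacing "available in the README:" plus the URL `https://github.com/Yubico/yubico-pam/wiki/ReadMe` with "available in its README." drops the only pointer to the build instructions. The rest of this document already uses the inline link form (`http://gcc.gnu.org[GNU GCC complier]`), so if the wiki URL was wrong or obsolete the sentence should carry a replacement link in that form rather than leaving readers to search for the file.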
@ -110,9 +109,8 @@ Configuration of modified pam_yubico.so module at administrative level:
----------------------------------------------------------------------- -----------------------------------------------------------------------
Append the following line to the beginning of /etc/pam.d/radiusd file: Append the following line to the beginning of /etc/pam.d/radiusd file:
------
auth required pam_yubico.so id=16 debug authfile=/path/to/mapping/file auth required pam_yubico.so id=16 debug authfile=/path/to/mapping/file
------
After the above configuration changes, whenever a user connects to the After the above configuration changes, whenever a user connects to the
server using any RADIUS client, the PAM authentication interface will server using any RADIUS client, the PAM authentication interface will
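Review bot: wrapping the PAM line in `------` fences is the right call, but the instruction above it still says "Append the following line to the beginning of /etc/pam.d/radiusd", which is self-contradictory (append means the end, and for the OTP check to run first it must be the first `auth` line); reword it to "Add the following line at the beginning of ...". The fenced line itself, `auth required pam_yubico.so id=16 debug authfile=/path/to/mapping/file`, also hard-codes `debug` and a sample `id=16`; the text should say that `id` is a placeholder for the administrator's own API client ID and that `debug` is a diagnostics option to drop once the setup is working, since it is being presented as the line to copy into a production RADIUS PAM stack.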
@ -192,7 +190,7 @@ accordingly.
Please use the following command for testing: Please use the following command for testing:
------ ------
[root@testsrv ~]# openvpn /etc/openvpn/client.conf [root@testsrv ~]# openvpn /etc/openvpn/client.conf
------ ------
OpenVPN client will first prompt for username, enter the username. OpenVPN client will first prompt for username, enter the username.
@ -241,9 +239,9 @@ in “/etc/openvpn/server.conf “ along with “plugin” directive) and copy
contents to the file: contents to the file:
------ ------
account required pam_radius_auth.so account required pam_radius_auth.so
account required pam_radius_auth.so account required pam_radius_auth.so
auth required pam_radius_auth.so no_warn try_first_pass auth required pam_radius_auth.so no_warn try_first_pass
------ ------
* Create a file “/etc/raddb/server” to configure FreeRADIUS server that is * Create a file “/etc/raddb/server” to configure FreeRADIUS server that is
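Review bot: the fenced PAM fragment lists `account required pam_radius_auth.so` twice; the second copy is a duplicate that should be removed, otherwise the account check runs twice against the RADIUS server for every login. With that fixed the block reduces to `account required pam_radius_auth.so` followed by `auth required pam_radius_auth.so no_warn try_first_pass`.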