mirror of https://github.com/Yubico/yubico-pam.git synced 2025-03-16 03:29:17 +01:00

Update YubiKey_and_OpenVPN_via_PAM.adoc

This commit is contained in:
Henrik Stråth 2014-10-29 17:15:58 +01:00
parent aed5e4e3c9
commit 5c0c5d7d5a


@ -1,11 +1,9 @@
Introduction == Introduction
------------
The purpose of this document is to guide readers through the configuration steps to use two factor authentication for OpenVPN using YubiKey. This document assumes that the reader has advanced knowledge and experience in Linux system administration, particularly for how PAM authentication mechanism is configured on a Linux platform. The purpose of this document is to guide readers through the configuration steps to use two factor authentication for OpenVPN using YubiKey. This document assumes that the reader has advanced knowledge and experience in Linux system administration, particularly for how PAM authentication mechanism is configured on a Linux platform.
Prerequisites == Prerequisites
-------------
Successful configuration of the Yubico PAM module to support two factor authentication for OpenVPN has the following prerequisites: Successful configuration of the Yubico PAM module to support two factor authentication for OpenVPN has the following prerequisites:
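Review bot: this hunk starts at line 1 with `Introduction`, so the file has no level-0 document title above the new `== Introduction`; now that the sections use `==`, add a `= YubiKey and OpenVPN via PAM` title line (name taken from the file name in the commit message) at the top so the heading hierarchy has a root and asciidoctor renders a proper document title instead of starting at a level-1 section.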
@ -18,12 +16,11 @@ http://openvpn.net/index.php/downloads.html[OpenVPN]:: Version 2.0.9.
http://freeradius.org/download.html[FreeRADIUS]: Version 1.1.7 or later. http://freeradius.org/download.html[FreeRADIUS]: Version 1.1.7 or later.
Pam_Radius:: ftp://ftp.freeradius.org/pub/radius/pam_radius-1.3.17.tar.gz[Version 1.3.17]. Pam_Radius:: ftp://ftp.freeradius.org/pub/radius/pam_radius-1.3.17.tar.gz[Version 1.3.17].
Configuration == Configuration
-------------
There are two ways OpenVPN can be configured to support two factor authentication with YubiKey. There are two ways OpenVPN can be configured to support two factor authentication with YubiKey.
A) OpenVPN Configuration without FreeRADIUS support: === OpenVPN Configuration without FreeRADIUS support:
----------------------------------------------------
In this mode of configuration, OpenVPN server will be authenticating users In this mode of configuration, OpenVPN server will be authenticating users
by verifying username and users password against system password file by verifying username and users password against system password file
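Review bot: the new `=== OpenVPN Configuration without FreeRADIUS support:` keeps its trailing colon, while the matching `=== OpenVPN Configuration with FreeRADIUS support` heading later in this change drops it; drop the colon here (and on the `====` headings converted with a colon in the following hunks) so section titles and their auto-generated anchors are consistent. In the unchanged context of the same hunk, the FreeRADIUS prerequisite uses a single colon (`http://freeradius.org/download.html[FreeRADIUS]: Version 1.1.7 or later.`) while the OpenVPN and Pam_Radius entries use `::`, so it will not render as an item of the same labeled list; change it to `::`.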
@ -32,8 +29,7 @@ against Yubico's OTP validation server.
We assume that OpenVPN server is already installed on the server. We assume that OpenVPN server is already installed on the server.
a) Configuration of OpenVPN server to support PAM authentication: ==== Configuration of OpenVPN server to support PAM authentication:
-----------------------------------------------------------------
* Edit the OpenVPN server configuration file `/etc/openvpn/server.conf` * Edit the OpenVPN server configuration file `/etc/openvpn/server.conf`
to add the following three lines to enable PAM modules for username to add the following three lines to enable PAM modules for username
@ -55,21 +51,18 @@ username-as-common-name
auth-user-pass auth-user-pass
b) Installation of pam_yubico module: ==== Installation of pam_yubico module:
-------------------------------------
Build instructions for pam_yubico are available in its README. Build instructions for pam_yubico are available in its README.
c) Configuration of pam_yubico module: ==== Configuration of pam_yubico module:
--------------------------------------
*) Configuration for user and YubiKey PublicID mapping *) Configuration for user and YubiKey PublicID mapping
There are two ways of user and YubiKey PublicID (token ID) mapping. There are two ways of user and YubiKey PublicID (token ID) mapping.
It can be either done at administrative level or at individual user level. It can be either done at administrative level or at individual user level.
Administrative Level ===== Administrative Level
--------------------
In Administrative level, system administrators hold right to configure In Administrative level, system administrators hold right to configure
the user and YubiKey PublicID mapping. Administrators can achieve this the user and YubiKey PublicID mapping. Administrators can achieve this
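Review bot: `*) Configuration for user and YubiKey PublicID mapping` is left as plain text with its old `*)` marker while the sibling items `b)` and `c)` in this hunk become `====` headings and `Administrative Level` becomes `=====`; either turn it into a heading at the level appropriate for the `Administrative Level` / `User Level` subsections beneath it or rewrite it as an ordinary introductory sentence, because as it stands the `*)` is the only remnant of the old list-style labels and renders literally.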
@ -105,8 +98,7 @@ The mapping file must be created/updated manually before configuration
of Yubico PAM module for OpenVPN authentication. of Yubico PAM module for OpenVPN authentication.
Configuration of modified pam_yubico.so module at administrative level: ====== Configuration of modified pam_yubico.so module at administrative level:
-----------------------------------------------------------------------
Append the following line to the beginning of /etc/pam.d/radiusd file: Append the following line to the beginning of /etc/pam.d/radiusd file:
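Review bot: the context line `Append the following line to the beginning of /etc/pam.d/radiusd file` sits in the section for OpenVPN without FreeRADIUS, but the PAM service file this variant tells the reader to create is `/etc/pam.d/openvpn` (named by the `plugin` directive in `server.conf`); `radiusd` belongs to the FreeRADIUS variant, so the file name looks wrong here. "Append ... to the beginning" is also self-contradictory; PAM evaluates the stack top-down, so if pam_yubico is meant to run first, say "insert the following line at the top of". Minor: `======` is the deepest section level AsciiDoc supports, so nothing under this heading can be nested further.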
@ -129,23 +121,20 @@ After successful verification of OTP Yubico PAM module from the Yubico
authentication server, a success code is returned. authentication server, a success code is returned.
User Level: ===== User Level
-----------
Although, user level configuration of pam_yubico is possible, this might Although, user level configuration of pam_yubico is possible, this might
not be a desired configuration option in case of OpenVPN daemon in most not be a desired configuration option in case of OpenVPN daemon in most
enterprise. enterprise.
ii) Configuration of PAM modules for OpenVPN: ii) Configuration of PAM modules for OpenVPN:
---------------------------------------------
To configure PAM modules for OpenVPN, create a file named To configure PAM modules for OpenVPN, create a file named
`/etc/pam.d/openvpn` (file name must be one which is specified `/etc/pam.d/openvpn` (file name must be one which is specified
in `/etc/openvpn/server.conf` along with 'plugin' directive) in `/etc/openvpn/server.conf` along with 'plugin' directive)
and list all the PAM modules in this files accordingly. and list all the PAM modules in this files accordingly.
d) Test Setup: ==== Test Setup
--------------
Our test environment is as follows: Our test environment is as follows:
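Review bot: the underline below `ii) Configuration of PAM modules for OpenVPN:` is removed but the heading text itself is not converted, so it now renders as an ordinary paragraph carrying a stray `ii)` label; make it a `=====` heading (dropping `ii)` and the colon) alongside `===== User Level`. The converted `===== User Level` drops its colon, which is the style the rest of the file should follow.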
@ -166,8 +155,7 @@ password include system-auth
session include system-auth session include system-auth
------ ------
e) Testing the configuration: ==== Testing the configuration
-----------------------------
We have tested the pam_yubico configuration on following Linux sever platforms: We have tested the pam_yubico configuration on following Linux sever platforms:
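Review bot: the unchanged context line `We have tested the pam_yubico configuration on following Linux sever platforms:` has a typo (`sever` should be `server`) and is missing an article (`on the following`); since this heading is being edited anyway, fix the sentence here and in its identical copy in the FreeRADIUS section.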
@ -213,8 +201,7 @@ follows instead of starting it using `init.d` script:
We can configure OpenVPN server demon to start at boot time by We can configure OpenVPN server demon to start at boot time by
copying the above command in `/etc/rc.local` file. copying the above command in `/etc/rc.local` file.
B) OpenVPN Configuration with FreeRADIUS support: === OpenVPN Configuration with FreeRADIUS support
-------------------------------------------------
In this type of configuration, the OpenVPN server will be using In this type of configuration, the OpenVPN server will be using
FreeRADIUS server for authenticating users. FreeRADIUS server will FreeRADIUS server for authenticating users. FreeRADIUS server will
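Review bot: the context line `We can configure OpenVPN server demon to start at boot time` should read `daemon`. The converted `=== OpenVPN Configuration with FreeRADIUS support` correctly drops the trailing colon; the corresponding heading for the non-FreeRADIUS variant earlier in this change keeps it, so align the two.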
@ -263,8 +250,7 @@ freeradius.example.com Admin456
We can configure failover support for RADIUS server by creating additional We can configure failover support for RADIUS server by creating additional
RADIUS server entries per line of “/etc/raddb/server” file. RADIUS server entries per line of “/etc/raddb/server” file.
A) Test Setup: ==== Test Setup
--------------
Our test environment is as follows: Our test environment is as follows:
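Review bot: the context shows the RADIUS shared secret (`freeradius.example.com Admin456`) stored in `/etc/raddb/server`, the file pam_radius_auth reads; the document should state that this file must be owned by root and not world-readable (mode 0600), since anyone who can read the secret can send Access-Requests to the RADIUS server as that client. Style: the path is wrapped in curly quotes (`“/etc/raddb/server”`) while other paths in the file use backticks; use backticks. The new `==== Test Setup` also duplicates the identical heading in the non-FreeRADIUS section, so asciidoctor will generate a suffixed id for the second one; qualify it, e.g. `==== Test Setup (FreeRADIUS)`.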
@ -280,8 +266,7 @@ account required pam_radius_auth.so
auth required pam_radius_auth.so no_warn try_first_pass auth required pam_radius_auth.so no_warn try_first_pass
------ ------
B) Testing the configuration: ==== Testing the configuration
-----------------------------
We have tested the pam_yubico configuration on following Linux sever platforms: We have tested the pam_yubico configuration on following Linux sever platforms:
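Review bot: `==== Testing the configuration` repeats the heading used in the non-FreeRADIUS section, and the following context line repeats the `sever` typo; qualify the heading (e.g. `==== Testing the configuration (FreeRADIUS)`) so the two sections get distinct anchors, and fix `sever` to `server`. In the PAM context lines, listing `auth required pam_radius_auth.so no_warn try_first_pass` before `account required pam_radius_auth.so` would match the conventional auth/account/password/session order; PAM itself does not care about ordering across management groups, so this is a readability point only.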