mirror of https://github.com/Yubico/yubico-pam.git
synced 2025-02-20 21:54:16 +01:00
Update YubiKey_and_OpenVPN_via_PAM.adoc
parent 1058a07eee
commit da37585a26
@ -35,7 +35,7 @@ We assume that OpenVPN server is already installed on the server.
a) Configuration of OpenVPN server to support PAM authentication:
-----------------------------------------------------------------

* Edit the OpenVPN server configuration file “/etc/openvpn/server.conf”
* Edit the OpenVPN server configuration file `/etc/openvpn/server.conf`
to add the following three lines to enable PAM modules for username
and password authentication:

@ -48,7 +48,7 @@ username-as-common-name
(For e.g.: plugin /usr/lib/openvpn/plugin/lib/openvpn-auth-pam.so openvpn)


* Edit the OpenVPN client configuration file “/etc/openvpn/client.conf” to
* Edit the OpenVPN client configuration file `/etc/openvpn/client.conf` to
add following line to configure OpenVPN client for prompting username and
password:

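Review bot: grammar in the context line directly after the rewritten bullet: "add following line to configure OpenVPN client for prompting username and password" should read "add the following line to make the OpenVPN client prompt for username and password". The example at the top of the hunk, "(For e.g.: plugin ...)", is also redundant, since "e.g." already means "for example"; "(For example: plugin ...)" is enough. Both are one-word fixes on lines this hunk already sits on.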
@ -85,7 +85,7 @@ supported by this file. However, presently there is no logic coded to
detect or prevent use of same YubiKey ID for multiple users.

Each record in the file should begin on a new line. The parameters in
each record are separated by “:” character similar to /etc/passwd.
each record are separated by `:` character similar to `/etc/passwd`.

The contents of this file are as follows:

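Review bot: the hunk only swaps the quote style on the "`:` character similar to `/etc/passwd`" line, but the context two lines above it says nothing detects the same YubiKey ID being listed for several users, and that is the place to add one sentence telling the reader to keep the YubiKey ID column unique by hand, because a duplicated ID lets the holder of that single token pass the YubiKey step for more than one username. While there, "use of same YubiKey ID" wants an article: "use of the same YubiKey ID".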
@ -140,8 +140,8 @@ ii) Configuration of PAM modules for OpenVPN:
---------------------------------------------

To configure PAM modules for OpenVPN, create a file named
“/etc/pam.d/openvpn” (file name must be one which is specified
in “/etc/openvpn/server.conf“ along with “plugin” directive)
`/etc/pam.d/openvpn` (file name must be one which is specified
in `/etc/openvpn/server.conf` along with 'plugin' directive)
and list all the PAM modules in this files accordingly.

d) Test Setup:
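Review bot: inconsistent literal markup in the second rewritten line: plugin is set in single quotes ('plugin') while the file names on the same two lines use backticks; write `plugin` so every literal in the paragraph renders the same way. The following context line also carries a typo this rewrite could pick up: "list all the PAM modules in this files accordingly" should be "in this file".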
@ -155,7 +155,7 @@ ii) OpenVPN Server : OpenVPN Version 2.0.9

iii) Yubico PAM: pam_yubico Version 1.8

iv) "/etc/pam.d/openvpn" file:
iv) `/etc/pam.d/openvpn` file:

------
auth required pam_yubico.so authfile=/etc/yubikeyid id=16 debug
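Review bot: the PAM line in the trailing context, "auth required pam_yubico.so authfile=/etc/yubikeyid id=16 debug", is the one readers will paste into /etc/pam.d/openvpn, and it keeps `debug` switched on, which makes the module emit verbose diagnostic output on every authentication; either drop it from the copyable example or add a sentence after the block saying it is for troubleshooting only and should be removed once the setup works. The same sentence could note that `id=16` stands in for the reader's own client id for the Yubico validation service.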
@ -199,19 +199,19 @@ immediately followed by an OTP generated by a YubiKey.

If OpenVPN server is configured for supporting PAM authentication, it
will verify user authentication details even at the startup of OpenVPN
server demon, when it is started using “init.d” script or it is
server demon, when it is started using `init.d` script or it is
configured to start at boot time.

To avoid prompting of username and password at the startup of OpenVPN
server demon, we can start OpenVPN Server demon at command line as
follows instead of starting it using “init.d” script:
follows instead of starting it using `init.d` script:

------
[root@testsrv ~]# /usr/sbin/openvpn --config /etc/openvpn/server.conf --daemon openvpn
------

We can configure OpenVPN server demon to start at boot time by
copying the above command in /etc/rc.local file.
copying the above command in `/etc/rc.local` file.

B) OpenVPN Configuration with FreeRADIUS support:
-------------------------------------------------
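Review bot: the two rewritten `init.d` lines ("server demon, when it is started using `init.d` script or it is" and "follows instead of starting it using `init.d` script:") keep the misspelling "demon" for "daemon", which also appears in the surrounding context ("server demon, we can start OpenVPN Server demon", "OpenVPN server demon to start at boot time"); since these lines are being rewritten anyway, correct the spelling throughout the passage and add the article in "using the `init.d` script". The last rewritten line reads better as "copying the above command into the `/etc/rc.local` file".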
@ -220,7 +220,7 @@ In this type of configuration, the OpenVPN server will be using
FreeRADIUS server for authenticating users. FreeRADIUS server will
be verifying the authentication information received from OpenVPN
server by verifying the username and user’s password against system
password file “/etc/passwd” (or by other means supported by FreeRADIUS)
password file `/etc/passwd` (or by other means supported by FreeRADIUS)
and verifying the OTP (one time password) generated by a YubiKey
with the Yubico’s OTP validation server.

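Review bot: the rewrite normalizes the typographic double quotes around `/etc/passwd` but leaves the typographic apostrophes on the neighbouring context lines ("user’s password", "the Yubico’s OTP validation server"); if the aim is plain ASCII markup, convert those in the same change. Independently, "with the Yubico’s OTP validation server" drops its article: "with Yubico's OTP validation server".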
@ -234,8 +234,8 @@ https://github.com/Yubico/yubico-pam/wiki/YubiKeyAndFreeRADIUSviaPAM

* Install and configure pam_radius_auth.so and copy it to /lib/security directory

* Create a file “/etc/pam.d/openvpn” (file name must be the one which is specified
in “/etc/openvpn/server.conf “ along with “plugin” directive) and copy the following
* Create a file `/etc/pam.d/openvpn` (file name must be the one which is specified
in `/etc/openvpn/server.conf` along with 'plugin' directive) and copy the following
contents to the file:

------
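Review bot: the second rewritten line sets plugin in single quotes ('plugin') while `/etc/pam.d/openvpn` and `/etc/openvpn/server.conf` on the same two lines use backticks; use `plugin` for consistency. The context bullet two lines above ("copy it to /lib/security directory") leaves its path unformatted and reads better as "copy it to the `/lib/security` directory".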
@ -244,7 +244,7 @@ account required pam_radius_auth.so
auth required pam_radius_auth.so no_warn try_first_pass
------

* Create a file “/etc/raddb/server” to configure FreeRADIUS server that is
* Create a file `/etc/raddb/server` to configure FreeRADIUS server that is
used by pam_radius_auth PAM module. The content for the file is as follows:

------
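Review bot: the rewritten bullet introduces `/etc/raddb/server` as the configuration file for pam_radius_auth without saying that this file holds the RADIUS shared secret; add that it must be owned by root and not readable by other users (mode 0600), otherwise any local account on the VPN host can read the secret. Also "used by pam_radius_auth PAM module" wants an article: "used by the pam_radius_auth PAM module".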