mirror of https://github.com/Yubico/yubico-pam.git synced 2025-02-20 21:54:16 +01:00

Update YubiKey_and_OpenVPN_via_PAM.adoc

This commit is contained in:
Henrik Stråth 2014-10-29 17:00:37 +01:00
parent 1058a07eee
commit da37585a26


@ -35,7 +35,7 @@ We assume that OpenVPN server is already installed on the server.
a) Configuration of OpenVPN server to support PAM authentication:
-----------------------------------------------------------------
* Edit the OpenVPN server configuration file “/etc/openvpn/server.conf”
* Edit the OpenVPN server configuration file `/etc/openvpn/server.conf`
to add the following three lines to enable PAM modules for username
and password authentication:
@ -48,7 +48,7 @@ username-as-common-name
(For e.g.: plugin /usr/lib/openvpn/plugin/lib/openvpn-auth-pam.so openvpn)
* Edit the OpenVPN client configuration file “/etc/openvpn/client.conf” to
* Edit the OpenVPN client configuration file `/etc/openvpn/client.conf` to
add following line to configure OpenVPN client for prompting username and
password:
@ -85,7 +85,7 @@ supported by this file. However, presently there is no logic coded to
detect or prevent use of same YubiKey ID for multiple users.
Each record in the file should begin on a new line. The parameters in
each record are separated by “:” character similar to /etc/passwd.
each record are separated by `:` character similar to `/etc/passwd`.
The contents of this file are as follows:
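Review bot: the rewritten line "each record are separated by `:` character similar to `/etc/passwd`" still reads awkwardly; suggest "each record are separated by the `:` character, similar to `/etc/passwd`." Since this hunk touches the paragraph that admits there is no logic to detect or prevent the same YubiKey ID being mapped to multiple users, it would be worth adding one sentence telling administrators to check the mapping file for duplicate YubiKey IDs themselves (for example after every edit), as a duplicate ID silently lets one token authenticate as several accounts.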
@ -140,8 +140,8 @@ ii) Configuration of PAM modules for OpenVPN:
---------------------------------------------
To configure PAM modules for OpenVPN, create a file named
“/etc/pam.d/openvpn” (file name must be one which is specified
in “/etc/openvpn/server.conf“ along with “plugin” directive)
`/etc/pam.d/openvpn` (file name must be one which is specified
in `/etc/openvpn/server.conf` along with 'plugin' directive)
and list all the PAM modules in this files accordingly.
d) Test Setup:
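Review bot: inconsistent markup in the replacement lines: file paths now use backticks but the directive is written as 'plugin' with single quotes; use `plugin` so it renders as monospace like the rest of this change. While these lines are being touched, "file name must be one which is specified" should read "the file name must be the one specified", and the neighbouring context line "list all the PAM modules in this files" has a typo ("this file").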
@ -155,7 +155,7 @@ ii) OpenVPN Server : OpenVPN Version 2.0.9
iii) Yubico PAM: pam_yubico Version 1.8
iv) "/etc/pam.d/openvpn" file:
iv) `/etc/pam.d/openvpn` file:
------
auth required pam_yubico.so authfile=/etc/yubikeyid id=16 debug
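Review bot: the `/etc/pam.d/openvpn` example in this hunk keeps the `debug` option on the pam_yubico.so line. That is appropriate for a section titled "Test Setup", but the document should state that `debug` is for troubleshooting only and must be removed in production, since it makes the module log verbose authentication details to the system log.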
@ -199,19 +199,19 @@ immediately followed by an OTP generated by a YubiKey.
If OpenVPN server is configured for supporting PAM authentication, it
will verify user authentication details even at the startup of OpenVPN
server demon, when it is started using “init.d” script or it is
server demon, when it is started using `init.d` script or it is
configured to start at boot time.
To avoid prompting of username and password at the startup of OpenVPN
server demon, we can start OpenVPN Server demon at command line as
follows instead of starting it using “init.d” script:
follows instead of starting it using `init.d` script:
------
[root@testsrv ~]# /usr/sbin/openvpn --config /etc/openvpn/server.conf --daemon openvpn
------
We can configure OpenVPN server demon to start at boot time by
copying the above command in /etc/rc.local file.
copying the above command in `/etc/rc.local` file.
B) OpenVPN Configuration with FreeRADIUS support:
-------------------------------------------------
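Review bot: the two replaced lines ("server demon, when it is started using `init.d` script" and "follows instead of starting it using `init.d` script") are being edited anyway, so fix "demon" to "daemon" on them at the same time; the word appears three more times in the surrounding context of this hunk ("OpenVPN server demon", "start OpenVPN Server demon") and should be corrected consistently. "using `init.d` script" also wants an article: "using the `init.d` script".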
@ -220,7 +220,7 @@ In this type of configuration, the OpenVPN server will be using
FreeRADIUS server for authenticating users. FreeRADIUS server will
be verifying the authentication information received from OpenVPN
server by verifying the username and users password against system
password file “/etc/passwd” (or by other means supported by FreeRADIUS)
password file `/etc/passwd` (or by other means supported by FreeRADIUS)
and verifying the OTP (one time password) generated by a YubiKey
with the Yubicos OTP validation server.
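Review bot: the context around the replaced line has two missing apostrophes that could be fixed in the same commit: "users password" should be "user's password" and "Yubicos OTP validation server" should be "Yubico's OTP validation server".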
@ -234,8 +234,8 @@ https://github.com/Yubico/yubico-pam/wiki/YubiKeyAndFreeRADIUSviaPAM
* Install and configure pam_radius_auth.so and copy it to /lib/security directory
* Create a file “/etc/pam.d/openvpn” (file name must be the one which is specified
in “/etc/openvpn/server.conf “ along with “plugin” directive) and copy the following
* Create a file `/etc/pam.d/openvpn` (file name must be the one which is specified
in `/etc/openvpn/server.conf` along with 'plugin' directive) and copy the following
contents to the file:
------
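Review bot: same inconsistency as in the `/etc/pam.d/openvpn` hunk above: the new line uses `/etc/openvpn/server.conf` in backticks but 'plugin' in single quotes; write it as `plugin`. The replacement also correctly drops the stray space that was inside the old quoted path (`/etc/openvpn/server.conf “`), which is worth keeping. For consistency, the preceding context line "copy it to /lib/security directory" could get the same backtick treatment (`/lib/security`).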
@ -244,7 +244,7 @@ account required pam_radius_auth.so
auth required pam_radius_auth.so no_warn try_first_pass
------
* Create a file “/etc/raddb/server” to configure FreeRADIUS server that is
* Create a file `/etc/raddb/server` to configure FreeRADIUS server that is
used by pam_radius_auth PAM module. The content for the file is as follows:
------