mirror of
https://github.com/Yubico/yubico-pam.git
synced 2025-02-22 00:54:30 +01:00
Update YubiKey_and_OpenVPN_via_PAM.adoc
This commit is contained in:
parent
1058a07eee
commit
da37585a26
@ -35,7 +35,7 @@ We assume that OpenVPN server is already installed on the server.
|
|||||||
a) Configuration of OpenVPN server to support PAM authentication:
|
a) Configuration of OpenVPN server to support PAM authentication:
|
||||||
-----------------------------------------------------------------
|
-----------------------------------------------------------------
|
||||||
|
|
||||||
* Edit the OpenVPN server configuration file “/etc/openvpn/server.conf”
|
* Edit the OpenVPN server configuration file `/etc/openvpn/server.conf`
|
||||||
to add the following three lines to enable PAM modules for username
|
to add the following three lines to enable PAM modules for username
|
||||||
and password authentication:
|
and password authentication:
|
||||||
|
|
||||||
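Review bot: the backtick conversion on the `/etc/openvpn/server.conf` line is the right AsciiDoc form for a path and matches the rest of this commit; the unchanged context `a) Configuration of OpenVPN server to support PAM authentication:` with its dashed underline is still a hand-drawn heading rather than an AsciiDoc section title, so if the file is being modernised, promoting these `a)`/`b)` labels to proper section titles would let the document TOC pick them up.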
@ -48,7 +48,7 @@ username-as-common-name
|
|||||||
(For e.g.: plugin /usr/lib/openvpn/plugin/lib/openvpn-auth-pam.so openvpn)
|
(For e.g.: plugin /usr/lib/openvpn/plugin/lib/openvpn-auth-pam.so openvpn)
|
||||||
|
|
||||||
|
|
||||||
* Edit the OpenVPN client configuration file “/etc/openvpn/client.conf” to
|
* Edit the OpenVPN client configuration file `/etc/openvpn/client.conf` to
|
||||||
add following line to configure OpenVPN client for prompting username and
|
add following line to configure OpenVPN client for prompting username and
|
||||||
password:
|
password:
|
||||||
|
|
||||||
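Review bot: the context line `(For e.g.: plugin /usr/lib/openvpn/plugin/lib/openvpn-auth-pam.so openvpn)` is left unformatted while the `/etc/openvpn/client.conf` path two lines below gets backticks; suggest writing it as `(e.g. `plugin /usr/lib/openvpn/plugin/lib/openvpn-auth-pam.so openvpn`)` and adding that the plugin path is distribution-specific and that the trailing argument `openvpn` is the PAM service name which must match the `/etc/pam.d/openvpn` file created later in this document.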
@ -85,7 +85,7 @@ supported by this file. However, presently there is no logic coded to
|
|||||||
detect or prevent use of same YubiKey ID for multiple users.
|
detect or prevent use of same YubiKey ID for multiple users.
|
||||||
|
|
||||||
Each record in the file should begin on a new line. The parameters in
|
Each record in the file should begin on a new line. The parameters in
|
||||||
each record are separated by “:” character similar to /etc/passwd.
|
each record are separated by `:` character similar to `/etc/passwd`.
|
||||||
|
|
||||||
The contents of this file are as follows:
|
The contents of this file are as follows:
|
||||||
|
|
||||||
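Review bot: the context lines `presently there is no logic coded to detect or prevent use of same YubiKey ID for multiple users` describe a real risk in the authfile mapping (one token ID listed under several usernames lets that single token authenticate as each of them) but the wording buries it; suggest restating it as an explicit administrator note to keep the mapping one-to-one and to check the file for duplicate IDs. Also, the new line `separated by `:` character similar to `/etc/passwd`` reads better as "separated by a `:` character, as in `/etc/passwd`".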
@ -140,8 +140,8 @@ ii) Configuration of PAM modules for OpenVPN:
|
|||||||
---------------------------------------------
|
---------------------------------------------
|
||||||
|
|
||||||
To configure PAM modules for OpenVPN, create a file named
|
To configure PAM modules for OpenVPN, create a file named
|
||||||
“/etc/pam.d/openvpn” (file name must be one which is specified
|
`/etc/pam.d/openvpn` (file name must be one which is specified
|
||||||
in “/etc/openvpn/server.conf“ along with “plugin” directive)
|
in `/etc/openvpn/server.conf` along with 'plugin' directive)
|
||||||
and list all the PAM modules in this files accordingly.
|
and list all the PAM modules in this files accordingly.
|
||||||
|
|
||||||
d) Test Setup:
|
d) Test Setup:
|
||||||
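Review bot: the new line `in `/etc/openvpn/server.conf` along with 'plugin' directive)` switches to single quotes for `'plugin'` while every other identifier in this commit gets backticks; use `plugin` for consistency. The unchanged context `and list all the PAM modules in this files accordingly.` also has a typo ("this files" should be "this file") that this hunk is a natural place to fix.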
@ -155,7 +155,7 @@ ii) OpenVPN Server : OpenVPN Version 2.0.9
|
|||||||
|
|
||||||
iii) Yubico PAM: pam_yubico Version 1.8
|
iii) Yubico PAM: pam_yubico Version 1.8
|
||||||
|
|
||||||
iv) "/etc/pam.d/openvpn" file:
|
iv) `/etc/pam.d/openvpn` file:
|
||||||
|
|
||||||
------
|
------
|
||||||
auth required pam_yubico.so authfile=/etc/yubikeyid id=16 debug
|
auth required pam_yubico.so authfile=/etc/yubikeyid id=16 debug
|
||||||
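Review bot: the context line `auth required pam_yubico.so authfile=/etc/yubikeyid id=16 debug` carries the `debug` option, which is fine for the "Test Setup" section but makes pam_yubico emit verbose debug output; a one-line remark that `debug` should be dropped from a production `/etc/pam.d/openvpn` would stop readers copying the test stack as-is.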
@ -199,19 +199,19 @@ immediately followed by an OTP generated by a YubiKey.
|
|||||||
|
|
||||||
If OpenVPN server is configured for supporting PAM authentication, it
|
If OpenVPN server is configured for supporting PAM authentication, it
|
||||||
will verify user authentication details even at the startup of OpenVPN
|
will verify user authentication details even at the startup of OpenVPN
|
||||||
server demon, when it is started using “init.d” script or it is
|
server demon, when it is started using `init.d` script or it is
|
||||||
configured to start at boot time.
|
configured to start at boot time.
|
||||||
|
|
||||||
To avoid prompting of username and password at the startup of OpenVPN
|
To avoid prompting of username and password at the startup of OpenVPN
|
||||||
server demon, we can start OpenVPN Server demon at command line as
|
server demon, we can start OpenVPN Server demon at command line as
|
||||||
follows instead of starting it using “init.d” script:
|
follows instead of starting it using `init.d` script:
|
||||||
|
|
||||||
------
|
------
|
||||||
[root@testsrv ~]# /usr/sbin/openvpn --config /etc/openvpn/server.conf --daemon openvpn
|
[root@testsrv ~]# /usr/sbin/openvpn --config /etc/openvpn/server.conf --daemon openvpn
|
||||||
------
|
------
|
||||||
|
|
||||||
We can configure OpenVPN server demon to start at boot time by
|
We can configure OpenVPN server demon to start at boot time by
|
||||||
copying the above command in /etc/rc.local file.
|
copying the above command in `/etc/rc.local` file.
|
||||||
|
|
||||||
B) OpenVPN Configuration with FreeRADIUS support:
|
B) OpenVPN Configuration with FreeRADIUS support:
|
||||||
-------------------------------------------------
|
-------------------------------------------------
|
||||||
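Review bot: the four occurrences of `demon` in this hunk (`server demon`, `OpenVPN Server demon`) are misspellings of `daemon` on lines the commit already touches for the `init.d` backtick change, so fixing them here costs nothing. Separately, the last changed line recommends `/etc/rc.local` purely to avoid the startup credential prompt; it is worth stating that this also bypasses the init script's own start/stop handling so readers understand the trade-off they are making.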
@ -220,7 +220,7 @@ In this type of configuration, the OpenVPN server will be using
|
|||||||
FreeRADIUS server for authenticating users. FreeRADIUS server will
|
FreeRADIUS server for authenticating users. FreeRADIUS server will
|
||||||
be verifying the authentication information received from OpenVPN
|
be verifying the authentication information received from OpenVPN
|
||||||
server by verifying the username and user’s password against system
|
server by verifying the username and user’s password against system
|
||||||
password file “/etc/passwd” (or by other means supported by FreeRADIUS)
|
password file `/etc/passwd` (or by other means supported by FreeRADIUS)
|
||||||
and verifying the OTP (one time password) generated by a YubiKey
|
and verifying the OTP (one time password) generated by a YubiKey
|
||||||
with the Yubico’s OTP validation server.
|
with the Yubico’s OTP validation server.
|
||||||
|
|
||||||
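Review bot: style point: this hunk converts “/etc/passwd” to backticks but leaves the typographic apostrophes in `user’s` and `Yubico’s`, and the phrase `with the Yubico’s OTP validation server` should drop "the" ("with Yubico's OTP validation server"); if the goal of the commit is plain ASCII punctuation around these terms, normalising the apostrophes on the same lines keeps the file consistent.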
@ -234,8 +234,8 @@ https://github.com/Yubico/yubico-pam/wiki/YubiKeyAndFreeRADIUSviaPAM
|
|||||||
|
|
||||||
* Install and configure pam_radius_auth.so and copy it to /lib/security directory
|
* Install and configure pam_radius_auth.so and copy it to /lib/security directory
|
||||||
|
|
||||||
* Create a file “/etc/pam.d/openvpn” (file name must be the one which is specified
|
* Create a file `/etc/pam.d/openvpn` (file name must be the one which is specified
|
||||||
in “/etc/openvpn/server.conf “ along with “plugin” directive) and copy the following
|
in `/etc/openvpn/server.conf` along with 'plugin' directive) and copy the following
|
||||||
contents to the file:
|
contents to the file:
|
||||||
|
|
||||||
------
|
------
|
||||||
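Review bot: the unchanged context line `* Install and configure pam_radius_auth.so and copy it to /lib/security directory` leaves `pam_radius_auth.so` and `/lib/security` unfenced while the new line below fences `/etc/pam.d/openvpn`; apply backticks there too, and replace `'plugin'` with `plugin` as in the earlier hunk. Removing the stray space in the old `/etc/openvpn/server.conf “` is a good catch.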
@ -244,7 +244,7 @@ account required pam_radius_auth.so
|
|||||||
auth required pam_radius_auth.so no_warn try_first_pass
|
auth required pam_radius_auth.so no_warn try_first_pass
|
||||||
------
|
------
|
||||||
|
|
||||||
* Create a file “/etc/raddb/server” to configure FreeRADIUS server that is
|
* Create a file `/etc/raddb/server` to configure FreeRADIUS server that is
|
||||||
used by pam_radius_auth PAM module. The content for the file is as follows:
|
used by pam_radius_auth PAM module. The content for the file is as follows:
|
||||||
|
|
||||||
------
|
------
|
||||||
|
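Review bot: `try_first_pass` on the context line `auth required pam_radius_auth.so no_warn try_first_pass` is not explained anywhere in the visible text; a short note that it reuses the password already collected by an earlier module in the stack (so the user is not prompted a second time) would help readers combining this entry with the `account required pam_radius_auth.so` line above it.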