google / google-authenticator-libpam

Apache License 2.0

OpenVPN configuration with static challenge #112

Closed montaniasystemab closed 5 years ago

montaniasystemab commented 5 years ago

Hello!

I've been trying to configure google-authenticator-libpam to be used with OpenVPNs lib-pam module using a static challenge from the client.

This would allow us to have the user first enter their password and then get another prompt to enter their OTP code.

However this setup requires that OpenVPN is configured with a named query that is supposed to be sent to the pam module for verification:

For example:

plugin openvpn-auth-pam.so "login login USERNAME password PASSWORD pin OTP"

tells auth-pam to (a) use the "login" PAM module, (b) answer a "login" query with the username given by the OpenVPN client, (c) answer a "password" query with the password, and (d) answer a "pin" query with the OTP given by the OpenVPN client.

source: https://github.com/OpenVPN/openvpn/tree/master/src/plugins/auth-pam

I've tried to configure the plugin to send the static challenge with the named answer pin but it does not seem to be picked up by your pam module.

Is there any way to configure OpenVPN and/or your pam module to be used together with a static challenge?

Thanks!

ThomasHabets commented 5 years ago

And the solution of concatenated password and OTP is suboptimal for you?

It sounds like the openvpn-auth-pam.so is expecting a prompt of "pin". Could you try making the prompt be "pin" by passing "authtok_prompt=pin" to the GA module?

Also: please provide exact configs (I assume you don't actually use the login PAM service? In any case what does the service you do use look like in PAM?) and relevant logs (e.g. /var/log/auth.log).

Add debug option to the GA PAM module to get more verbose logs.

montaniasystemab commented 5 years ago

Thanks for your quick response, it works perfect now, thanks!

For reference, relevant parts of /etc/pam.d/openvpn for password + OTP with static challenge:

auth    required      pam_google_authenticator.so authtok_prompt=pin
auth    [success=1 default=ignore]      pam_unix.so nullok_secure

And the OpenVPN plugin is configured as:

plugin /path/to/openvpn-plugin-auth-pam.so "openvpn login USERNAME password PASSWORD pin OTP"

pratikjoy7 commented 5 years ago

Hey @ThomasHabets, I am trying something similar to what @montaniasystemab is doing. But can't seem to get the Password + OTP static challenge to work, tried a similar configuration.

Logs with debug:

Apr 17 11:06:38 ip-x-x-x-x openvpn(pam_google_authenticator)[17204]: debug: start of google_authenticator for "abcd"
Apr 17 11:06:38 ip-x-x-x-x openvpn(pam_google_authenticator)[17204]: debug: Secret file permissions are 0400. Allowed permissions are 0600
Apr 17 11:06:38 ip-x-x-x-x openvpn(pam_google_authenticator)[17204]: debug: "/etc/openvpn/google-authenticator/abcd" read
Apr 17 11:06:38 ip-x-x-x-x openvpn(pam_google_authenticator)[17204]: debug: shared secret in "/etc/openvpn/google-authenticator/abcd" processed
Apr 17 11:06:38 ip-x-x-x-x openvpn(pam_google_authenticator)[17204]: Invalid verification code for abcd
Apr 17 11:06:38 ip-x-x-x-x openvpn(pam_google_authenticator)[17204]: debug: "/etc/openvpn/google-authenticator/abcd" written
Apr 17 11:06:38 ip-x-x-x-x openvpn[17204]: pam_unix(openvpn:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=abcd

I was able to get password+OTP working with a different set of configuration, the problem occurs when I try static-challenge.

ThomasHabets commented 5 years ago

@pratikjoy7 that sounds more like an OpenVPN question. How to properly send down these things to PAM from OpenVPN.

But in any case you need to provide OpenVPN client and server config, and PAM config, in order for anyone to help you.

pratikjoy7 commented 5 years ago

Thanks for the quick reply! Here's my /etc/pam.d/openvpn config:

auth    required      /lib/security/pam_google_authenticator.so secret=/etc/openvpn/google-authenticator/${USER} user=gauth authtok_prompt=pin debug
auth    [success=1 default=ignore]      pam_unix.so nullok_secure

And the OpenVPN plugin config:

plugin /path/to/openvpn-plugin-auth-pam.so "openvpn login USERNAME password PASSWORD pin OTP"

Added auth-user-pass and static-challenge <text> <echo> to the client conf.

ThomasHabets commented 5 years ago

Well, if it works without static-challenge then likely the PAM module is configured correctly. I don't know how static-challenge works, so like I said this is more of an OpenVPN question.

But you did not provide your config. Did you put static-challenge pin 1 in the client config? Just a guess. The docs for it are unclear.

pratikjoy7 commented 5 years ago

As far as I know, the <text> after static-challenge is what the user would see in the prompt. For example, static-challenge "Enter google authenticator code" 1 would ask the user for the OTP with that text. Documentation regarding this is really hard to find. Thanks for your time.

pratikjoy7 commented 5 years ago

Is there any way I can output the verification code pam_google_authenticator received to syslog or any other relevant logs?

ThomasHabets commented 5 years ago

Not without editing the code. You should be able to add a print statement here.

franlaborda commented 5 years ago

Hello @montaniasystemab, Can you share your config? and what version are you running? I've configured the same way as you, but its not working, (works for password+otp).

Thanks!

montaniasystemab commented 5 years ago

@franlaborda our OpenVPN server is configured with the plugin directive

plugin /opt/lib/openvpn/plugins/openvpn-plugin-auth-pam.so "openvpn login USERNAME password PASSWORD pin OTP"

Clients need to have the static-challenge directive

static-challenge "Verification code:" 1

Pam configuration:

auth       required                        /opt/lib/security/pam_google_authenticator.so authtok_prompt=pin

In October when we were setting this up we had to compile both the pam module and OpenVPN from source in order to get it to work. At that time there were no public releases available that we could get to work. But current releases might have proper support now.
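To make the moving parts in this thread concrete (the plugin argument string described in the first post, the client's static-challenge directive, and the authtok_prompt=pin option that makes the whole thing line up), here is an added Python model of the exchange. It is not code from google-authenticator-libpam or from OpenVPN's auth-pam plugin. What it assumes: with static-challenge the client sends the password field as SCRV1:<base64 password>:<base64 response>; the server side splits that back into password and response; and a query name from the plugin arguments answers a PAM prompt when it is a case-insensitive prefix of that prompt after leading non-alphanumeric characters are skipped. That last rule is my reading of the plugin and should be treated as an assumption, as are the sample credentials and the literal prompt texts ("Verification code: " for the module's default prompt, "Password: " for pam_unix).

```python
import base64

# ---- client side ---------------------------------------------------------
def scrv1_encode(password: str, response: str) -> str:
    """Pack password + challenge response the way a client configured with
    'static-challenge <text> <echo>' does: SCRV1:<b64 pw>:<b64 response>."""
    def b64(s: str) -> str:
        return base64.b64encode(s.encode()).decode()
    return f"SCRV1:{b64(password)}:{b64(response)}"

# ---- server side ---------------------------------------------------------
def scrv1_decode(field: str):
    """Split an SCRV1 password field into (password, response).
    A plain password (no SCRV1: prefix) is returned with response=None,
    which is the ordinary password+OTP-in-one-field case."""
    if not field.startswith("SCRV1:"):
        return field, None
    parts = field.split(":")
    if len(parts) != 3:
        raise ValueError("malformed SCRV1 field")
    try:
        return (base64.b64decode(parts[1], validate=True).decode(),
                base64.b64decode(parts[2], validate=True).decode())
    except ValueError as exc:          # binascii.Error is a ValueError
        raise ValueError("malformed SCRV1 base64") from exc

def parse_plugin_args(argstr: str):
    """'openvpn login USERNAME password PASSWORD pin OTP' ->
    ('openvpn', [('login','USERNAME'), ('password','PASSWORD'), ('pin','OTP')])
    i.e. the PAM service name followed by (query, value) pairs."""
    words = argstr.split()
    if not words or len(words) % 2 == 0:
        raise ValueError("expected: <pam-service> [<query> <value>]...")
    return words[0], list(zip(words[1::2], words[2::2]))

def query_matches(query: str, prompt: str) -> bool:
    """ASSUMPTION (my reading of the plugin): a query name matches a PAM
    prompt when it is a case-insensitive prefix of the prompt once leading
    non-alphanumeric characters are skipped."""
    i = 0
    while i < len(prompt) and not prompt[i].isalnum():
        i += 1
    return prompt[i:].lower().startswith(query.lower())

def answer_prompts(argstr, username, password_field, prompts):
    """Answer each PAM prompt from the plugin's query/value pairs.
    Returns (service, answers). None marks a prompt that no query matched;
    that is the point at which the PAM conversation fails and the OTP
    module logs an invalid code."""
    service, pairs = parse_plugin_args(argstr)
    password, response = scrv1_decode(password_field)
    values = {"USERNAME": username, "PASSWORD": password, "OTP": response}
    answers = []
    for prompt in prompts:
        for query, value in pairs:
            if query_matches(query, prompt):
                answers.append(values.get(value, value))  # else: literal
                break
        else:
            answers.append(None)
    return service, answers

PLUGIN_ARGS = "openvpn login USERNAME password PASSWORD pin OTP"

def demo():
    # constructed sample credentials, not real ones
    field = scrv1_encode("hunter2", "123456")
    # prompts raised by the stack in this thread: the OTP module first,
    # then pam_unix.  Without authtok_prompt the OTP prompt is the
    # module's default text; with authtok_prompt=pin it is just "pin".
    default_prompts = ["Verification code: ", "Password: "]
    pin_prompts = ["pin", "Password: "]
    return (answer_prompts(PLUGIN_ARGS, "abcd", field, default_prompts),
            answer_prompts(PLUGIN_ARGS, "abcd", field, pin_prompts))

if __name__ == "__main__":
    before, after = demo()
    print("default prompt:   ", before)   # OTP prompt left unanswered
    print("authtok_prompt=pin:", after)   # both prompts answered
```

The first case reproduces the failure mode from the opening post: the client did send the OTP, but the "pin" query never matches the module's default prompt, so the OTP prompt goes unanswered. Renaming the prompt with authtok_prompt=pin (or, equivalently, naming the query after whatever prompt the module actually issues) is what makes the response reach the module.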

franlaborda commented 5 years ago

@montaniasystemab thanks for the update!

In October when we were setting this up we had to compile both the pam module and OpenVPN from source in order to get it to work. At that time there were no public releases available that we could get to work. But current releases might have proper support now.

This! On ubuntu 18.04 you still need to compile from source.