On 19.02.22 10:32, Sam Morris via FreeIPA-users wrote:
What VPN server are you using & how do you currently integrate it
with FreeIPA?
If you integrate via PAM, I think the following is possible, but it is untested--it's
just what I've pulled together in my notes, I haven't got around to actually
trying it yet.
You can allow a user to use _either_ normal password authentication, or OTP:
ipa user-mod myuser --user-auth-type=password,otp
Now, pam_sss will prompt for 'first factor' and 'second factor
(optional)' - if the user just hits enter then they can still log in with password
alone. If they do provide a second factor, there will be an 'authentication
indicator' included in their TGT which can be checked later on by the
pam_sss_gss module.
On your VPN server, add the pam_sss_gss module to the vpn service's PAM module stack.
It has to go after pam_sss has prompted the user & obtained a TGT; I guess the
'required' control flag is the right thing to use here. But the exact position
will depend on what else you have in your module stack.
Tell sssd to allow the use of pam_sss_gss by setting pam_gssapi_services = myvpn, and
configure it to require the 'otp' indicator on the user's TGT by setting
pam_gssapi_indicators_map = myvpn:otp. Both those settings are in the [pam] section of
sssd.conf.
(As an aside, I wonder why the former setting is needed--only root should be able to
modify pam stacks; and why the latter setting couldn't have been implemented by a
module argument... it would have been nicer to keep all the PAM config in one place...)
The remaining bit of work is to get the VPN server to understand the prompts from pam_sss
& provide the password to the 'first factor' prompt and the OTP to the
'second factor' prompt.
That sounds quite complicated. I use strongswan and it does not provide
a PAM auth backend. So I think I will use FreeRADIUS that uses LDAP and
local OTP.
Kind regards,
--
sys4 AG
https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG, 80333 München
Registered office: München, Amtsgericht München: HRB 199263
Board of Directors: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
Chairman of the Supervisory Board: Florian Kirstein
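The sssd.conf and PAM stack that Sam sketches in the quoted message, written out as one added configuration example. This is not from the thread, from FreeIPA or from the SSSD project; it assumes an SSSD recent enough to ship pam_sss_gss.so and to understand the pam_gssapi_services and pam_gssapi_indicators_map options, and the service name myvpn, the file paths and the exact ordering of the PAM stack are assumptions to be adapted to the VPN server actually in use.

```ini
# /etc/sssd/sssd.conf -- only the [pam] section is shown; the [sssd] and
# [domain/...] sections are assumed to exist already (FreeIPA client enrolment).
[pam]
# Allow the PAM service "myvpn" (assumed name; it must match the file name
# under /etc/pam.d/) to authenticate via pam_sss_gss.so.
pam_gssapi_services = myvpn
# Require the Kerberos "otp" authentication indicator on the user's TGT before
# pam_sss_gss reports success for that service. The value is a comma-separated
# list of service:indicator pairs; FreeIPA adds "otp" to the TGT only when the
# second factor was actually supplied, so a password-only login is rejected here.
pam_gssapi_indicators_map = myvpn:otp

# /etc/pam.d/myvpn -- assumed stack; keep whatever else the VPN daemon needs.
# pam_sss prompts for "First Factor:" and "Second Factor (optional):" and, on
# success, obtains the user's TGT. pam_sss_gss must run after it: it authenticates
# the user with that TGT via GSSAPI and enforces the indicator map above.
auth     required   pam_sss.so
auth     required   pam_sss_gss.so
account  required   pam_sss.so
```

After editing sssd.conf, restart sssd so the [pam] settings take effect, and test with a user set to `--user-auth-type=password,otp` both with and without a second factor: the password-only attempt should pass pam_sss but fail at pam_sss_gss, which is the behaviour the indicator map is there to provide.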