On Thu, Nov 08, 2018 at 06:51:22PM -0000, Eric Fredrickson via FreeIPA-users wrote:
Hello everyone,
I'm having an issue with OTP when logging into a vpn server that is a client of
FreeIPA. I can login with no issues when OTP is disabled.
FreeIPA Setup:
CentOS 7.5
FreeIPA 4.5.4
HBAC Service: openvpn
HBAC Rule:
[root@ipa ~]# ipa hbacrule-show openvpn_access
Rule name: openvpn_access
Description: VPN users HBAC rule for accessing <vpnhost> via openvpn service.
Enabled: TRUE
Users: <users>
Hosts: vpnhost.localdomain.local
Services: openvpn
User account:
[root@ipa ~]# ipa user-show <omitted>
User login: <omitted>
First name: <omitted>
Last name: <omitted>
Home directory: /home/<omitted>
Login shell: /bin/bash
Principal name: <omitted>
Principal alias: <omitted>
Email address: <omitted>
UID: 1909600003
GID: 1909600003
User authentication types: otp
Certificate: <omitted>
Account disabled: False
Password: True
Member of groups: vpn_users
Member of HBAC rule: openvpn_access
Indirect Member of HBAC rule: user_ipa_access
Kerberos keys available: True
OpenVPN server:
/etc/pam.d/openvpn
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth [default=1 ignore=ignore success=ok] pam_localuser.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so forward_pass
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so umask=0077
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
server.conf
plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn
Can you try
plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so sshd
as a workaround? This will use /etc/pam.d/sshd, but there shouldn't be
much difference. It looks like openvpn behaves a bit like sshd here and
adds the string with the long-term password and token value to every prompt.
Currently pam_sss only expects the 'sshd' PAM service to do so.
bye,
Sumit
>
>
> Any help would be greatly appreciated. Any other information that you may need,
> please feel free to ask. I've read multiple threads; some have gotten it to work
> without posting answers, some have not and have stated that openvpn does not support
> multiple prompts.
>
> Eric
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
> Fedora Code of Conduct:
https://getfedora.org/code-of-conduct.html
> List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
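The exchange Sumit describes, modelled as an added example (not code from pam_sss, openvpn-plugin-auth-pam or FreeIPA): a 2FA-aware PAM module issues a "First Factor" and a "Second Factor" prompt, the OpenVPN plugin answers both with the single "password+token" string the VPN client sent, and only a service-specific special case (assumed here to apply to 'sshd' only, as the reply states) turns two identical answers back into one combined string for the server to split. The user record, OTP secret, timestamp, prompt texts and function names are constructed for the illustration; the OTP secret and timestamp are the RFC 6238 reference values so the token is well known.

```python
"""Model of the two-prompt PAM exchange described in the thread.

Added illustration, not pam_sss, openvpn-plugin-auth-pam or FreeIPA code.
It shows why the same 'password+token' string passes when pam_sss is
invoked for the 'sshd' service but fails for 'openvpn': the OpenVPN plugin
answers every prompt with the one password field it got from the client.
"""
import hashlib
import hmac
import struct

# Constructed user record (not real credentials).  The OTP secret is the
# RFC 4226/6238 reference secret, so the expected token values are known.
USER = {
    "name": "vpnuser",
    "password": "correct horse",
    "otp_secret": b"12345678901234567890",
    "otp_digits": 6,
}


def hotp(secret: bytes, counter: int, digits: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int, step: int = 30) -> str:
    """RFC 6238 TOTP for a fixed timestamp (no drift window, to stay deterministic)."""
    return hotp(secret, unix_time // step, digits)


def verify_two_factor(user: dict, password: str, token: str, now: int) -> bool:
    """Server-side check when the two factors arrive as separate strings."""
    pw_ok = hmac.compare_digest(password, user["password"])
    tok_ok = hmac.compare_digest(token, totp(user["otp_secret"], now, user["otp_digits"]))
    return pw_ok and tok_ok


def verify_combined(user: dict, combined: str, now: int) -> bool:
    """Server-side check for one 'password+token' string.

    Assumption for the model: the server knows the user's token length and
    splits the trailing digits off; everything before them is the password.
    """
    digits = user["otp_digits"]
    if len(combined) <= digits:
        return False
    return verify_two_factor(user, combined[:-digits], combined[-digits:], now)


def openvpn_conv(password_field: str):
    """Model of the OpenVPN auth-pam conversation: every prompt, whatever
    its text, is answered with the single password field from the client."""
    def conv(prompts):
        return [password_field for _ in prompts]
    return conv


def ssh_conv(password: str, token: str):
    """Model of an interactive client that can answer two distinct prompts."""
    def conv(prompts):
        return [password, token][:len(prompts)]
    return conv


def pam_sss_like_auth(service: str, conv, user: dict, now: int) -> bool:
    """Model of a 2FA-aware PAM module issuing two prompts.

    Assumed special case, mirroring what the thread says about pam_sss: only
    for the 'sshd' service are two identical answers treated as one combined
    'password+token' string and passed on whole for the server to split.
    """
    first, second = conv(["First Factor: ", "Second Factor: "])
    if service == "sshd" and first == second:
        return verify_combined(user, first, now)
    return verify_two_factor(user, first, second, now)


NOW = 59  # RFC 6238 test-vector time: SHA-1 TOTP is 94287082, i.e. '287082' at 6 digits

if __name__ == "__main__":
    token = totp(USER["otp_secret"], NOW, USER["otp_digits"])
    combined = USER["password"] + token
    print("openvpn service :", pam_sss_like_auth("openvpn", openvpn_conv(combined), USER, NOW))
    print("sshd service    :", pam_sss_like_auth("sshd", openvpn_conv(combined), USER, NOW))
    print("ssh, two prompts:", pam_sss_like_auth("sshd", ssh_conv(USER["password"], token), USER, NOW))
```

Run as a script, the first case fails and the other two succeed: with service "openvpn" the module hands the whole "password+token" string to the server as the password and the same string again as the token, so neither factor matches; with "sshd" the identical answers are recognised and the combined string is split. The model does not apply a TOTP drift window or rate limiting; a real deployment relies on the KDC and SSSD for those.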