OpenVPN Integration
Jnchi opened this issue · 9 comments
The openvpn-auth-pam module implements username/password
authentication via PAM, and essentially allows any authentication
method supported by PAM (such as LDAP, RADIUS, or Linux Shadow
passwords) to be used with OpenVPN. --README.auth-pam
https://github.com/OpenVPN/openvpn/tree/master/src/plugins/auth-pam
/etc/openvpn/server.conf
plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so openvpn
client-cert-not-required
username-as-common-name
/etc/pam.d/openvpn
auth required pam_aad.so client_id= resource_id= tenant= required_group_id=
@include common-auth
account required pam_nologin.so
@include common-account
@include common-session
@include common-password
Or,
cp /etc/pam.d/sshd /etc/pam.d/openvpn
Adapted from: yubico-pam: YubiKey and OpenVPN via PAM
OpenVPN Client is never prompted
AUTH-PAM: BACKGROUND: received command code: 0
AUTH-PAM: BACKGROUND: USER: dev
AUTH-PAM: BACKGROUND: my_conv[0] query='Enter the following code at https://aka.ms/devicelogin : BQBJRSVMC
Please hit enter after you have logged in.' style=1
AUTH-PAM: BACKGROUND: my_conv[0] query='Password: ' style=1
AUTH-PAM: BACKGROUND: user 'dev' failed to authenticate: Authentication failure
Tue Dec 4 13:16:48 2018 us=249047 192.168.254.1:1194 PLUGIN_CALL: POST /usr/lib/openvpn/openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
Tue Dec 4 13:16:48 2018 us=249075 192.168.254.1:1194 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/lib/openvpn/openvpn-plugin-auth-pam.so
Tue Dec 4 13:16:48 2018 us=249116 192.168.254.1:1194 TLS Auth Error: Auth Username/Password verification failed for peer
Tue Dec 4 13:16:48 2018 us=249214 192.168.254.1:1194 SIGTERM[soft,auth-control-exit] received, client-instance exiting
Full log: openvpn-server.log
The OpenVPN plugin passes the username/password from the client to the server during authentication (See: https://github.com/OpenVPN/openvpn/blob/master/src/plugins/auth-pam/auth-pam.c#L510); however, the device prompt/code is not sent back to the client from the server, resulting in the module failing automatically.
OpenVPN server output:
openvpn --config /etc/openvpn/server.conf
[ . . . TRUNCATED . . . ]
AUTH-PAM: BACKGROUND: received command code: 0
AUTH-PAM: BACKGROUND: USER: jnchi
Connected
AUTH-PAM: BACKGROUND: my_conv[0] query='Enter the following code at https://aka.ms/devicelogin : FJQH7VK77
Please hit enter after you have logged in.' style=2
Connected
no upn?
AUTH-PAM: BACKGROUND: user 'jnchi' failed to authenticate: Authentication failure
PAM module output:
tail /var/log/auth.log
Mar 4 10:34:11 debian jnchi(pam_azure_authenticator)[9701]: debug: start of azure_authenticator for jnchi
See: #24
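The failure described in the comments above can be reproduced without a VPN or an Azure tenant. The following is an added example, not code from pam_aad or from OpenVPN: a stand-alone C model of the server-side PAM conversation function that the auth-pam plugin runs. The plugin only holds the username/password the client sent up front and answers each PAM prompt from a fixed "prompt → value" table; it has no channel back to the client, so a prompt it cannot answer (the device-code prompt) fails the whole conversation, while a plain password prompt is answered from the table. The PAM constants and structs are redefined locally so the file builds without libpam headers (values are libpam's); the matching rule (case-insensitive prefix match after leading punctuation), the default "login/password" table and the "unmatched prompt fails" behaviour are simplifications of the real plugin, which README.auth-pam documents; the credentials and the device code are constructed.

```c
/* Added example (not pam_aad or OpenVPN code): model of auth-pam's
 * server-side PAM conversation, to show why the VPN client never sees
 * the device-code prompt. PAM definitions are local copies (libpam values). */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

#define PAM_PROMPT_ECHO_OFF 1   /* e.g. "Password: " */
#define PAM_PROMPT_ECHO_ON  2   /* e.g. "login: " or the device-code prompt */
#define PAM_ERROR_MSG       3
#define PAM_TEXT_INFO       4
#define PAM_SUCCESS         0
#define PAM_CONV_ERR        19

struct pam_message  { int msg_style; const char *msg; };
struct pam_response { char *resp; int resp_retcode; };

/* All the server knows about the client when PAM runs. */
struct creds { const char *username; const char *password; };

/* Assumed default table: the equivalent of "login USERNAME password PASSWORD". */
static const struct { const char *name; int is_username; } rules[] = {
    { "login", 1 }, { "password", 0 },
};

/* Case-insensitive prefix match after skipping leading non-alphanumerics
 * (simplified model of the plugin's name/value matching). */
static int prompt_matches(const char *prompt, const char *name)
{
    while (*prompt && !isalnum((unsigned char)*prompt)) prompt++;
    for (; *name; name++, prompt++)
        if (tolower((unsigned char)*prompt) != tolower((unsigned char)*name))
            return 0;
    return 1;
}

static char *dup_str(const char *s)
{
    size_t n = strlen(s) + 1;
    char *d = malloc(n);
    if (d) memcpy(d, s, n);
    return d;
}

/* Canned answer for a prompt, or NULL when no table entry fits. */
const char *answer_for_prompt(const char *prompt, const struct creds *c)
{
    for (size_t i = 0; i < sizeof rules / sizeof rules[0]; i++)
        if (prompt_matches(prompt, rules[i].name))
            return rules[i].is_username ? c->username : c->password;
    return NULL;
}

/* Conversation function in the style of auth-pam's my_conv: every message
 * is logged on the server; prompts are answered from the table or fail.
 * Nothing here can reach the client. */
int server_side_conv(int num_msg, const struct pam_message *msg,
                     struct pam_response **resp, const struct creds *c)
{
    struct pam_response *aresp = calloc((size_t)num_msg, sizeof *aresp);
    int ret = PAM_SUCCESS;
    if (!aresp) return PAM_CONV_ERR;
    for (int i = 0; i < num_msg; i++) {
        fprintf(stderr, "my_conv[%d] query='%s' style=%d\n", i, msg[i].msg, msg[i].msg_style);
        switch (msg[i].msg_style) {
        case PAM_PROMPT_ECHO_OFF:
        case PAM_PROMPT_ECHO_ON: {
            const char *a = answer_for_prompt(msg[i].msg, c);
            if (a) aresp[i].resp = dup_str(a);
            else   ret = PAM_CONV_ERR;   /* no rule, no client to ask: fail */
            break;
        }
        case PAM_TEXT_INFO:
        case PAM_ERROR_MSG:
            break;                       /* logged above, dropped */
        default:
            ret = PAM_CONV_ERR;
        }
    }
    if (ret != PAM_SUCCESS) {
        for (int i = 0; i < num_msg; i++) free(aresp[i].resp);
        free(aresp);
        aresp = NULL;
    }
    *resp = aresp;
    return ret;
}

static const struct creds demo_creds = { "dev", "s3cret" };   /* constructed */

const char *demo_answer(const char *prompt) { return answer_for_prompt(prompt, &demo_creds); }

/* Runs one prompt through the conversation and returns the PAM result. */
int run_prompt(int style, const char *prompt)
{
    struct pam_message m = { style, prompt };
    struct pam_response *r = NULL;
    int rc = server_side_conv(1, &m, &r, &demo_creds);
    if (r) { free(r[0].resp); free(r); }
    return rc;
}

/* Scenario 1: a password module's prompt, answerable from the table. */
int scenario_password_only(void) { return run_prompt(PAM_PROMPT_ECHO_OFF, "Password: "); }

/* Scenario 2: a device-code prompt that needs a human first (code constructed). */
int scenario_device_code(void)
{
    return run_prompt(PAM_PROMPT_ECHO_ON,
        "Enter the following code at https://aka.ms/devicelogin : ABCDEFGHI\n"
        "Please hit enter after you have logged in.");
}

int main(void)
{
    printf("password-only module: %s\n", scenario_password_only() == PAM_SUCCESS ? "OK" : "FAIL");
    printf("device-code module:   %s\n", scenario_device_code()  == PAM_SUCCESS ? "OK" : "FAIL");
    return 0;
}
```

The model makes the limitation concrete: any PAM module whose conversation needs a round trip to the person (device code, push approval, challenge/response) cannot work behind auth-pam, because the plugin answers from the server with what it already has. Interactive PAM flows need a client-facing channel such as SSH's keyboard-interactive, which is why the same module works over ssh later in this thread.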
OpenVPN Configuration
First, follow this tutorial from the Debian Wiki:
Then there are a few modifications needed (see: previous comment).
Example configuration files:
- place in /etc/openvpn/server.conf
- place in
- place in /etc/openvpn/client.conf (or in C:\Program Files\OpenVPN\config\client.ovpn on Windows 😢)
- place in
$ ssh jnchi@10.8.0.1
The authenticity of host '10.8.0.1 (10.8.0.1)' can't be established.
ECDSA key fingerprint is SHA256:UboLDzf2gy/tbDr7cUfW4pJWrduU+Tlex/vaaLY3kNM.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.8.0.1' (ECDSA) to the list of known hosts.
An email with a one-time passcode was sent to your email.
Enter the code at https://aka.ms/devicelogin, then press enter.
Linux debian 4.9.0-8-amd64 #1 SMP Debian 4.9.144-3.1 (2019-02-19) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu Mar 21 12:01:09 2019 from 192.168.1.125
jnchi@debian:~$
Note: The OpenVPN GUI will prompt for a password; however, the user's password is not used by pam_aad. Simply set it to an arbitrary value and select "Save password".