CyberNinjas/pam_aad

OpenVPN Integration

Jnchi opened this issue · 9 comments

Jnchi commented

The openvpn-auth-pam module implements username/password
authentication via PAM, and essentially allows any authentication
method supported by PAM (such as LDAP, RADIUS, or Linux Shadow
passwords) to be used with OpenVPN. --README.auth-pam

https://github.com/OpenVPN/openvpn/tree/master/src/plugins/auth-pam

Jnchi commented

/etc/openvpn/server.conf

# The second argument is the PAM service name, i.e. the stack in /etc/pam.d/openvpn
plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so openvpn
# Deprecated since OpenVPN 2.4; "verify-client-cert none" is the replacement
client-cert-not-required
username-as-common-name

/etc/pam.d/openvpn

auth required pam_aad.so client_id= resource_id= tenant= required_group_id=
@include common-auth
account required pam_nologin.so
@include common-account
@include common-session
@include common-password

Or,

cp /etc/pam.d/sshd /etc/pam.d/openvpn

Adapted from: yubico-pam: YubiKey and OpenVPN via PAM

Jnchi commented

OpenVPN Client is never prompted

AUTH-PAM: BACKGROUND: received command code: 0
AUTH-PAM: BACKGROUND: USER: dev
AUTH-PAM: BACKGROUND: my_conv[0] query='Enter the following code at https://aka.ms/devicelogin : BQBJRSVMC
Please hit enter after you have logged in.' style=1
AUTH-PAM: BACKGROUND: my_conv[0] query='Password: ' style=1
AUTH-PAM: BACKGROUND: user 'dev' failed to authenticate: Authentication failure
Tue Dec  4 13:16:48 2018 us=249047 192.168.254.1:1194 PLUGIN_CALL: POST /usr/lib/openvpn/openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
Tue Dec  4 13:16:48 2018 us=249075 192.168.254.1:1194 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/lib/openvpn/openvpn-plugin-auth-pam.so
Tue Dec  4 13:16:48 2018 us=249116 192.168.254.1:1194 TLS Auth Error: Auth Username/Password verification failed for peer
Tue Dec  4 13:16:48 2018 us=249214 192.168.254.1:1194 SIGTERM[soft,auth-control-exit] received, client-instance exiting

Full log: openvpn-server.log

Jnchi commented

The OpenVPN plugin passes the username/password from the client to the server during authentication (see: https://github.com/OpenVPN/openvpn/blob/master/src/plugins/auth-pam/auth-pam.c#L510); however, the device prompt/code is not sent back to the client from the server, resulting in the module failing automatically.

OpenVPN server output:

openvpn --config /etc/openvpn/server.conf
[ . . . TRUNCATED . . . ]
AUTH-PAM: BACKGROUND: received command code: 0
AUTH-PAM: BACKGROUND: USER: jnchi
Connected
AUTH-PAM: BACKGROUND: my_conv[0] query='Enter the following code at https://aka.ms/devicelogin : FJQH7VK77
Please hit enter after you have logged in.' style=2
Connected
no upn?
AUTH-PAM: BACKGROUND: user 'jnchi' failed to authenticate: Authentication failure

PAM module output:

tail /var/log/auth.log
Mar  4 10:34:11 debian jnchi(pam_azure_authenticator)[9701]: debug: start of azure_authenticator for jnchi

See: #24
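Added example, not code from pam_aad or from OpenVPN: a stand-alone C model of how the auth-pam plugin's conversation callback answers PAM prompts when the plugin is loaded with only a service name, as on the `plugin` line in the server.conf above. It assumes that mode (no prompt/value list after the service name), uses libpam's numeric values for the message styles and return codes, and substitutes local stand-in structs for the libpam ones so it builds without libpam-dev. The prompt text is constructed to mirror the device-code prompt in the server log; the code in it is a placeholder. Driving the prompt through every message style shows why the device code can never reach the VPN client: every answer is synthesised from the username/password the client already sent.

```c
#define _POSIX_C_SOURCE 200809L   /* for strdup() */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Linux-PAM message styles and return codes; same numeric values as libpam,
 * defined here so the example builds without libpam-dev. */
#define PAM_PROMPT_ECHO_OFF 1
#define PAM_PROMPT_ECHO_ON  2
#define PAM_ERROR_MSG       3
#define PAM_TEXT_INFO       4
#define PAM_SUCCESS         0
#define PAM_CONV_ERR        19

/* Local stand-ins for the libpam structs (same field order as libpam). */
struct pam_message  { int msg_style; const char *msg; };
struct pam_response { char *resp; int resp_retcode; };

/* Credentials the plugin's background process got from the client's
 * auth-user-pass exchange; this is all it will ever know about the user. */
struct user_pass { const char *username; const char *password; };

/* Model of auth-pam.c my_conv() when the plugin is loaded with only a PAM
 * service name ("... openvpn-plugin-auth-pam.so openvpn"): there is no
 * prompt/value list, so the answer is chosen from the message style alone. */
static int my_conv(int n, const struct pam_message **msgs,
                   struct pam_response **out, void *appdata)
{
    const struct user_pass *up = appdata;
    struct pam_response *aresp;
    int ret = PAM_SUCCESS;

    *out = NULL;
    if (n <= 0 || (aresp = calloc((size_t)n, sizeof *aresp)) == NULL)
        return PAM_CONV_ERR;

    for (int i = 0; i < n; i++) {
        switch (msgs[i]->msg_style) {
        case PAM_PROMPT_ECHO_OFF:            /* assumed to ask for a password */
            aresp[i].resp = strdup(up->password);
            if (aresp[i].resp == NULL) ret = PAM_CONV_ERR;
            break;
        case PAM_PROMPT_ECHO_ON:             /* assumed to ask for a username */
            aresp[i].resp = strdup(up->username);
            if (aresp[i].resp == NULL) ret = PAM_CONV_ERR;
            break;
        case PAM_ERROR_MSG:
        case PAM_TEXT_INFO:                  /* dropped; nothing reaches the VPN client */
            break;
        default:
            ret = PAM_CONV_ERR;
        }
    }
    if (ret != PAM_SUCCESS) {
        for (int i = 0; i < n; i++) free(aresp[i].resp);
        free(aresp);
        return ret;
    }
    *out = aresp;
    return PAM_SUCCESS;
}

/* Push one prompt through the conversation and return the string the PAM
 * module would receive as the "user's" answer (caller frees), or NULL when the
 * message gets no answer or the conversation fails. */
char *answer_for_prompt(int style, const char *text,
                        const char *username, const char *password)
{
    struct user_pass up = { username, password };
    struct pam_message m = { style, text };
    const struct pam_message *msgs[1] = { &m };
    struct pam_response *resp = NULL;
    char *answer;

    if (my_conv(1, msgs, &resp, &up) != PAM_SUCCESS)
        return NULL;
    answer = resp[0].resp;
    free(resp);
    return answer;
}

int main(void)
{
    /* Constructed prompt text modelled on the device-code prompt in the server
     * log above; the code itself is a placeholder. */
    const char *device_prompt =
        "Enter the following code at https://aka.ms/devicelogin : XXXXXXXXX\n"
        "Please hit enter after you have logged in.";
    const char *styles[] = { "", "PROMPT_ECHO_OFF", "PROMPT_ECHO_ON", "ERROR_MSG", "TEXT_INFO" };

    for (int style = PAM_PROMPT_ECHO_OFF; style <= PAM_TEXT_INFO; style++) {
        char *answer = answer_for_prompt(style, device_prompt, "dev", "arbitrary-password");
        printf("style=%d (%s): module receives %s\n", style, styles[style],
               answer ? answer : "no answer");
        free(answer);
    }
    /* Whatever the style, the user never sees the code, the device login never
     * completes, and pam_aad reports "Authentication failure". */
    return 0;
}
```

A style=1 prompt (the case in the first log) is answered with the password the client stored, a style=2 prompt (the second log) with the username, and informational messages are discarded. A module that needs an interactive round trip, like the device-code flow here, therefore cannot work behind this plugin unless the plugin itself is changed to relay prompts.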

Jnchi commented

OpenVPN Configuration

First, follow this tutorial from the Debian Wiki:

Then there are a few modifications needed (see the previous comment).

Example configuration files:

  • server.conf
    • place in /etc/openvpn/server.conf
  • client.conf
    • place in /etc/openvpn/client.conf (or in C:\Program Files\OpenVPN\config\client.ovpn on Windows 😢)

Jnchi commented

$ ssh jnchi@10.8.0.1
The authenticity of host '10.8.0.1 (10.8.0.1)' can't be established.
ECDSA key fingerprint is SHA256:UboLDzf2gy/tbDr7cUfW4pJWrduU+Tlex/vaaLY3kNM.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.8.0.1' (ECDSA) to the list of known hosts.
An email with a one-time passcode was sent to your email.
Enter the code at https://aka.ms/devicelogin, then press enter.

Linux debian 4.9.0-8-amd64 #1 SMP Debian 4.9.144-3.1 (2019-02-19) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu Mar 21 12:01:09 2019 from 192.168.1.125
jnchi@debian:~$

Jnchi commented

openvpn-gui

Note: The OpenVPN GUI will prompt for a password; however, the user's password is not used by pam_aad. Simply set it to an arbitrary value and select "Save password".

https://github.com/OpenVPN/openvpn-gui