So far I've seen 2FA/MFA with OpenVPN using a 3rd party plugin, openvpn-otp.so from evgeny-gridasov/openvpn-otp, but after I got it working I didn't like the way it implemented HOTP counter storage and the use of otp-secrets.

I see that there is a native openvpn-plugin-auth-pam.so, and I also know that on another system we're using the OATH toolkit to provide OTP for sshd. This means there is a common link: I can make use of PAM to give me MFA for OpenVPN.

Server Configuration

As I already have an OpenVPN server configured with LDAP auth, all I need to do is install oathtool, qrencode and libpam-oath.

sudo apt install oathtool qrencode libpam-oath

Create a file for my OTP users, /etc/users.oath, and set its permissions so that nobody else can read it.

touch /etc/users.oath

Create an OTP secret using something that will give you a sha1 hash, e.g.

openssl rand -hex 64 | sha1sum | cut -d' ' -f1

Copy the hash and then edit the /etc/users.oath file so it includes your user's id and the hash we copied, e.g.

Then add the pam_oath line to the PAM service the plugin will use, /etc/pam.d/openvpn:

auth requisite pam_oath.so usersfile=/etc/users.oath window=30 digits=6

Add the plugin to the OpenVPN conf file.

plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so "/etc/pam.d/openvpn login USERNAME password PASSWORD One-time OTP"

For this to work, PAM must be able to look up a user by name/id.
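To sanity-check an enrolment before pointing OpenVPN at it, here is a small added Python helper (my code, not from this post): it builds the usersfile line libpam-oath expects for a secret generated as above, produces the otpauth URI you would pipe into qrencode, computes the RFC 6238 code for that secret so you can compare it with the authenticator app, and checks that the file is private to root. The HOTP/T30/6 line format, the otpauth URI layout and the sample secret (the RFC 4226 reference key) are taken from the oath-toolkit and RFC documentation, not from the post.

```python
import base64
import hashlib
import hmac
import os
import stat
import struct
import time
from urllib.parse import quote

# Constructed sample secret: the RFC 4226/6238 reference key "12345678901234567890" as hex.
# A real secret is the 40-hex-digit output of the openssl|sha1sum pipeline above.
SAMPLE_SECRET = "3132333435363738393031323334353637383930"


def users_oath_entry(user, hex_secret, step=30, digits=6):
    """One usersfile line for libpam-oath: 'HOTP/T30/6' = time-based, 30 s step,
    6-digit codes (matching window=30 digits=6 in the PAM line); '-' = no static PIN."""
    bytes.fromhex(hex_secret)  # raises ValueError if the secret is not hex
    return f"HOTP/T{step}/{digits} {user} - {hex_secret}"


def otpauth_uri(user, hex_secret, issuer="OpenVPN", step=30, digits=6):
    """otpauth:// URI carrying the same secret in base32, suitable for qrencode."""
    b32 = base64.b32encode(bytes.fromhex(hex_secret)).decode().rstrip("=")
    return (f"otpauth://totp/{quote(issuer)}:{quote(user)}"
            f"?secret={b32}&issuer={quote(issuer)}&digits={digits}&period={step}")


def totp(hex_secret, now=None, step=30, digits=6):
    """RFC 6238 TOTP over HMAC-SHA1: the code pam_oath expects for this secret now."""
    counter = int(time.time() if now is None else now) // step
    mac = hmac.new(bytes.fromhex(hex_secret), struct.pack(">Q", counter),
                   hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation (RFC 4226 5.3)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def usersfile_is_private(path="/etc/users.oath"):
    """True only if the usersfile is owned by root with no group/other permission bits."""
    st = os.stat(path)
    return st.st_uid == 0 and (stat.S_IMODE(st.st_mode) & 0o077) == 0


if __name__ == "__main__":
    print(users_oath_entry("alice", SAMPLE_SECRET))
    print(otpauth_uri("alice", SAMPLE_SECRET))
    print("code pam_oath expects right now:", totp(SAMPLE_SECRET))
```

If the code printed here and the one in the authenticator app disagree, check the server clock before anything else; pam_oath only tolerates drift within the configured window.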