A very useful plugin for OpenVPN is the one that validates a username and password using the Linux/UNIX PAM authentication system. PAM stands for Pluggable Authentication Modules and is a highly modular system for controlling user access to system resources. It is used by most modern Linux and UNIX variants and offers a flexible, extensible framework for authenticating and authorizing users. In this recipe, we will use the PAM authentication plugin as a replacement for an auth-user-pass-verify script, validating a remote user's credentials against the system's PAM configuration.
Install OpenVPN 2.3 or higher on two computers. Make sure that the computers are connected over a network. Set up the client and server certificates using the first recipe from Chapter 2, Client-server IP-only Networks. For this recipe, the server computer was running CentOS 6 Linux and OpenVPN 2.3.11. The client was running Fedora 22 Linux and OpenVPN 2.3.11. For the client, keep the client configuration file, example5-5-client.conf, from the Using an auth-user-pass-verify script recipe at hand.
Create the server configuration file:

proto udp
port 1194
dev tun
server 10.200.0.0 255.255.255.0
ca /etc/openvpn/cookbook/ca.crt
cert /etc/openvpn/cookbook/server.crt
key /etc/openvpn/cookbook/server.key
dh /etc/openvpn/cookbook/dh2048.pem
tls-auth /etc/openvpn/cookbook/ta.key 0
persist-key
persist-tun
keepalive 10 60
topology subnet
user nobody
group nobody # nogroup on some distros
daemon
log-append /var/log/openvpn.log
verb 5
suppress-timestamps
plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so "login login USERNAME password PASSWORD"

Note that the last line of the server configuration file is a single line. Save it as example5-10-server.conf and start the server:
[root@server]# openvpn --config example5-10-server.conf
The server log file will now show:
AUTH-PAM: BACKGROUND: INIT service='login'
PLUGIN_INIT: POST /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so '[/usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so] [login] [login] [USERNAME] [password] [PASSWORD]' intercepted=PLUGIN_AUTH_USER_PASS_VERIFY

This indicates that the PAM plugin successfully initialized in the background. The plugin forks this background process at startup, while OpenVPN still has root privileges, so that PAM lookups keep working after the main process has dropped to the nobody user specified in the configuration.
When the client is started with the example5-5-client.conf configuration, it prompts for the user's credentials:

...
OpenVPN 2.3.11 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on May 10 2016
...
library versions: OpenSSL 1.0.1e-fips 11 Feb 2013, LZO 2.08
Enter Auth Username: ********
Enter Auth Password: ********
On the server used in this recipe, a special user cookbook was created. After typing in the username and password, the connection to the server is successfully established. The OpenVPN server log shows the following:

AUTH-PAM: BACKGROUND: received command code: 0
AUTH-PAM: BACKGROUND: USER: cookbook
AUTH-PAM: BACKGROUND: my_conv[0] query='login:' style=2
AUTH-PAM: BACKGROUND: name match found, query/match-string ['login:', 'login'] = 'USERNAME'
AUTH-PAM: BACKGROUND: my_conv[0] query='Password: ' style=1
AUTH-PAM: BACKGROUND: name match found, query/match-string ['Password: ', 'password'] = 'PASSWORD'
...
192.168.3.22:50887 PLUGIN_CALL: POST /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=0
...
192.168.3.22:50887 TLS: Username/Password authentication succeeded for username 'cookbook'
This shows that the user was successfully authenticated using PAM.
The PAM authentication plugin intercepts the auth-user-pass-verify callback. When the OpenVPN client connects and passes along the username and password, the plugin wakes up. It queries the PAM subsystem using the login service (this is the first parameter passed to the openvpn-plugin-auth-pam.so plugin). The remaining parameters tell the auth-pam plugin which prompts to expect from the PAM subsystem, and what to answer to each of them:

login USERNAME password PASSWORD

The PAM login service asks for the username by presenting the login prompt and asks for the password by presenting the password prompt. The auth-pam plugin uses these prompt/keyword pairs to know where to fill in the username (USERNAME) and the password (PASSWORD). If the PAM service presents a prompt that matches none of the configured strings, the plugin cannot answer it and the authentication fails.
After the user has been successfully authenticated by the PAM subsystem, the connection is established.
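To make the prompt matching described above concrete, here is an added example in Python. It is not code from the cookbook or from the openvpn-plugin-auth-pam.so source; it is a simplified model of how the plugin's argument list ("login login USERNAME password PASSWORD") is used to answer the prompts a PAM service presents. The assumptions are labelled in the code: a PAM query is matched against a configured match-string by case-insensitive prefix after skipping leading non-alphanumeric characters, and a query that matches nothing cannot be answered, which makes the PAM authentication fail. The two prompt sequences are constructed: the first reproduces the prompts seen in the server log above, the second models a PAM service that asks for "Username:" instead of "login:".

```python
"""Model of the auth-pam plugin's prompt matching (added example, assumptions
noted inline; not the plugin's own code)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# PAM conversation message styles, as numbered in <security/pam_appl.h>
PAM_PROMPT_ECHO_OFF = 1   # typically the password prompt
PAM_PROMPT_ECHO_ON = 2    # typically the login/username prompt


@dataclass
class PluginConfig:
    service: str                     # PAM service name, here "login"
    matches: List[Tuple[str, str]]   # (match-string, keyword) pairs


def parse_plugin_args(args: List[str]) -> PluginConfig:
    """Split the plugin argument string from the server config: the PAM
    service name first, then match-string/keyword pairs."""
    if not args or (len(args) - 1) % 2 != 0:
        raise ValueError("expected: SERVICE [match-string keyword] ...")
    pairs = [(args[i], args[i + 1]) for i in range(1, len(args), 2)]
    return PluginConfig(service=args[0], matches=pairs)


def keyword_value(keyword: str, username: str, password: str) -> str:
    """Expand USERNAME/PASSWORD to the credentials the client sent; any other
    keyword is passed through as a literal answer (assumption)."""
    return {"USERNAME": username, "PASSWORD": password}.get(keyword, keyword)


def answer_prompt(cfg: PluginConfig, query: str,
                  username: str, password: str) -> Optional[str]:
    """Return the answer for one PAM prompt, or None if no match-string
    matches it. Assumed rule: skip leading non-alphanumeric characters, then
    compare case-insensitively against the match-string as a prefix."""
    q = query.lower()
    while q and not q[0].isalnum():
        q = q[1:]
    for match, keyword in cfg.matches:
        if q.startswith(match.lower()):
            return keyword_value(keyword, username, password)
    return None


def run_conversation(cfg: PluginConfig, prompts: List[Tuple[int, str]],
                     username: str, password: str) -> Tuple[bool, List[str]]:
    """Drive a PAM conversation made of (style, query) prompts. Stops at the
    first prompt that cannot be answered, mirroring a conversation error,
    and returns (success, transcript). Echo-off answers are masked."""
    transcript: List[str] = []
    for style, query in prompts:
        answer = answer_prompt(cfg, query, username, password)
        if answer is None:
            transcript.append(f"query={query!r} style={style} -> not found")
            return False, transcript
        shown = "********" if style == PAM_PROMPT_ECHO_OFF else answer
        transcript.append(f"query={query!r} style={style} -> {shown}")
    return True, transcript


# Constructed prompt sequences (not captured from a real PAM service).
LOGIN_PROMPTS = [(PAM_PROMPT_ECHO_ON, "login:"),
                 (PAM_PROMPT_ECHO_OFF, "Password: ")]
OTHER_PROMPTS = [(PAM_PROMPT_ECHO_ON, "Username: "),
                 (PAM_PROMPT_ECHO_OFF, "Password: ")]

if __name__ == "__main__":
    cfg = parse_plugin_args("login login USERNAME password PASSWORD".split())
    for prompts in (LOGIN_PROMPTS, OTHER_PROMPTS):
        ok, lines = run_conversation(cfg, prompts, "cookbook", "constructed-pw")
        print("\n".join(lines))
        print("result:", "success" if ok else "failure", "\n")
```

The second run shows the failure mode a practitioner hits when the PAM service named in the plugin line uses different prompt wording than the match-strings that follow it: the first prompt is never answered, so PAM reports a conversation error and the VPN login is refused even though the credentials are correct.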
It would also have been possible to authenticate a user using an auth-user-pass-verify script that queries the PAM subsystem. There are two major advantages to using the PAM plugin for this:

- The PAM plugin does not require the script-security directive at all, as no external script is executed.
- The PAM plugin is more efficient than an auth-user-pass-verify script, as for each user connection a separate process needs to be started, during which OpenVPN's main thread is stalled.