Using the PAM authentication plugin

A very useful OpenVPN plugin is the one that validates a username and password against the Linux/UNIX PAM authentication system. PAM stands for Pluggable Authentication Modules; it is a modular framework for authenticating and authorizing users' access to system resources, is used by most modern Linux and UNIX variants, and offers a very flexible and extensible way to configure authentication. In this recipe, we use the PAM authentication plugin as a replacement for an auth-user-pass-verify script to validate a remote user's credentials against the system PAM configuration.

Getting ready

Install OpenVPN 2.3 or higher on two computers. Make sure that the computers are connected over a network. Set up the client and server certificates using the first recipe from Chapter 2, Client-server IP-only Networks. For this recipe, the server computer was running CentOS 6 Linux and OpenVPN 2.3.11. The client was running Fedora 22 Linux and OpenVPN 2.3.11. For the client, keep the client configuration file, example5-5-client.conf, from the Using an auth-user-pass-verify script recipe at hand.

How to do it...

  1. Create the server configuration file:
            proto udp 
            port 1194 
            dev tun 
     
            server 10.200.0.0 255.255.255.0 
     
            ca       /etc/openvpn/cookbook/ca.crt 
            cert     /etc/openvpn/cookbook/server.crt 
            key      /etc/openvpn/cookbook/server.key 
            dh       /etc/openvpn/cookbook/dh2048.pem 
            tls-auth /etc/openvpn/cookbook/ta.key 0 
     
            persist-key 
            persist-tun 
            keepalive 10 60 
     
            topology subnet 
     
            user  nobody 
            group nobody  # nogroup on some distros 
     
            daemon 
            log-append /var/log/openvpn.log 
     
            verb 5 
            suppress-timestamps 
     
            plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so "login login USERNAME password PASSWORD" 
    

    Note that the last line of the server configuration file is a single line. Save it as: example5-10-server.conf.

  2. Start the OpenVPN server:
    [root@server]# openvpn --config example5-10-server.conf
    

    The server log file will now show:

            AUTH-PAM: BACKGROUND: INIT service='login' 
            PLUGIN_INIT: POST /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so '[/usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so] [login] [login] [USERNAME] [password] [PASSWORD]' intercepted=PLUGIN_AUTH_USER_PASS_VERIFY 
    

    This indicates that the PAM plugin successfully initialized in the background.

  3. Start the OpenVPN client. OpenVPN will first prompt for the Auth username and password:
            ... OpenVPN 2.3.11 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on May 10 2016 
            ... library versions: OpenSSL 1.0.1e-fips 11 Feb 2013, LZO 2.08 
            Enter Auth Username: ******** 
            Enter Auth Password: ********  
    

On the server used in this recipe, a user account called cookbook was created beforehand. The account has to exist on the server and be accepted by the server's PAM login stack, because that is what the plugin checks the supplied credentials against. After typing in the username and password, the connection to the server is successfully established. The OpenVPN server log shows the following:

AUTH-PAM: BACKGROUND: received command code: 0 
AUTH-PAM: BACKGROUND: USER: cookbook 
AUTH-PAM: BACKGROUND: my_conv[0] query='login:' style=2 
AUTH-PAM: BACKGROUND: name match found, query/match-string ['login:', 'login'] = 'USERNAME' 
AUTH-PAM: BACKGROUND: my_conv[0] query='Password: ' style=1 
AUTH-PAM: BACKGROUND: name match found, query/match-string ['Password: ', 'password'] = 'PASSWORD' 
... 192.168.3.22:50887 PLUGIN_CALL: POST /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=0 
... 192.168.3.22:50887 TLS: Username/Password authentication succeeded for username 'cookbook' 
 

This shows that the user was successfully authenticated using PAM.

How it works...

The PAM authentication plugin intercepts the auth-user-pass-verify callback, so the server configuration needs neither an auth-user-pass-verify directive nor script-security. The client certificate is still verified during the normal TLS handshake before the username and password are checked, so with this configuration a client needs both a valid certificate and valid PAM credentials.

The first argument to openvpn-plugin-auth-pam.so is a PAM service name, not a module: login here, which makes PAM apply the stack configured in /etc/pam.d/login. The remaining arguments come in pairs and tell the plugin how to answer the prompts the PAM stack raises during the conversation:

login USERNAME password PASSWORD 

Each pair is a match string followed by the response to give. When PAM issues a prompt, the plugin compares it against the match strings, skipping leading non-alphanumeric characters and comparing case-insensitively on the length of the match string, so login matches the prompt login: and password matches the prompt Password: , exactly as the name match found lines in the server log show. The responses USERNAME and PASSWORD are replaced with the credentials the client sent; any other response is passed to PAM literally.

Because the server drops its privileges to nobody, the plugin forks a background process while it is initialized, when OpenVPN is still running as root. That background process is what talks to PAM (and therefore can read the local password database), which is why the log lines are prefixed AUTH-PAM: BACKGROUND. After the user has been successfully authenticated by the PAM subsystem, the connection is established.
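The following is an added example and not code from OpenVPN or the auth-pam plugin: a small, illustrative re-implementation of how the plugin maps its argument pairs onto the prompts of a PAM conversation. The PAM stack itself is simulated with constructed prompt lists, so it runs offline. The matching rule (skip leading non-alphanumerics, case-insensitive prefix compare on the length of the match string) follows my reading of the plugin's name_value_match(); the COMMONNAME token, which the plugin's README documents as substituting the client certificate's common name, is used in one scenario. The user name, password, and common name values are constructed test data.

```python
"""Illustrative model of openvpn-plugin-auth-pam's argument handling.
Added example, not the plugin's own code.  PAM is simulated with
constructed (style, prompt) lists instead of a real pam_start()."""

# PAM message styles, as in <security/pam_appl.h>
PAM_PROMPT_ECHO_OFF = 1   # secret input, e.g. "Password: "
PAM_PROMPT_ECHO_ON = 2    # visible input, e.g. "login:"
PAM_ERROR_MSG = 3
PAM_TEXT_INFO = 4


def name_value_match(query, match):
    """True if PAM prompt `query` is matched by the configured `match`:
    leading non-alphanumeric characters of the prompt are skipped, then
    a case-insensitive comparison over len(match) characters is done,
    so 'login' matches 'login:' and 'password' matches 'Password: '."""
    i = 0
    while i < len(query) and not query[i].isalnum():
        i += 1
    stripped = query[i:]
    if not stripped:
        return False
    return stripped[:len(match)].lower() == match.lower()


def parse_plugin_line(argv):
    """argv is the argument list after the .so path, e.g.
    ["login", "login", "USERNAME", "password", "PASSWORD"].
    Returns (pam_service_name, [(match, response), ...])."""
    if not argv or len(argv[1:]) % 2:
        raise ValueError("expected: <pam-service> [<match> <response>]...")
    rest = argv[1:]
    return argv[0], list(zip(rest[0::2], rest[1::2]))


def pam_conversation(pairs, messages, username, password, common_name=""):
    """Simulated conversation callback.  `messages` is what the PAM stack
    would hand the application: a list of (style, prompt).  Returns
    (ok, replies).  ok is False when a prompt has no configured match,
    the case in which the real plugin reports a conversation error and
    the login fails (for example a stack that adds an OTP prompt the
    plugin line does not know about)."""
    values = {"USERNAME": username, "PASSWORD": password,
              "COMMONNAME": common_name}
    replies = []
    for style, prompt in messages:
        if style in (PAM_ERROR_MSG, PAM_TEXT_INFO):
            replies.append(None)          # informational, nothing to answer
            continue
        if style not in (PAM_PROMPT_ECHO_ON, PAM_PROMPT_ECHO_OFF):
            return False, replies         # unknown style: conversation error
        for match, response in pairs:     # first configured match wins
            if name_value_match(prompt, match):
                replies.append(values.get(response, response))
                break
        else:
            return False, replies         # unmatched prompt: fail the login
    return True, replies


# Constructed prompt sequences.  LOGIN_STACK is what the recipe's log
# shows; OTP_STACK adds a third prompt the recipe's plugin line cannot answer.
LOGIN_STACK = [(PAM_PROMPT_ECHO_ON, "login:"),
               (PAM_PROMPT_ECHO_OFF, "Password: ")]
OTP_STACK = LOGIN_STACK + [(PAM_PROMPT_ECHO_OFF, "Verification code: ")]

RECIPE_ARGS = ["login", "login", "USERNAME", "password", "PASSWORD"]
# Variant: take the PAM user from the client certificate's CN instead of
# trusting whatever user name the client typed.
CN_ARGS = ["login", "login", "COMMONNAME", "password", "PASSWORD"]


def demo():
    service, pairs = parse_plugin_line(RECIPE_ARGS)
    ok1, r1 = pam_conversation(pairs, LOGIN_STACK, "cookbook", "s3cret")
    # Same plugin line against a stack that also asks for an OTP: the
    # extra prompt matches nothing, so the conversation fails.
    ok2, r2 = pam_conversation(pairs, OTP_STACK, "cookbook", "s3cret")
    # COMMONNAME: the user name sent by the client is ignored and the
    # certificate CN is handed to PAM instead.
    _, cn_pairs = parse_plugin_line(CN_ARGS)
    ok3, r3 = pam_conversation(cn_pairs, LOGIN_STACK, "cookbook", "s3cret",
                               common_name="vpn-client-01")
    return service, (ok1, r1), (ok2, r2), (ok3, r3)


if __name__ == "__main__":
    for item in demo():
        print(item)
```

Run it to see that the recipe's two pairs answer the login/password prompts, that a stack with a prompt the plugin line does not cover makes the login fail rather than hang, and how COMMONNAME binds the PAM account to the certificate rather than to a client-chosen name.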

There's more...

It would also have been possible to authenticate a user with an auth-user-pass-verify script that queries the PAM subsystem. There are two major advantages to using the PAM plugin for this:

  • The script-security directive is not required at all, so the server never has to be allowed to execute external scripts.
  • The plugin method is much faster and far more scalable. When many users connect to the OpenVPN server at the same time, an auth-user-pass-verify script has to be started as a separate process for every connection, and OpenVPN's main thread is stalled while that process runs. The plugin answers from the single background process it forked at startup, without creating a new process per login.

Note that the first plugin argument is a PAM service name: login reuses the stack in /etc/pam.d/login, which on many distributions includes modules intended for console logins. A dedicated service file, for example /etc/pam.d/openvpn with openvpn passed as the first plugin argument, keeps the VPN login stack separate from the local login stack and makes it easier to audit what a VPN user is actually checked against.

See also

  • The previous recipe, Using the down-root plugin, in which the basics of using OpenVPN plugins are explained