LinOTP, OpenVPN and PAM without local User

Discussion in 'HOWTO-Related Questions' started by brutus81, Jul 4, 2014.

  1. brutus81

    brutus81 New Member

    Hi,

    I configured my OpenVPN (Debian 7 x64) Server following this howto:

    http://www.howtoforge.com/how-to-set-up-openvpn-to-authenticate-with-linotp

    to secure my OpenVPN with OTP and LinOTP.

It says no local users are needed when using pam_permit.so for account and session. But I need local users. When trying to authenticate a user that does not have a local account, PAM stops here (auth.log):

    pam_linotp[5698]: start pam_linotp.py authentication: 0, ['/lib/security/pam_linotp.py', 'debug', 'url=https://otp.server.local/validate/simplecheck', 'nosslhostnameverify', 'realm=', 'logpassword=no']

    After creating a local user it works (auth.log):
    pam_linotp[5698]: start pam_linotp.py authentication: 0, ['/lib/security/pam_linotp.py', 'debug', 'url=https://otp.server.local/validate/simplecheck', 'nosslhostnameverify', 'realm=', 'logpassword=no']

    pam_linotp[5698]: got no password in authtok - trying through conversation
    pam_linotp[5698]: got password: 123456
    pam_linotp[5698]: calling url https://otp.server.local/validate/simplecheck' {'realm': 'corporatequality.de', 'user': 'username', 'pass': '123456'}
    pam_linotp[5698]: :-(
    pam_linotp[5698]: user rejected

    Here are my pam files on the OpenVPN Server (I only changed validate/check to validate/simplecheck):

    common-linotp:

    auth [success=1 default=ignore] pam_python.so /lib/security/pam_linotp.py debug url=https://otp.server.local/validate/simplecheck nosslhostnameverify realm= logpassword=no
    auth requisite pam_deny.so
    auth required pam_permit.so

    openvpn:

    @include common-linotp
    session sufficient pam_permit.so
    account sufficient pam_permit.so

    Was anybody successful doing this?

    Thanks and Kind regards,
    Andreas
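A small log triage helper, added here as an example and not part of the post or of LinOTP's own code, that groups the pam_linotp auth.log lines above by PID, reports attempts that stopped after the start line (the symptom described for users without a local account) and flags attempts whose debug output wrote the OTP value to the log. The sample lines are constructed from the excerpts in the post; the function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on the post's two auth.log excerpts: PID 5698
# is the "no local user" case (start line only), PID 5710 reaches the OTP server.
SAMPLE_LOG = """\
Jul  4 10:00:01 vpn pam_linotp[5698]: start pam_linotp.py authentication: 0, ['/lib/security/pam_linotp.py', 'debug', 'url=https://otp.server.local/validate/simplecheck', 'nosslhostnameverify', 'realm=', 'logpassword=no']
Jul  4 10:01:01 vpn pam_linotp[5710]: start pam_linotp.py authentication: 0, ['/lib/security/pam_linotp.py', 'debug', 'url=https://otp.server.local/validate/simplecheck', 'nosslhostnameverify', 'realm=', 'logpassword=no']
Jul  4 10:01:01 vpn pam_linotp[5710]: got no password in authtok - trying through conversation
Jul  4 10:01:02 vpn pam_linotp[5710]: got password: 123456
Jul  4 10:01:02 vpn pam_linotp[5710]: calling url https://otp.server.local/validate/simplecheck' {'realm': 'corporatequality.de', 'user': 'username', 'pass': '123456'}
Jul  4 10:01:03 vpn pam_linotp[5710]: :-(
Jul  4 10:01:03 vpn pam_linotp[5710]: user rejected
"""

LINE_RE = re.compile(r"pam_linotp\[(?P<pid>\d+)\]: (?P<msg>.*)$")

# Message fragments from the post, in the order an attempt passes through them;
# the furthest one seen for a PID is recorded as that attempt's outcome.
STAGES = [
    ("start pam_linotp.py authentication", "started"),
    ("got password", "password_obtained"),
    ("calling url", "otp_server_called"),
    ("user rejected", "rejected"),
]

def analyse(log_text):
    """Per PID: last stage reached, and whether a credential was logged in clear."""
    attempts = defaultdict(lambda: {"stage": None, "password_logged": False})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        rec, msg = attempts[m.group("pid")], m.group("msg")
        for needle, stage in STAGES:
            if needle in msg:
                rec["stage"] = stage
        # Both the "got password:" line and the request dict expose the OTP value.
        if msg.startswith("got password:") or "'pass':" in msg:
            rec["password_logged"] = True
    return dict(attempts)

def stalled_attempts(attempts):
    """PIDs that logged only the start line: the post's no-local-user symptom."""
    return sorted(pid for pid, rec in attempts.items() if rec["stage"] == "started")

def attempts_leaking_credentials(attempts):
    """PIDs whose debug output recorded the submitted OTP."""
    return sorted(pid for pid, rec in attempts.items() if rec["password_logged"])
```

Running it over a real auth.log shows at a glance which attempts never reached the password conversation, and whether the debug option should be removed once troubleshooting is done.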