
Do you guys have an idea whether it is possible to configure OpenVPN with pam_google_authenticator.so so that there is no need to authenticate using a username/password, only cert + TOTP? I don't want to create a new Unix user for every new VPN client.

I cannot find any flag in the client-side configuration (ovpn file) that can enable it (https://openvpn.net/index.php/open-source/documentation/manuals/65-openvpn-20x-manpage.html).

UPDATE:

On the server side I tried with:

`/etc/openvpn/server.conf`:

```
auth-user-pass-optional
plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so openvpn
```

`/etc/pam.d/openvpn`:

```
auth required pam_google_authenticator.so
```

But I still see this in the OpenVPN log:

```
PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/lib/openvpn/openvpn-plugin-auth-pam.so
TLS Auth Error: Auth Username/Password verification failed for peer
```
Maybe try `--auth-user-pass-verify script method` instead? This would call *a script* (written by you) which is then free to use the supplied username+password tuple however it wishes—say, using something like [this](https://wiki.archlinux.org/index.php/Google_Authenticator#Command_line) or [whatever else](https://www.google.com/search?q=google+authenticator+totp+command-line). I mean, I'd say a way to go is to bypass PAM completely—as PAM is primarily targeted at authenticating real local users. – kostix May 08 '18 at 10:36
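The comment above points at the root of the failure: `openvpn-plugin-auth-pam.so` hands the client-supplied username to PAM, and `pam_google_authenticator.so` looks the secret up in that local user's home directory, so an account-less setup has nothing to verify against. The alternative the comment suggests is an `auth-user-pass-verify` script. The following is an added example of such a script, not code from the question, the comment or the OpenVPN project. It assumes `script-security 2` and `auth-user-pass-verify /etc/openvpn/totp-verify.py via-file` in `server.conf` (with `via-file`, OpenVPN writes the username on line 1 and the password on line 2 of a temporary file whose path is the script's first argument, and exports the verified certificate CN as `common_name`), and it assumes a hypothetical secrets file `/etc/openvpn/totp-secrets` with one `<cn> <base32-secret>` pair per line. The key design point for a defender: the secret is looked up by the certificate's CN, never by the client-typed username, so a valid certificate can only ever be paired with its own TOTP secret.

```python
#!/usr/bin/env python3
"""Added example: OpenVPN auth-user-pass-verify script (via-file method) that
checks an RFC 6238 TOTP against a per-certificate secret, with no Unix users.

Assumed server.conf lines (hypothetical, not from the original post):
    script-security 2
    auth-user-pass-verify /etc/openvpn/totp-verify.py via-file

Assumed secrets file format (hypothetical path and layout):
    # <certificate common name>  <base32 TOTP secret>
    alice  GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ
"""
import base64
import hashlib
import hmac
import os
import struct
import sys
import time

SECRETS_FILE = "/etc/openvpn/totp-secrets"  # hypothetical path
STEP = 30                                    # TOTP time step in seconds
DIGITS = 6


def hotp(secret_b32, counter, digits=DIGITS):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    padded = secret_b32.strip().upper() + "=" * (-len(secret_b32.strip()) % 8)
    key = base64.b32decode(padded)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32, now, step=STEP, digits=DIGITS):
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret_b32, int(now // step), digits)


def totp_valid(secret_b32, code, now, window=1):
    """Accept the current step and +/- `window` steps of clock skew.
    Compare in constant time so a wrong code does not leak timing."""
    for skew in range(-window, window + 1):
        if hmac.compare_digest(totp(secret_b32, now + skew * STEP), code):
            return True
    return False


def load_secrets(text):
    """Parse '<cn> <base32 secret>' lines; '#' comments and blanks are ignored."""
    secrets = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        cn, secret = line.split(None, 1)
        secrets[cn] = secret.strip()
    return secrets


def verify(common_name, password, secrets, now):
    """True only if `password` is a valid TOTP for the secret bound to this CN.
    The username typed by the client is deliberately not consulted: the
    certificate CN (verified by OpenVPN's TLS handshake) selects the secret."""
    secret = secrets.get(common_name)
    if secret is None:                       # unknown cert: no secret enrolled
        return False
    if len(password) != DIGITS or not password.isdigit():
        return False                         # reject junk before doing HMACs
    return totp_valid(secret, password, now)


def main():
    # OpenVPN exports the peer's certificate CN; via-file puts the
    # username on line 1 and the password (the TOTP) on line 2.
    common_name = os.environ.get("common_name", "")
    with open(sys.argv[1]) as f:
        _username = f.readline().rstrip("\n")
        password = f.readline().rstrip("\n")
    with open(SECRETS_FILE) as f:
        secrets = load_secrets(f.read())
    # Exit status 0 = accept the connection, 1 = reject it.
    sys.exit(0 if verify(common_name, password, secrets, time.time()) else 1)


if __name__ == "__main__":
    main()
```

Two operational caveats worth knowing with this approach: `auth-user-pass` must be mandatory on the server (not `auth-user-pass-optional`), otherwise a client that simply omits the credential block skips the second factor entirely; and because a TOTP is only valid for a short window, a periodic TLS renegotiation that re-prompts with the cached code will fail, so on OpenVPN 2.4 and later pair the script with `auth-gen-token` so that the server hands the client a session token for renegotiations.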

1 Answer


If you can point secondary authentication to an external RADIUS server, there is a RADIUS server designed for OTP authentication.

Disclaimer: I am affiliated with totpradius.

– Emin