I'm setting up a PAM service for OpenVPN, such that the OpenVPN PAM module can authenticate a username/password to an external service that I will implement using a shell script.

The OpenVPN PAM module's documentation states approximately the following:

plugin openvpn-auth-pam.so "openvpn name USERNAME password PASSWORD"

While "USERNAME" and "PASSWORD" are special strings which substitute to client-supplied values, it is also possible to name literal values to use as PAM module query responses. For example, suppose that the login module queried for a third parameter, "domain" which is to be answered with the constant value "mydomain.com":

So now I created an openvpn PAM configuration in /etc/pam.d/openvpn:

auth required pam_exec.so expose_authtok /tmp/outputenv

That got me as far as executing a script and getting the password from stdin; brilliant, I'm 95% of the way there. But I don't have access to the username. I've checked the environment variables and anything I can think of, but I can't work out how I could pass BOTH the username AND password to my script for external authentication.

Ideas?

davidparks21
  • Can you not just do this using the connect-script of the openvpn config, and pass the username/password environment variables to your script, and thereby skip pam entirely? That's what we did to check windows domain users – Sirex Jun 16 '11 at 09:33
  • Great question, but the authentication process in question takes 3-5 seconds to complete, and the authentication script you're asking about blocks all other processes, including traffic, during execution, a point clearly made in the book OpenVPN 2 Cookbook. All articles recommend using the PAM module as it handles this in a properly multi-threaded fashion. – davidparks21 Jun 16 '11 at 09:49
  • by the way when you say it blocks traffic, do you mean all traffic, or just traffic to this user ? – Sirex Jun 17 '11 at 07:05

1 Answer

The full answer to this question is posted here:

https://forums.openvpn.net/post13002.html#p13002

Basically, the example in the PAM module documentation for openvpn leads you astray here; it uses:

plugin openvpn-auth-pam.so "login login USERNAME password PASSWORD"

But the correct configuration for openvpn's server.config is:

plugin /usr/local/openvpn/sbin/openvpn-auth-pam.so "openvpn"

If you include the extra parameters shown in the documentation example it will never write out PAM_USER to the environment variables as is expected based on the documentation of pam_exec.so.

davidparks21
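Putting the question's pam_exec.so line and the answer's plugin line together, the missing piece is the helper script itself: pam_exec.so exports the username as the PAM_USER environment variable and, with expose_authtok, writes the password to the script's stdin. The script below is an added example, not code from the post, from OpenVPN or from Linux-PAM. It assumes the hypothetical path /usr/local/sbin/openvpn-auth.sh in /etc/pam.d/openvpn (`auth required pam_exec.so expose_authtok /usr/local/sbin/openvpn-auth.sh`, with the server using `plugin openvpn-auth-pam.so "openvpn"` as in the answer), and it stands in a constructed user:password table for the external service so that it runs offline; `check_credentials` is the hook where the real external call would go.

```shell
#!/bin/sh
# openvpn-auth.sh: helper run by pam_exec.so from /etc/pam.d/openvpn.
#
# Added example (not from the post, OpenVPN or Linux-PAM). Assumed PAM line:
#   auth required pam_exec.so expose_authtok /usr/local/sbin/openvpn-auth.sh
# pam_exec puts PAM_USER, PAM_SERVICE and PAM_TYPE (plus PAM_RHOST when
# known) into the child's environment; with expose_authtok the password
# is written to the child's stdin. Exit 0 accepts the login; any
# non-zero status rejects it.

# Constructed credential table standing in for the external service, so
# the example runs offline. Format: one "user:password" per line.
CREDENTIAL_TABLE='alice:correct horse
bob:hunter2'

# read_authtok: read the password pam_exec wrote to stdin and print it.
# The token may arrive with or without a trailing newline, so the EOF
# status of read must not be treated as a failure.
read_authtok() {
    IFS= read -r authtok || :
    printf '%s' "$authtok"
}

# check_credentials USER PASSWORD: exit status 0 if valid, 1 otherwise.
# A real deployment would call the external (3-5 second) service here;
# this version does an exact-line match against the constructed table.
check_credentials() {
    user=$1
    password=$2
    # Refuse empty names and anything outside a conservative character
    # set before the value reaches any external command.
    case $user in
        ''|*[!A-Za-z0-9._@-]*) return 1 ;;
    esac
    [ -n "$password" ] || return 1
    # -F: fixed string, -x: whole-line match, so "alice:correct" does not
    # match "alice:correct horse" and "alicex" cannot match "alice".
    printf '%s\n' "$CREDENTIAL_TABLE" | grep -Fqx -- "$user:$password"
}

# Entry point, taken only when pam_exec invoked us (it always sets
# PAM_TYPE); sourcing the file to test the functions skips it.
if [ -n "${PAM_TYPE:-}" ]; then
    # This file is only wired into the auth stack; refuse anything else.
    [ "$PAM_TYPE" = "auth" ] || exit 1
    password=$(read_authtok)
    if check_credentials "${PAM_USER:-}" "$password"; then
        # Log the decision, never the password.
        command -v logger >/dev/null && logger -t openvpn-auth -p auth.info \
            "accepted user=$PAM_USER rhost=${PAM_RHOST:-unknown}"
        exit 0
    fi
    command -v logger >/dev/null && logger -t openvpn-auth -p auth.warning \
        "rejected user=${PAM_USER:-<unset>} rhost=${PAM_RHOST:-unknown}"
    exit 1
fi
```

Two caveats for a real deployment: the auth-pam plugin also runs the PAM account stage after authentication, so /etc/pam.d/openvpn generally needs an `account` line as well (for example `account required pam_permit.so`) or the login is rejected even though the script returned 0; and because pam_exec runs the script with the privileges of the OpenVPN plugin's helper process, the file should be owned by root and not writable by anyone else.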