{{{
auth-user-pass-verify auth-pam.pl via-file
}}}
will use the auth-pam.pl Perl script to authenticate the username/password of connecting clients. With the '''via-file''' method, OpenVPN writes the username and password to the first two lines of a temporary file and passes that file's path to the script as an argument; the alternative '''via-env''' method exports them as the environment variables '''username''' and '''password'''. The script accepts the client by exiting with status 0 and rejects it with any other exit status. See the description of '''auth-user-pass-verify''' in the manual page for more information.

The '''auth-pam.pl''' script is included in the OpenVPN source file distribution in the sample-scripts subdirectory. It will authenticate users on a Linux server using a PAM authentication module, which could in turn implement shadow password, RADIUS, or LDAP authentication. auth-pam.pl is primarily intended for demonstration purposes. For real-world PAM authentication, use the openvpn-auth-pam shared object plugin described below.
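
As an added example (not the auth-pam.pl script shipped with OpenVPN), here is a complete '''auth-user-pass-verify''' handler in Python that implements both handoff methods: '''via-file''' (username on line 1, password on line 2 of a temporary file whose path is the last argument) and '''via-env''' (the '''username''' and '''password''' environment variables). Instead of calling PAM it checks against a constructed in-memory store of salted PBKDF2 hashes, which is a stand-in for whatever backend PAM would consult; the store contents, the script name and the user "alice" are hypothetical. It rejects a malformed handoff (wrong number of lines, missing variables, unreadable file) rather than guessing, compares digests in constant time, and charges unknown usernames the same hashing cost as known ones.

```python
#!/usr/bin/env python3
"""auth-user-pass-verify handler for both handoff methods OpenVPN offers.

via-file: OpenVPN writes the username to line 1 and the password to line 2
          of a temporary file and passes that file's path as the last
          command-line argument.
via-env:  OpenVPN exports the credentials as the environment variables
          "username" and "password".
Exit status 0 accepts the client; any non-zero status rejects it.
"""
import hashlib
import hmac
import os
import sys

PBKDF2_ROUNDS = 100_000


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


# Constructed, hypothetical credential store standing in for the backend PAM
# would consult (shadow, RADIUS, LDAP): username -> (salt, PBKDF2 digest).
CREDENTIALS = {
    "alice": (b"\x01" * 16, _derive("correct horse battery staple", b"\x01" * 16)),
}
# Dummy entry so an unknown username costs the same as a known one
# (no timing oracle on username existence).
_DUMMY = (b"\x00" * 16, _derive("", b"\x00" * 16))


def parse_via_file(contents: str) -> tuple[str, str]:
    """Split a via-file handoff: exactly two lines, optional trailing newline."""
    lines = contents.split("\n")
    if lines and lines[-1] == "":
        lines.pop()  # tolerate only the newline OpenVPN writes after the password
    if len(lines) != 2:
        raise ValueError("expected exactly two lines (username, password), got %d" % len(lines))
    username, password = lines
    if not username:
        raise ValueError("empty username")
    return username, password


def read_via_file(path: str) -> tuple[str, str]:
    with open(path, "r", encoding="utf-8") as fh:
        return parse_via_file(fh.read())


def read_via_env(env) -> tuple[str, str]:
    try:
        return env["username"], env["password"]
    except KeyError as exc:
        raise ValueError("missing %s in environment" % exc) from exc


def verify(username: str, password: str, store=CREDENTIALS) -> bool:
    """Constant-time check against the store; unknown users always fail."""
    salt, expected = store.get(username, _DUMMY)
    candidate = _derive(password, salt)
    return hmac.compare_digest(candidate, expected) and username in store


def main(argv, env) -> int:
    """Return the exit status OpenVPN expects: 0 = accept, 1 = reject."""
    try:
        if len(argv) > 1:
            username, password = read_via_file(argv[-1])   # via-file
        else:
            username, password = read_via_env(env)         # via-env
    except (OSError, ValueError) as exc:
        print("auth-user-pass-verify: rejected, %s" % exc, file=sys.stderr)
        return 1
    return 0 if verify(username, password) else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv, os.environ))
```

To use a script like this, enable external scripts with '''script-security 2''' and point the directive at it, e.g. '''auth-user-pass-verify /etc/openvpn/check-user.py via-file''' (the path is hypothetical). With via-file the password is briefly on disk, so set '''tmp-dir''' to a directory readable only by the OpenVPN user, ideally on tmpfs; via-env avoids the file but exposes the password in the process environment. Either way the script runs with whatever privileges the server has left after '''user''' and '''group''' take effect, so on a server that drops privileges it cannot read the shadow file, which is the limitation the openvpn-auth-pam plugin's split-privilege model is designed to solve.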

== Using Shared Object or DLL Plugins ==

Shared object or DLL plugins are usually compiled C modules which are loaded by the OpenVPN server at run time. For example, if you are using an RPM-based OpenVPN package on Linux, the '''openvpn-auth-pam''' plugin should be already built. To use it, add this to the server-side config file, where the trailing '''login''' argument is the name of the PAM service the plugin authenticates against:
{{{
plugin /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so login
}}}
For real-world production use, it's better to use the '''openvpn-auth-pam''' plugin, because it has several advantages over the '''auth-pam.pl''' script:

 * The shared object '''openvpn-auth-pam''' plugin uses a split-privilege execution model for better security: it forks a privileged helper process when the plugin is initialized, before the server drops its privileges, and the main server process hands each username/password to that helper for checking. This means that the OpenVPN server can run with reduced privileges by using the directives '''user nobody''', '''group nobody''' and '''chroot''', and will still be able to authenticate against the root-readable-only shadow password file.
 * OpenVPN can pass the username/password to a plugin via virtual memory, rather than via a file or the environment, which is better for local security on the server machine.
 * C-compiled plugin modules generally run faster than scripts.

If you would like more information on developing your own plugins for use with OpenVPN, see the '''README''' files in the '''plugin''' subdirectory of the OpenVPN source distribution.

To build the '''openvpn-auth-pam''' plugin on Linux, cd to the '''plugin/auth-pam''' directory in the OpenVPN source distribution and run '''make'''.

== Using username/password authentication as the only form of client authentication ==

By default, using '''auth-user-pass-verify''' or a username/password-checking '''plugin''' on the server will enable dual authentication, requiring that both client-certificate and username/password authentication succeed in order for the client to be authenticated.
Note that '''client-cert-not-required''' will not obviate the need for a server certificate, so a client connecting to a server which uses '''client-cert-not-required''' may remove the '''cert''' and '''key''' directives from the client configuration file, but not the '''ca''' directive, because it is necessary for the client to verify the server certificate. Newer OpenVPN releases deprecate '''client-cert-not-required''' in favour of '''verify-client-cert none''', which has the same effect.
= How to add dual-factor authentication to an OpenVPN configuration using client-side smart cards =