
Pam


Ldap_client. Who this is for: this page is for anyone who wants to make their Ubuntu system able to authenticate against an OpenLDAP server.

ldap_client

Users who want to authenticate against Sun Java Enterprise System Directory Server should refer to the English documentation page. Note for Gutsy: Gutsy ships a new tool for modifying the PAM and nsswitch settings at the same time. OpenVPN and authentication by CA, login and password. Hi everyone.

OpenVPN and authentication by CA, login and password

Today, a quick tutorial on setting up authentication through the PAM module on your OpenVPN server. WARNING: because this relies on login/password authentication, security is lower than with a scheme based on both server and client certificates; nonetheless the server certificate is still required, so the security level can still be considered fairly high. We will assume you have followed this tutorial to install your VPN server, so that your server config looks like this one: you then only need to add these 3 lines at the end of the file: OpenVPNQuickstart - Hinterlands. From Hinterlands: An OpenVPN quickstart guide. Overview: Setting up a full-featured VPN can be a complicated procedure.

OpenVPNQuickstart - Hinterlands

Luckily, OpenVPN supports simpler VPN setups for people who don't want to get into SSL certificate or two-factor token management. OpenVPN Authentication Using PAM and Duo Security - 403 Blogs. OpenVPN Authentication Using PAM and Duo Security: it's possible to configure OpenVPN with two-factor authentication using PAM and Duo Security's phone authentication on Ubuntu 10.04 LTS.

OpenVPN Authentication Using PAM and Duo Security - 403 Blogs

You just need to think like a hacker… By using password concatenation with OpenVPN's PAM plugin and Duo Security's plugin, your password will be comma-delimited, supporting both a PAM-integrated password and Duo Security's phone authentication. Summary: I wasn't satisfied with OpenVPN's options for two-factor authentication. I configured OpenVPN with client certificates and Active Directory password integration via pam_winbind, but I wanted better security. Knowing that it's possible for an attacker on a compromised workstation to grab both the certificate and the user's password (by keylogging or, depending on the OpenVPN configuration, memory scraping), I felt I needed a second out-of-band factor.

This is where Duo Security comes into play. …unless we make some modifications. Why you’d want to do this. Open VPN with PAM. Your Private tunnel to the Internet.

Open VPN with PAM

OpenVPN is a full-featured SSL VPN which implements OSI layer 2 or 3 secure network extension using the industry-standard SSL/TLS protocol, supports flexible client authentication methods based on certificates, smart cards, and/or username/password credentials, and allows user- or group-specific access control policies using firewall rules applied to the VPN virtual interface. OpenVPN is not a web application proxy and does not operate through a web browser.

Installation:
apt-get install openvpn
apt-get install libpam0g-dev (for PAM support)

Configuration: You need to make a decision here whether you want tun (routed) or tap (bridged) connections.

OpenVPN with dual layer authentication (keys and pam). Currently, my original 'how-to' on getting OpenVPN running with OpenVPN-GUI used the standard key-based authentication.

OpenVPN with dual layer authentication (keys and pam)

You can configure your client to password-protect your connection, but I wasn't comfortable with that scheme. If a laptop is stolen, it would be possible (and not hard) to bypass this password. Now we can add an additional layer with PAM and server-side interaction. We still need keys to create the tunnel and send our authentication, so the 'base' security layer is untouched, but now we're going to add PAM to authenticate our user. This can be handy if you're creating multiple VPN users: simply removing their system account will remove their ability to VPN, etc.

To do this (and assuming that we already have a working OpenVPN setup), we will need to make some changes to our server config as well as the client configs. The first item is to make sure that OpenVPN is built with PAM support. With PAM added, a .so file is compiled and is available on our system. groupadd vpn vpn Ok. OpenVPN server with Username and Password auth. I did this on Debian, but these instructions should work equally well for Ubuntu.

Setup IP Forwarding/Masquerading/Firewall

To turn on IP forwarding:
# echo 1 > /proc/sys/net/ipv4/ip_forward

Set the change permanently in /etc/sysctl.conf by uncommenting the line:
net.ipv4.ip_forward=1

To turn on IP masquerading, add the following iptables rule:
# iptables --table nat --append POSTROUTING --out-interface eth0 --jump MASQUERADE

Firewall: If you are running a firewall (and I strongly recommend you do on a public-facing box), you need to allow UDP on port 1194 into your box. Note the protocol is selected with -p, not -udp:
# iptables -A INPUT -p udp -m udp --dport 1194 -j ACCEPT

But these rules need to be persistent, so we need to create a script to run when the interface starts up.

OpenVPN server with Username and Password auth