README.auth-pam

openvpn-auth-pam

SYNOPSIS

The openvpn-auth-pam module implements username/password
authentication via PAM, and essentially allows any authentication
method supported by PAM (such as LDAP, RADIUS, or Linux Shadow
passwords) to be used with OpenVPN.  While PAM supports
username/password authentication, this can be combined with X509
certificates to provide two independent levels of authentication.

This module uses a split privilege execution model which will
function even if you drop openvpn daemon privileges using the user,
group, or chroot directives.

BUILD

To build openvpn-auth-pam, you will need to have the pam-devel
package installed.

Build with the "make" command.  The module will be named
openvpn-auth-pam.so

USAGE

To use this plugin module, add to your OpenVPN config file:

  plugin openvpn-auth-pam.so service-type

The required service-type parameter corresponds to
the PAM service definition file usually found
in /etc/pam.d.

This plugin also supports the usage of a list of name/value
pairs to answer PAM module queries.

For example:

  plugin openvpn-auth-pam.so "login login USERNAME password PASSWORD"

tells auth-pam to (a) use the "login" PAM module, (b) answer a
"login" query with the username given by the OpenVPN client, and
(c) answer a "password" query with the password given by the
OpenVPN client.  This provides flexibility in dealing with the different
types of query strings which different PAM modules might generate.
For example, suppose you were using a PAM module called
"test" which queried for "name" rather than "login":

  plugin openvpn-auth-pam.so "test name USERNAME password PASSWORD"

While "USERNAME", "COMMONNAME" and "PASSWORD" are special strings which
are replaced with client-supplied values, it is also possible to name
literal values to use as PAM module query responses.  For example, suppose
that the login module queried for a third parameter, "domain", which
is to be answered with the constant value "mydomain.com":

  plugin openvpn-auth-pam.so "login login USERNAME password PASSWORD domain mydomain.com"
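
The name/value lookup described above, as an added example in C (it is not the plugin's own code from auth-pam.c). It assumes space-separated tokens and a case-insensitive prefix match on the prompt text; the names answer_prompt, expand, prefix_icase and struct client are hypothetical.

```c
#include <ctype.h>
#include <string.h>

/* Values supplied by the connecting client (hypothetical container type). */
struct client { const char *username, *password, *common_name; };

/* Special strings from the README expand to client values; others are literals. */
static const char *expand(const char *value, const struct client *c)
{
    if (strcmp(value, "USERNAME") == 0)   return c->username;
    if (strcmp(value, "PASSWORD") == 0)   return c->password;
    if (strcmp(value, "COMMONNAME") == 0) return c->common_name;
    return value;
}

/* Assumed matching rule: the name is a case-insensitive prefix of the prompt. */
static int prefix_icase(const char *s, const char *prefix)
{
    for (; *prefix; ++s, ++prefix)
        if (tolower((unsigned char)*s) != tolower((unsigned char)*prefix))
            return 0;
    return 1;
}

/* Look up the answer to one PAM prompt in a plugin argument string such as
 * "login login USERNAME password PASSWORD". Returns 1 and fills out on a
 * match; returns 0 (fail closed) for malformed specs or unanswered prompts. */
int answer_prompt(const char *spec, const char *prompt,
                  const struct client *c, char *out, size_t out_len)
{
    char buf[256], *name, *value;
    const char *resp;

    if (strlen(spec) >= sizeof(buf))
        return 0;                          /* refuse oversized specs */
    strcpy(buf, spec);
    if (strtok(buf, " ") == NULL)          /* first token: service-type */
        return 0;
    while ((name = strtok(NULL, " ")) != NULL) {
        if ((value = strtok(NULL, " ")) == NULL)
            return 0;                      /* name without a value */
        if (!prefix_icase(prompt, name))
            continue;
        resp = expand(value, c);
        if (resp == NULL || strlen(resp) >= out_len)
            return 0;                      /* missing value or too long */
        strcpy(out, resp);
        return 1;
    }
    return 0;                              /* no pair answers this prompt */
}
```

A prompt that no pair answers returns 0, which is the case the --verb 7 query listing helps diagnose.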

The following OpenVPN directives can also influence
the operation of this plugin:

  client-cert-not-required
  username-as-common-name

Run OpenVPN with --verb 7 or higher to get debugging output from
this plugin, including the list of queries presented by the
underlying PAM module.  This is a useful debugging tool to figure
out which queries a given PAM module is making, so that you can
craft the appropriate plugin directive to answer it.

CAVEATS

This module will only work on *nix systems which support PAM,
not Windows.