|
From: Marcus <ade...@go...> - 2008-02-18 16:00:23
|
Hi Folks,

since pam doesn't work for me on ubuntu, as already stated on the user-list, I decided to take a different approach towards authentication. There is a python module called pyrad (http://www.wiggy.net/code/pyrad/), which is able to authenticate a user with a username and a password against a radius-server.

The goal is to put a line like

plugin /path/to/my-auth-script.py

in openvpn-server.conf and take the user + pass which the client provides via the "auth-user-pass" directive in its client.conf.

I already read the README file in the plugin folder of the OpenVPN source distribution, and also browsed through the plugin.h file, but I'm not that good at reading header files.

An authentication script could look something like this:

#!/usr/bin/python

import sys
import socket
import pyrad.packet
from pyrad.client import Client
from pyrad.dictionary import Dictionary

args = sys.argv[1:]  # drop first entry (progpath)
if len(args) != 2:
    raise SystemExit("expected two parameters (username and password)")

srv = Client(server="server_ip",
             secret="some_s3cret",
             dict=Dictionary("dictionary"))

req = srv.CreateAuthPacket(code=pyrad.packet.AccessRequest,
                           User_Name=sys.argv[1])

req["User-Password"] = req.PwCrypt(sys.argv[2])

req["NAS-IP-Address"] = "The_Nas_IP"
req["NAS-Port"] = 0
req["Service-Type"] = "Login-User"
req["NAS-Identifier"] = "openvpn"

try:
    # print "Sending authentication request"
    reply = srv.SendPacket(req)
except pyrad.client.Timeout:
    print "RADIUS server does not reply"
    sys.exit(1)
except socket.error, error:
    print "Network error: " + error[1]
    sys.exit(1)

if reply.code == pyrad.packet.AccessAccept:
    sys.exit(0)
else:
    sys.exit(1)

Can anyone tell me (pretty please with sugar on top) how to put this together? What I don't know yet is:

1. What is the script supposed to return? 0 for authenticated and 1 for not authenticated?
2. How are arguments (username/password) passed to the plugin?
3. How can I use a python script instead of a *.so file or a perl script?

I hope it's not a big deal to get this set-up running.

I recognized that easy authentication via a MS-IAS-Radius server IS an issue in the openvpn-community. This solution would be very simple to set up, and I'd document it in the official wiki to share with the world, in return.

Best regards, Marcus

My client.conf looks like this:

client
dev tun
proto udp
remote SOME_IP 1194
route-method exe
route-delay 2
resolv-retry infinite
nobind
persist-key
persist-tun

auth-user-pass
ca keys/ca.crt

comp-lzo
verb 3
|
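What req.PwCrypt() and CreateAuthPacket() do in the script above, shown as an added example (not part of the original post and not pyrad code): a stdlib-only Python 3 build of the Access-Request with the same attribute set, plus the server-side decode so the round trip can be checked offline. The User-Password is only XORed with an MD5 stream derived from the shared secret, so the secret and the network path to the RADIUS server protect the password, not the encoding itself; the secret, Request Authenticator and NAS address used in the test are constructed sample values.

```python
import hashlib
import struct

ACCESS_REQUEST, SERVICE_TYPE_LOGIN_USER = 1, 1        # RADIUS code / Service-Type value used in the post
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4    # RFC 2865 attribute types
NAS_PORT, SERVICE_TYPE, NAS_IDENTIFIER = 5, 6, 32

def encode_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2 (what pyrad's PwCrypt does): 16-octet blocks XORed with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator                    # the Request Authenticator seeds the first block
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out

def decode_user_password(encoded: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server-side inverse; the cipher block, not the plaintext, chains into the next key."""
    out, prev = b"", authenticator
    for i in range(0, len(encoded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = encoded[i:i + 16]
        out += bytes(c ^ k for c, k in zip(prev, key))
    return out.rstrip(b"\x00")                        # drop the padding

def _attr(kind: int, value: bytes) -> bytes:
    return struct.pack("!BB", kind, len(value) + 2) + value   # type, total length, value

def build_access_request(ident: int, authenticator: bytes, username: str, password: str,
                         secret: bytes, nas_ip: str, nas_identifier: str) -> bytes:
    # Same attribute set the pyrad script fills in, encoded as RADIUS TLVs
    attrs = (_attr(USER_NAME, username.encode())
             + _attr(USER_PASSWORD, encode_user_password(password.encode(), secret, authenticator))
             + _attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + _attr(NAS_PORT, struct.pack("!I", 0))
             + _attr(SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_LOGIN_USER))
             + _attr(NAS_IDENTIFIER, nas_identifier.encode()))
    # header: code, identifier, total length, then the 16-octet Request Authenticator
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def parse_attributes(packet: bytes) -> dict:
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):                         # reject a length field that lies
        raise ValueError("length field does not match packet size")
    attrs, pos = {}, 20
    while pos < length:
        kind, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        attrs[kind] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs
```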
|
From: Thibault Le M. <Thi...@su...> - 2008-02-18 16:12:33
|
Marcus wrote:
> Hi Folks,
>
> since pam doesn't work for me on ubuntu, as already stated on the
> user-list, I decided to take a different approach towards
> authentication. There is a python module called pyrad
> (http://www.wiggy.net/code/pyrad/), which is able to authenticate a user
> with a username and a password against a radius-server.
>

Have you tried using Radius plugin? http://www.nongnu.org/radiusplugin/

Regards,
Thibault Le Meur
|
|
From: Marcus <ade...@go...> - 2008-02-18 16:37:20
|
Thibault Le Meur wrote:
> Have you tried using Radius plugin ?
> http://www.nongnu.org/radiusplugin/

Yes, it works, but my Openvpn-Server is trying to establish accounting according to the logfile, which doesn't work. My IAS-Server however gives me an IAS_SUCCESS, which is equal to "thumbs up". Maybe I can disable accounting in that plugin somehow... any ideas?

Greetz, Marcus
|
|
From: Giancarlo R. <lin...@on...> - 2008-02-18 16:13:54
Attachments:
signature.asc
|
Marcus wrote:
> Hi Folks,
>
> since pam doesn't work for me on ubuntu, as already stated on the
> user-list, I decided to take a different approach towards
> authentication. There is a python module called pyrad
> (http://www.wiggy.net/code/pyrad/), which is able to authenticate a user
> with a username and a password against a radius-server.
>
> The goal is to put a line like
> plugin /path/to/my-auth-script.py
> in openvpn-server.conf and take the user + pass which the client
> provides via the "auth-user-pass"-Directive in it's client.conf.
>
> [...]
>
> What I don't know yet is:
> 1. What is the script supposed to return? 0 for authenticated and 1 for
> not authenticated?
> 2. How are arguments (username/password) passed to the plugin?
> 3. How can I use a python-script instead of a *.so-File or a perl-Script?
>
> [...]

Marcus,

An openvpn auth plugin intercepts the OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY callback, which is internal to openvpn. So your plugin must be a shared library (.so) program that "fits" with openvpn. This plugin uses the openvpn_plugin.h C header and, as far as I'm aware, can be written only in C and C++. I do not know any other openvpn plugin written in another language. I had written one myself to make authentication directly from /etc/shadow files, as an alternative to authenticating with PAM. See http://auth-passwd.sf.net.

If you want to use a .py script, it's much simpler to use the auth-user-pass-verify option, which receives a script as argument. This script is given a path to a temporary file that contains the username and the password provided by the client, one per line. This is more insecure than using a plugin, but for your case it might suit.
My regards,

--
Giancarlo Razzolini
Linux User 172199
Red Hat Certified Engineer no:804006389722501
Moleque Sem Conteudo Numero #002
Slackware Current
OpenBSD Stable
Ubuntu 6.10 Edgy Eft
Snike Tecnologia em Informática
4386 2A6F FFD4 4D5F 5842 6EA0 7ABE BBAB 9C0E 6B85
|
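The auth-user-pass-verify contract Giancarlo describes, as an added example that is not from the thread or from OpenVPN: a Python 3 script that reads the temporary file (username on line 1, password on line 2), falls back to the username/password environment variables OpenVPN exports in via-env mode, and maps the outcome to the exit status OpenVPN acts on (0 = accepted, anything else = rejected). The check() backend and its credentials are hypothetical stand-ins for the RADIUS exchange discussed in the thread, and MAX_CRED_LEN is an assumed cap.

```python
import os
import sys
from typing import Callable, Optional, Tuple

EXIT_OK, EXIT_FAIL = 0, 1    # OpenVPN treats exit 0 as "accepted", anything else as "rejected"
MAX_CRED_LEN = 128           # assumed sanity cap for one credential line

def parse_credentials(text: str) -> Optional[Tuple[str, str]]:
    """via-file layout: username on line 1, password on line 2, one per line."""
    lines = text.splitlines()                 # drops \n and \r\n without touching inner spaces
    if len(lines) < 2 or not lines[0] or len(lines[0]) > MAX_CRED_LEN or len(lines[1]) > MAX_CRED_LEN:
        return None
    return lines[0], lines[1]                 # the password is taken verbatim, spaces included

def read_credentials_file(path: str) -> Optional[Tuple[str, str]]:
    try:
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            return parse_credentials(fh.read())
    except OSError:                           # file vanished, unreadable, or wrong path
        return None

def read_credentials_env(environ) -> Optional[Tuple[str, str]]:
    """via-env layout: OpenVPN exports the pair as the environment variables username and password."""
    user, pw = environ.get("username"), environ.get("password")
    return (user, pw) if user and pw is not None else None

def verify(creds: Optional[Tuple[str, str]], check: Callable[[str, str], bool]) -> int:
    """Map the outcome to an exit status, failing closed on missing input or a crashing backend."""
    if creds is None:
        return EXIT_FAIL
    try:
        return EXIT_OK if check(*creds) else EXIT_FAIL
    except Exception:                         # e.g. the RADIUS timeout / socket.error from the thread
        return EXIT_FAIL

if __name__ == "__main__":
    # Hypothetical backend standing in for the RADIUS exchange; constructed sample credentials.
    def check(user: str, pw: str) -> bool:
        return (user, pw) == ("demo", "demo-pass")
    creds = read_credentials_file(sys.argv[1]) if len(sys.argv) > 1 else read_credentials_env(os.environ)
    sys.exit(verify(creds, check))
```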
|
From: Faidon L. <par...@de...> - 2008-02-18 16:17:26
Attachments:
auth_radius.pl
|
Marcus wrote:
> An authentication-script could look something like this:
>
> #!/usr/bin/python

Not really able to help you with your python script, but this is a really simple perl script I've written in the past (2005) for the same purpose. It uses a simple configuration file format:

radius_host=radius.example.com
radius_port=1812
radius_secret=foobar

It only does the AA part of RADIUS plus it supports Framed-IP-Address, in case you need it. Be warned that the latter is implemented in a rather hackish way.

IIRC, there are other solutions to RADIUS authentication that are more featureful. Haven't evaluated them though; the above works pretty well for me.

Regards,
Faidon
|
|
From: Brane F. G. <bf...@in...> - 2008-02-18 16:23:24
|
... you can also check openvpn_auth:
http://frost.ath.cx/software/openvpn_auth/

Best regards,
Brane
|
|
From: Marcus <ade...@go...> - 2008-02-18 16:59:33
|
Brane F. Gračnar wrote:
> ... you can also check openvpn_auth:
> http://frost.ath.cx/software/openvpn_auth/

Greetings to thee, Brane,

you are the author of that software if I am not mistaken. I tried it already - alas with no success, although I "at least read the whole goddamn configuration file" to the end ;-)

I can start the daemon successfully. (Mind that "semaphores" doesn't work, so I use "flock".)

I defined a "radius" service in the config file:

$auth_backends = {
    radius => {
        driver => 'Radius',
        sufficient => 1,
        required => 1,
        host => '134.2.239.234',
        service => 'openvpn',
        secret => 'mysecret',
        use_nas_ipaddr => 1,
        timeout => 2
    }
};

And I installed the perl plugins:

./bin/openvpn_authd.pl --list
Allow, AuthStruct, DBI, Deny, File, IMAP, Krb5, LDAP, PAM, POP3, Radius, SASL

My auth_order looks like this:

$auth_order = ["radius"];

I also did steps 8 to 10 from the Readme. But when I try step 11, something goes wrong.

11. Check if everything works...

export common_name="someuser.example.org"
export untrusted_ip="1.2.3.4"
export untrusted_port="3456"
export script_type="auth-user-pass-verify"

Here, the documentation is not clear to me. What are the exports for? The client gives me an error when I use the above values. (Maybe it's stupid to use the above values?)

When I run

./bin/openvpn_authc -v /tmp/sample_auth.txt

I get

Feb 17 17:56:17 ovpn openvpn_authd.pl: WARN: AuthDaemon.pm, line 262, PRINT(): Catched output to STDOUT/STDERR: Use of uninitialized value in concatenation (.) or string at /usr/local/src/openvpn_auth-0.10/lib/Net/OpenVPN/Auth/Radius.pm line 124, <GEN1> line 6.
Feb 17 17:56:17 ovpn openvpn_authd.pl: WARN: AuthDaemon.pm, line 263, PRINT(): This should not happen! Possible couses: Missing perl modules (running in chroot? Define $extra_modules); OR BUG in your validation functions, if you're using AuthStruct module; OR BUG in openvpn_authd.pl/it's libraries.
Feb 17 17:56:22 ovpn openvpn_authd.pl: WARN: AuthDaemon.pm, line 140, __ANON__(): Authentication timed out.

I probably got the settings for the radius wrong, what do you think?

Greetz, Marcus
|