Re: [Openvpn-users] Force common-name in auth-pam authentication

  • From: Morten Christensen <mc-openvpn@xxxxx>
  • Date: Mon, 19 Sep 2005 15:14:05 +0200

James Yonan wrote this on 17-09-2005 21:45:

On Sat, 17 Sep 2005, Morten Christensen wrote:

I am working on moving password authentication from certificates to the openvpn-server.

I am just using the openvpn-server's /etc/passwd and /etc/shadow.

I have it working with this line in server.conf:
plugin /usr/lib/openvpn/openvpn-auth-pam.so common-auth
(but not with plugin /usr/lib/openvpn/openvpn-auth-pam.so login).

My problem is to restrict the login process to only accepting the common name of the user's certificate. By now it accepts all users on the box.

Yes -- I think this is possible. You would need to write a "tls-verify" script which would compare the environment variables for "username" and "common_name", returning 0 (success) if they are equal.

This would only allow someone to log in with a username that is equal to the common name on their cert.

I am understanding very little of these scripts :-(.

I am looking at the verify-cn sample-script. It has this line:
($cn, $depth, $x509) = @ARGV;
Is that where the environment variables are piped into the script? Can I just change it to
($cn, $username) = @ARGV;
or to
($common_name, $username) = @ARGV; ?

and then compare $cn/$common_name and $username down in the script.

Or is the verify-cn script intended to be called from the ccd file, where I specify the common_name on the line in each ccd file like:
tls-verify "./verify-cn my-common-name"

Hope someone can give me a little insight on this.

(What I really would want is a way to paste the common_name into the environment variable "username", so the entered username did not matter).

Morten Christensen
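The check James describes, written out as an added example (this is not code from the thread, from the OpenVPN sample scripts, or from the project). One point the question about @ARGV turns on: OpenVPN hands "common_name" and "username" to a script as environment variables, not as command-line arguments, so the script reads them with os.environ rather than from @ARGV or sys.argv. The script assumes both variables are exported at the point it is invoked; the file name cn-match.py and the config line in the note below are illustrative.

```python
#!/usr/bin/env python3
"""Added example: accept a login only when the username equals the cert CN.

OpenVPN exports the X.509 common name of the client certificate as the
environment variable "common_name" and the username the client typed as
"username".  This script assumes both are present when it runs.
Exit status 0 tells OpenVPN to accept the login, 1 to reject it.
"""
import os
import sys


def cn_matches_username(common_name, username):
    """Return True only when both values are present and exactly equal.

    The comparison is deliberately strict: no case folding and no whitespace
    trimming, so a certificate issued to "alice" cannot authorise a login as
    "Alice" or "alice ", and a missing variable can never look like a match.
    """
    if not common_name or not username:
        return False
    return common_name == username


def verify_from_env(env):
    """Run the check against an environment mapping and return the exit status."""
    cn = env.get("common_name", "")
    user = env.get("username", "")
    if cn_matches_username(cn, user):
        return 0
    # Log the mismatch on stderr, which OpenVPN forwards to its own log.
    sys.stderr.write(
        "rejecting login: username %r does not match certificate CN %r\n"
        % (user, cn)
    )
    return 1


if __name__ == "__main__":
    sys.exit(verify_from_env(os.environ))
```

To wire it in, a server.conf line such as `auth-user-pass-verify /etc/openvpn/cn-match.py via-env` is the documented way to get "username" into the script's environment (the `via-env` method); whether that hook is also the right one for a given OpenVPN version alongside the PAM plugin is not something this thread settles, so treat the config line as an assumption to check against the man page of the version in use.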

