James Yonan wrote this on 17-09-2005 21:45:
On Sat, 17 Sep 2005, Morten Christensen wrote:
I am working on moving password authentication from certificates to
I am just using the openvpn-server's /etc/passwd and /etc/shadow.
I have it working with the line in server.conf:
plugin /usr/lib/openvpn/openvpn-auth-pam.so common-auth
(but not with plugin /usr/lib/openvpn/openvpn-auth-pam.so login).
My problem is to restrict the login-process to only accepting the
common-name of the users certificate. By now it accepts all users on the
Yes -- I think this is possible. You would need to write a "tls-verify"
script which would compare the environmental variables for "username" and
"common_name", returning 0 (success) if they are equal.
This would only allow someone to log in with a username that is equal to
the common name on their cert.
I am understanding very little of these scripts :-(.
I am looking at the verify-cn sample-script. It has this line:
($cn, $depth, $x509) = @ARGV;
is that where the environmental variables are piped into the script? Can
I just change it to
($cn, $username) = @ARGV;
($common_name, $username) = @ARGV; ?
and then compare $cn/$common_name and $username down in the script.
Or is the verify-cn script intended to be called from the ccd-file where
I specify the common_name on the line in each ccd-file like:
tls-verify "./verify-cn my-common-name"
Hope someone can give me a little insight on this.
(What I really would want, is a way to paste the common_name into the
environmental username-variable, so the entered username did not matter).
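The check James describes, written out as an added example (this is not code from the thread, from the verify-cn sample, or from the OpenVPN project). It assumes, as the reply above states, that OpenVPN exports "username" and "common_name" as environment variables when the script runs, and, like the verify-cn sample, that the first argument is the certificate depth. The function name cn_matches_username is made up for this example. Only the client's own certificate (depth 0) is judged; CA certificates higher in the chain are passed through, and an empty value on either side is rejected so that an unset variable can never match another unset variable.

```shell
#!/bin/sh
# Added example (not from the thread or the OpenVPN project): a tls-verify
# style script that accepts a client only when the username it typed equals
# the common name on its certificate.
#
# Assumptions (labelled): OpenVPN exports "username" and "common_name" in the
# environment when this script runs, and calls it as:
#     script <depth> <x509 subject>
# Exit status 0 means accept, anything else means reject.

# cn_matches_username DEPTH USERNAME COMMON_NAME
# Returns 0 when DEPTH is not the leaf certificate (chain certs are not
# judged here), or when USERNAME and COMMON_NAME are both non-empty and
# identical. Returns 1 otherwise.
cn_matches_username() {
    depth=$1
    username=$2
    common_name=$3

    # Only the client's own certificate carries the name being checked;
    # intermediate and root CA certificates (depth > 0) pass through.
    if [ "$depth" != "0" ]; then
        return 0
    fi

    # Refuse empty values: a missing variable must never "match" another
    # missing variable and silently accept the login.
    if [ -z "$username" ] || [ -z "$common_name" ]; then
        return 1
    fi

    # Exact, case-sensitive comparison; the test's status is the result.
    [ "$username" = "$common_name" ]
}

# When invoked by OpenVPN there is at least one argument (the depth).
# With no arguments the file only defines the function, so it can be
# sourced and exercised from another script.
if [ "$#" -ge 1 ]; then
    cn_matches_username "$1" "${username:-}" "${common_name:-}"
    exit $?
fi
```

Configured as `tls-verify /path/to/this-script` in server.conf, a client presenting a certificate with common name "alice" is accepted only if it also logged in as "alice"; every other combination is rejected, and the rejection shows up in the OpenVPN log as a TLS verification failure for that connection.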
Openvpn-users mailing list