
Re: [Openvpn-users] Multiple authenticate method

  • Subject: Re: [Openvpn-users] Multiple authenticate method
  • From: Jan Just Keijser <janjust@xxxxxxxxx>
  • Date: Wed, 19 Dec 2007 12:08:03 +0100

If you know which certificates require a password and which don't, then 
the answer is yes.
Use an 'auth-user-pass-verify' script on the server side to first verify 
the certificate DN (if you set --username-as-common-name as well, then 
you will know the certificate common name inside the verify script). 
If it's a certificate for which you know that a password was entered, 
then use PAM to verify the username/password.
If you know the certificate did not include a password, then have the 
script return '0' to allow access.

Note that there is no way of automaGically determining if the user typed 
in a certificate password or not - that's outside the openssl handshake 
and thus not known to the OpenVPN server.

Pol Hallen wrote:
> Hi all :-)
> I'm using openvpn 2.0.9 on Debian stable.
> In my server config I've:
> [...]
> plugin /usr/lib/openvpn/openvpn-auth-pam.so login
> [...]
> so clients can connect with a (real) username/password via the Linux PAM 
> modules, and then enter the certificate password. That's ok :-)
> I'd like some clients (those that don't have a certificate password, i.e. 
> without password authentication) to be able to connect to the VPN without 
> entering any username/password :-)
> Recap: clients with a certificate password must also connect with 
> username/password; clients without a certificate password can connect without 
> username/password.
> Is this possible?
> Thanks!
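The following is an added example, not code from the thread or from the OpenVPN project, showing the kind of auth-user-pass-verify script Jan describes: it reads the certificate common name that OpenVPN exports to the script as the common_name environment variable, lets the listed common names through without a password check, and hands every other login to PAM. The list of common names (NO_PAM_CNS), the PAM service name "openvpn" and the use of pamtester(1) as the PAM front end are assumptions for the example; the script also accepts both the via-env and via-file calling conventions of auth-user-pass-verify.

```shell
#!/bin/sh
# Added example for the thread above (not the project's own code).
# Server-side auth-user-pass-verify script, used as either
#   auth-user-pass-verify /etc/openvpn/verify.sh via-env
#   auth-user-pass-verify /etc/openvpn/verify.sh via-file
# OpenVPN sets common_name in the environment for this script; with via-env
# it also sets username and password, with via-file it passes a temp file
# (username on line 1, password on line 2) as $1.  Exit 0 allows the
# connection, any other status denies it.

# Constructed list (assumption): common names of certificates that, per the
# admin's own knowledge, need no extra PAM login.  The server cannot detect
# this by itself, so this list is the only thing that grants the bypass;
# keep it short and under change control.
NO_PAM_CNS="laptop-alice printer-gw"

# Hypothetical PAM checker: feeds the password to pamtester(1) for the
# assumed PAM service "openvpn".  Swap in your own PAM front end if needed.
pam_verify() {
    # $1 = username, $2 = password
    printf '%s\n' "$2" | pamtester openvpn "$1" authenticate >/dev/null 2>&1
}

# Returns 0 when the common name is on the no-PAM list, 1 otherwise.
# Uses its own loop variable so it never clobbers the caller's.
cn_skips_pam() {
    for entry in $NO_PAM_CNS; do
        [ "$entry" = "$1" ] && return 0
    done
    return 1
}

# Name of the function used to check credentials; overridable so the
# decision logic can be exercised without a real PAM stack.
PAM_VERIFY=${PAM_VERIFY:-pam_verify}

# Core decision.  $1 = certificate common name, $2 = username, $3 = password.
decide_access() {
    cn=$1
    user=$2
    pass=$3
    # No certificate common name at all: deny (defensive default).
    [ -n "$cn" ] || return 1
    # Certificates the admin has listed as needing no password: allow.
    if cn_skips_pam "$cn"; then
        return 0
    fi
    # Everyone else must present a PAM login.  Design choice for this
    # example: the PAM username must equal the certificate CN so that the
    # identity used for authorization is the one the certificate asserts.
    [ "$user" = "$cn" ] || return 1
    [ -n "$pass" ] || return 1
    "$PAM_VERIFY" "$user" "$pass"
}

# Entry point when OpenVPN invokes the script (skipped when common_name is
# unset, e.g. when the file is sourced for testing).
if [ -n "${common_name:-}" ]; then
    if [ -n "${1:-}" ] && [ -f "$1" ]; then
        # via-file mode: credentials come from the temp file, not the env.
        username=$(sed -n 1p "$1")
        password=$(sed -n 2p "$1")
    fi
    decide_access "$common_name" "${username:-}" "${password:-}"
    exit $?
fi
```

Because the script itself decides when PAM is consulted, it replaces the openvpn-auth-pam.so plugin line from the quoted config rather than sitting beside it (the plugin would still demand a password from every client). With via-env the password is visible in the script's environment, so via-file is the safer of the two calling conventions when the script runs on a shared host.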

Openvpn-users mailing list