Tutorial: Manage the Local Authentication Method from the Command-Line Interface
Use this tutorial to manage local authentication for Access Server from the command-line interface.
Overview
Use this tutorial to find the commands necessary to manage the local authentication method for Access Server.
Access Server stores user and group properties in the /usr/local/openvpn_as/etc/db/userprop.db file for local authentication mode.
Access Server 2.10.1 and newer supports hashed passwords in the user properties database in SHA256, PBKDF2, or SCrypt format. New password hashes are stored as PBKDF2 by default. PBKDF2 is implemented with a 16-byte random salt, a SHA256 hash, a 32-byte derived key length, and 100000 iterations. During Access Server upgrades, stored local user password hashes remain the same. To retain backward compatibility, the older hash formats still work, but when local user passwords are updated, they are replaced with PBKDF2 hashes.
Access Server 2.11.0 and newer introduces optional support for using the OpenSSL SCrypt function to create hashes for local user passwords. It is slightly more secure and efficient than PBKDF2, but it isn't compatible with FIPS mode and isn't available on all platforms, so we didn't enable it by default. You can enable it on the command line with the auth.local.0.prefer_scrypt parameter.
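As an added illustration (not Access Server code, and not the record format used in userprop.db), here is how a local password store built on the PBKDF2 parameters above would hash a new password, verify a login in constant time, and transparently replace a legacy unsalted SHA256 record with a PBKDF2 one on the next update; the pbkdf2$salt$key and sha256$digest record layouts are assumptions of this example.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# PBKDF2 parameters as the tutorial states them: 16-byte random salt,
# SHA256, 32-byte derived key, 100000 iterations.
SALT_LEN = 16
ITERATIONS = 100_000
DKLEN = 32


def hash_password_pbkdf2(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record 'pbkdf2$<salt hex>$<key hex>'.
    The record layout is an assumption for this example only."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                              ITERATIONS, dklen=DKLEN)
    return f"pbkdf2${salt.hex()}${key.hex()}"


def hash_password_legacy_sha256(password: str) -> str:
    """Unsalted SHA256 record standing in for the older hash format."""
    return "sha256$" + hashlib.sha256(password.encode("utf-8")).hexdigest()


def verify_password(record: str, password: str) -> Tuple[bool, bool]:
    """Return (ok, needs_rehash). needs_rehash is True when the record is a
    legacy format that should be replaced with PBKDF2 once the user's
    password is next set. Comparisons are constant-time."""
    scheme, _, rest = record.partition("$")
    pw = password.encode("utf-8")
    if scheme == "pbkdf2":
        salt_hex, _, key_hex = rest.partition("$")
        candidate = hashlib.pbkdf2_hmac("sha256", pw, bytes.fromhex(salt_hex),
                                        ITERATIONS, dklen=DKLEN)
        return hmac.compare_digest(candidate, bytes.fromhex(key_hex)), False
    if scheme == "sha256":
        candidate = hashlib.sha256(pw).hexdigest()
        return hmac.compare_digest(candidate, rest), True
    return False, False  # unknown or corrupt record: never accept it


def rehash_if_needed(record: str, password: str) -> Optional[str]:
    """After a successful login, return the record to store: the same one if
    it is already PBKDF2, a fresh PBKDF2 record if it was legacy, or None
    if the password did not verify."""
    ok, needs_rehash = verify_password(record, password)
    if not ok:
        return None
    return hash_password_pbkdf2(password) if needs_rehash else record
```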
You need root access to your Access Server's console.
Connect directly to your server and run the commands from /usr/local/openvpn_as/scripts/.
Set the default authentication mode to local:
./sacli --key "auth.module.type" --value "local" ConfigPut
./sacli start
Prefer the SCrypt password hashing method (on Access Server 2.11 and newer):
./sacli --key "auth.local.0.prefer_scrypt" --value "true" ConfigPut
./sacli start
Add a new user from scratch:
./sacli --user <USER_NAME> --key "type" --value "user_connect" UserPropPut
Set password for a user in local authentication mode:
./sacli --user <USER_NAME> --new_pass <PASSWORD> SetLocalPassword
Set the authentication mode for the user (on Access Server 2.10 and newer):
./sacli --user <USER> --key "user_auth_type" --value "local" UserPropPut
Remove password for a user in local authentication mode:
./sacli --user <USER_NAME> RemoveLocalPassword
Remove all user properties to delete the user:
./sacli --user <USER_OR_GROUP> UserPropDelAll
For more information, refer to Managing user and group properties from command line.
Important
On Access Server 2.9 and older, the openvpn bootstrap user is an exception to the local authentication process. This user is created during installation and uses PAM for authentication. It also displays with your users in the Admin Web UI. You can alter or disable this user at any time, but the function sacli SetLocalPassword doesn't work for this user. To set a password for the user, see the PAM authentication information below. On Access Server 2.10 and newer, Access Server creates the openvpn user as an administrative user in the local database.