author | Arne Schwabe <arne@rfc2549.org> | 2012-07-21 01:11:36 +0200 |
---|---|---|
committer | Arne Schwabe <arne@rfc2549.org> | 2012-07-21 01:11:36 +0200 |
commit | 23a783836e5765514c85f83a510b9225a43cdfc1 (patch) | |
tree | 89efceeb468bc7c755a6db9f53a63aa993e48068 /openvpn/src/plugins/auth-pam/README.auth-pam | |
parent | 249cbf6d60929332f049468b40f4459167916ed1 (diff) |
Update openvpn to Version 2.3_alpha3
--HG--
rename : openvpn/src/plugins/README => openvpn/doc/README.plugins
rename : openvpn/src/plugins/defer/README => openvpn/sample/sample-plugins/defer/README
rename : openvpn/src/plugins/defer/build => openvpn/sample/sample-plugins/defer/build
rename : openvpn/src/plugins/defer/simple.c => openvpn/sample/sample-plugins/defer/simple.c
rename : openvpn/src/plugins/examples/simple.def => openvpn/sample/sample-plugins/defer/simple.def
rename : openvpn/src/plugins/defer/winbuild => openvpn/sample/sample-plugins/defer/winbuild
rename : openvpn/src/plugins/examples/build => openvpn/sample/sample-plugins/log/build
rename : openvpn/src/plugins/examples/log.c => openvpn/sample/sample-plugins/log/log.c
rename : openvpn/src/plugins/examples/log_v3.c => openvpn/sample/sample-plugins/log/log_v3.c
rename : openvpn/src/plugins/examples/winbuild => openvpn/sample/sample-plugins/log/winbuild
rename : openvpn/src/plugins/examples/README => openvpn/sample/sample-plugins/simple/README
rename : openvpn/src/plugins/examples/build => openvpn/sample/sample-plugins/simple/build
rename : openvpn/src/plugins/examples/simple.c => openvpn/sample/sample-plugins/simple/simple.c
rename : openvpn/src/plugins/examples/simple.def => openvpn/sample/sample-plugins/simple/simple.def
rename : openvpn/src/plugins/examples/winbuild => openvpn/sample/sample-plugins/simple/winbuild
rename : openvpn/src/plugins/auth-pam/README => openvpn/src/plugins/auth-pam/README.auth-pam
rename : openvpn/src/plugins/down-root/README => openvpn/src/plugins/down-root/README.down-root
Diffstat (limited to 'openvpn/src/plugins/auth-pam/README.auth-pam')
-rw-r--r-- | openvpn/src/plugins/auth-pam/README.auth-pam | 74 |
1 files changed, 74 insertions, 0 deletions
diff --git a/openvpn/src/plugins/auth-pam/README.auth-pam b/openvpn/src/plugins/auth-pam/README.auth-pam new file mode 100644 index 00000000..e1236902 --- /dev/null +++ b/openvpn/src/plugins/auth-pam/README.auth-pam 
@@ -0,0 +1,74 @@ +openvpn-auth-pam + +SYNOPSIS + +The openvpn-auth-pam module implements username/password +authentication via PAM, and essentially allows any authentication +method supported by PAM (such as LDAP, RADIUS, or Linux Shadow +passwords) to be used with OpenVPN. While PAM supports +username/password authentication, this can be combined with X509 +certificates to provide two indepedent levels of authentication. + +This module uses a split privilege execution model which will +function even if you drop openvpn daemon privileges using the user, +group, or chroot directives. + +BUILD + +To build openvpn-auth-pam, you will need to have the pam-devel +package installed. + +Build with the "make" command. The module will be named +openvpn-auth-pam.so + +USAGE + +To use this plugin module, add to your OpenVPN config file: + + plugin openvpn-auth-pam.so service-type + +The required service-type parameter corresponds to +the PAM service definition file usually found +in /etc/pam.d. + +This plugin also supports the usage of a list of name/value +pairs to answer PAM module queries. + +For example: + + plugin openvpn-auth-pam.so "login login USERNAME password PASSWORD" + +tells auth-pam to (a) use the "login" PAM module, (b) answer a +"login" query with the username given by the OpenVPN client, and +(c) answer a "password" query with the password given by the +OpenVPN client. This provides flexibility in dealing with the different +types of query strings which different PAM modules might generate. +For example, suppose you were using a PAM module called +"test" which queried for "name" rather than "login": + + plugin openvpn-auth-pam.so "test name USERNAME password PASSWORD" + +While "USERNAME" "COMMONNAME" and "PASSWORD" are special strings which substitute +to client-supplied values, it is also possible to name literal values +to use as PAM module query responses. 
For example, suppose that the +login module queried for a third parameter, "domain" which +is to be answered with the constant value "mydomain.com": + + plugin openvpn-auth-pam.so "login login USERNAME password PASSWORD domain mydomain.com" + +The following OpenVPN directives can also influence +the operation of this plugin: + + client-cert-not-required + username-as-common-name + +Run OpenVPN with --verb 7 or higher to get debugging output from +this plugin, including the list of queries presented by the +underlying PAM module. This is a useful debugging tool to figure +out which queries a given PAM module is making, so that you can +craft the appropriate plugin directive to answer it. + +CAVEATS + +This module will only work on *nix systems which support PAM, +not Windows. |
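Review bot: In the USAGE section of the new README.auth-pam, client-cert-not-required and username-as-common-name are listed as directives that "influence the operation of this plugin" with no statement of what they do. The SYNOPSIS presents PAM combined with X509 certificates as two independent levels of authentication, so the README should say that enabling client-cert-not-required leaves the PAM username/password check as the only client authentication. Two smaller points in the same file: the first example says it uses the "login" PAM module where the preceding text defines that parameter as the service-type naming a file in /etc/pam.d, and COMMONNAME is named as a special string but never described or shown in an example. The SYNOPSIS also has the typo "indepedent".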