
openvpn-otp's Issues

HOTP counter issue

Hello,
I'm trying to make this work with Google Authenticator and the HOTP type, and it looks like the counter written to /var/spool/openvpn/hotp-counters/* is calculated incorrectly: on every authentication attempt the counter is decremented (-1) instead of being incremented (+1). Could you please check this?

Thank you!

Optional PIN

I would like to vote to make the PIN optional. I use OTP daily with Google, AWS, etc. and none of them require a separate PIN. It's not a huge deal, but it would be great if the PIN could be optional.

OTP-AUTH: authentication failed for username 'xxxxxxx', remote 10.0.19.23:47776

10.0.19.23:47776 PLUGIN_CALL: POST /usr/local/lib/openvpn-auth-ldap.so/PLUGIN_AUTH_USER_PASS_VERIFY status=0
OTP-AUTH: authentication failed for username 'zhaowei', remote 10.0.19.23:47776
10.0.19.23:47776 PLUGIN_CALL: POST /usr/lib64/openvpn/plugins/openvpn-otp.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
10.0.19.23:47776 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/lib64/openvpn/plugins/openvpn-otp.so
10.0.19.23:47776 TLS Auth Error: Auth Username/Password verification failed for peer
10.0.19.23:47776 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384
10.0.19.23:47776 Peer Connection Initiated with [AF_INET]10.0.19.23:47776
10.0.19.23:47776 PUSH: Received control message: 'PUSH_REQUEST'
10.0.19.23:47776 Delayed exit in 5 seconds
10.0.19.23:47776 SENT CONTROL [UNDEF]: 'AUTH_FAILED' (status=1)
10.0.19.23:47776 Connection reset, restarting [0]
10.0.19.23:47776 SIGUSR1[soft,connection-reset] received, client-instance restarting
TCP connection established with [AF_INET]10.0.19.23:47810
10.0.19.23:47810 TLS: Initial packet from [AF_INET]10.0.19.23:47810, sid=6b61e65e f000465b

Support for SHA2

Hi,

SHA1 is being deprecated in most places. Are there plans to support SHA2?

Thanks!

LDAP Integration

Hi,
Not reporting a bug - more of a support request.
I have OpenVPN set up with LDAP authentication and now openvpn-otp - but I can only use one at a time.

plugin /usr/lib/openvpn/openvpn-otp.so "debug=1"
plugin /usr/lib/openvpn/openvpn-auth-ldap.so "/etc/openvpn/auth/ldap.conf"

Rather than having the PIN/password listed in the otp-secrets file, I would rather they entered their LDAP password with their OTP token. Or enter their LDAP username and password first and then be prompted for the OTP. I can't see a way to do this, so I would appreciate any feedback/discussion. Cheers,
jonny

Yubikey support?

Hi, this work looks great! I'm looking to set up OpenVPN with both LDAP and Yubikey support (and optionally Google Auth). This plugin looks almost close enough for my needs. Is it possible to use with a Yubikey directly, or would more development be necessary? If work is needed, would it be easier to execute an external script (which I already have working) with the username + OTP to return valid or not?

Plaintext PIN/password

It's a bit disappointing to see plaintext password storage in 2021, e.g.:

alice otp totp:sha1:base32:46HV5FIYE33TKWYP:5uP3rH4x0r:xxx *

It should be relatively simple to shim in crypt-compatible hashing, e.g.:

alice otp totp:sha1:base32:46HV5FIYE33TKWYP:$2y$10$HM6II7ESXVFq1XaylSa1R.8rNEhhlY4r74tRNFxIzWt94wyjJlDFW:xxx *

Docker build

To ease building the package for each distribution, below is a sample Docker debian:latest compilation workflow. It can be extended to other systems. Tested with Debian (buster) and Ubuntu (focal).

$ git clone https://github.com/evgeny-gridasov/openvpn-otp
Debian:
$ docker run -v $(pwd)/openvpn-otp:/openvpn-otp -it debian bash
Ubuntu:
$ docker run -v $(pwd)/openvpn-otp:/openvpn-otp -it ubuntu bash
# apt update
# apt upgrade
# apt install openvpn autoconf automake libtool libssl-dev make
# cd /openvpn-otp
# ./autogen.sh
# ./configure --prefix=/usr --disable-dependency-tracking
# make install
# ls src/.libs/openvpn-otp.*
src/.libs/openvpn-otp.la  src/.libs/openvpn-otp.lai  src/.libs/openvpn-otp.so
$ mkdir -p /usr/lib/openvpn/
$ cp src/.libs/openvpn-otp.* /usr/lib/openvpn/

Bind OTP to a certificate and/or a keys for a specific client

So I am no expert on OpenVPN; I just followed this nice tutorial to set up my VPN https://www.digitalocean.com/community/tutorials/how-to-set-up-an-openvpn-server-on-ubuntu-14-04 and then added OTP support via your plugin. Everything works great. However, I have noticed one issue. I would like to use an OTP only on a certain key or certificate for a given client; currently the configuration in otp-secrets is kind of global and can unlock every key and certificate for a given client. Here is an example of what I mean:

Let's say we want to have 2 users on our VPN called, of course, Alice and Bob. So we generate a certificate for each of them and we distribute alice.crt and alice.key to Alice and give bob.crt and bob.key to Bob. Then we create an OTP entry for Bob and Alice in otp-secrets and they can log in with their TOTPs using Google Authenticator. Great. However, if for some reason Alice gets hold of bob.crt and bob.key she can still use her TOTP, and not Bob's one, to authenticate. So IMHO this is an issue and the TOTP secret in the otp-secrets file should only be bound to a certificate and a key. Or at least we should be able to specify for which user in otp-secrets which certificates are available.

Client compatibility

This looks really interesting!
Before I upgrade my server though, I would like to know:
Does each client have to support this login method specifically or is it delivered through a generic password prompt?
I access my server via the openvpn android app a lot so this would need to be compatible for me.
Thanks for clarifying!

SELinux policy for CentOS7

Below is the SELinux policy I had to implement for CentOS7 which differs from what is found within the README. I was running the targeted policy.

allow openvpn_t pppd_etc_t:dir search;
allow openvpn_t pppd_etc_t:file { read getattr open };

Below also works.

$ yum install policycoreutils-python \
    selinux-policy-devel
$ cat - <<EOF > openvpn_otp.te
module openvpn_otp 1.0;

require {
        type openvpn_t;
        type pppd_etc_t;
        class dir { search getattr open };
        class file { ioctl lock read getattr open };
}

#============= openvpn_t ==============
read_files_pattern(openvpn_t, pppd_etc_t, pppd_etc_t)
EOF
$ make -f /usr/share/selinux/devel/Makefile openvpn_otp.pp
$ semodule --install openvpn_otp.pp 

Compatible with user key files

I managed to install this plugin on my server, but now I cannot log in while it is enabled. Could it be that OTP does not work alongside user key files?

Or maybe I am doing something wrong with the google auth key.
I understand from the readme, that in the /etc/ppp/otp-secrets file the key needs to be put in base32 format.
What about in the google auth app? base32 or plain?
Also, does the key need to have a specific length?

Scratch codes

Hello,

Is there a way to support scratch codes generated by google authenticator?

tls-auth with otp

Is it possible to use the openvpn-otp plugin with certificate-based auth (tls-auth)?

openssl-1.1.0 not supported

/tmp/cc6coz4M.o: In function `main':
/*/xxx/openvpn-otp/conftest.c:34: undefined reference to `HMAC_CTX_init'
collect2: error: ld returned 1 exit status
configure:16580: $? = 1

HMAC_CTX_init() was replaced with HMAC_CTX_reset() in OpenSSL version 1.1.0.

Rejects passwords

Hello,

I'm trying to set this up on pfSense. I managed to get it compiled and loaded, but all I'm ever getting are failed authentications. Is there some way to increase log verbosity so I can see what's going on? It would be very useful if this plugin could log (temporarily) what passwords it expects and which ones it receives.

Thanks!

disable OTP for a given user

It would be nice to disable OTP for a given user.

For example in otp-secrets:
myuser otp disabled *

Thank you.

'reneg-sec 0' is not a good idea, and is not necessary in OpenVPN >= 2.4

Setting your tunnel to never renegotiate is a security problem for long-running tunnels, and OpenVPN added the auth-gen-token config parameter specifically for cases like OTP authentication. In short, after authentication OpenVPN will generate a token to be used for renegotiation in place of re-sending the username and password.

Please add a mention of auth-gen-token for OpenVPN >= 2.4 in the README.

Add option to skip token auth and rely on cert auth for specific users?

Hello!

First of all, thanks for the plugin and all the work you're putting into it. It's much appreciated.

With that being said, I'd like to ask if it would be possible for you to add an option (e.g. in the otp_secrets file) that would allow me to tell the plugin that this particular user doesn't require token auth. The thing is, I have a bunch of different devices connecting to my server. Some of them are other servers and there's no way for me to enter OTPs when they connect to the VPN. OTOH, I have devices like my phone that would greatly benefit from OTPs.

In any case, thanks again for the plugin and have a nice day :).

Various `HMAC_*` functions are deprecated since OpenSSL 3.0

Compiling openvpn-otp against OpenSSL 3.0 results in various deprecation warnings:

otp.c: In function 'otp_verify':
otp.c:415:13: warning: 'HMAC_CTX_new' is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
  415 |             HMAC_CTX* hmac = HMAC_CTX_new();
      |             ^~~~~~~~
In file included from otp.c:22:
/usr/include/openssl/hmac.h:33:33: note: declared here
   33 | OSSL_DEPRECATEDIN_3_0 HMAC_CTX *HMAC_CTX_new(void);
      |                                 ^~~~~~~~~~~~
otp.c:440:17: warning: 'HMAC_CTX_reset' is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
  440 |                 HMAC_CTX_reset(hmac);
      |                 ^~~~~~~~~~~~~~
/usr/include/openssl/hmac.h:34:27: note: declared here
   34 | OSSL_DEPRECATEDIN_3_0 int HMAC_CTX_reset(HMAC_CTX *ctx);
      |                           ^~~~~~~~~~~~~~
otp.c:441:17: warning: 'HMAC_Init_ex' is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
  441 |                 HMAC_Init_ex(hmac, otp_key, key_len, otp_digest, NULL);
      |                 ^~~~~~~~~~~~
/usr/include/openssl/hmac.h:43:27: note: declared here
   43 | OSSL_DEPRECATEDIN_3_0 int HMAC_Init_ex(HMAC_CTX *ctx, const void *key, int len,
      |                           ^~~~~~~~~~~~
otp.c:442:17: warning: 'HMAC_Update' is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
  442 |                 HMAC_Update(hmac, (uint8_t *)&Tn, sizeof(Tn));
      |                 ^~~~~~~~~~~
/usr/include/openssl/hmac.h:45:27: note: declared here
   45 | OSSL_DEPRECATEDIN_3_0 int HMAC_Update(HMAC_CTX *ctx, const unsigned char *data,
      |                           ^~~~~~~~~~~
otp.c:443:17: warning: 'HMAC_Final' is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
  443 |                 HMAC_Final(hmac, mac, &maclen);
      |                 ^~~~~~~~~~
/usr/include/openssl/hmac.h:47:27: note: declared here
   47 | OSSL_DEPRECATEDIN_3_0 int HMAC_Final(HMAC_CTX *ctx, unsigned char *md,
      |                           ^~~~~~~~~~
otp.c:466:13: warning: 'HMAC_CTX_free' is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
  466 |             HMAC_CTX_free(hmac);
      |             ^~~~~~~~~~~~~
/usr/include/openssl/hmac.h:35:28: note: declared here
   35 | OSSL_DEPRECATEDIN_3_0 void HMAC_CTX_free(HMAC_CTX *ctx);
      |                            ^~~~~~~~~~~~~
otp.c:471:13: warning: 'HMAC_CTX_new' is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
  471 |             HMAC_CTX* hmac = HMAC_CTX_new();
      |             ^~~~~~~~
/usr/include/openssl/hmac.h:33:33: note: declared here
   33 | OSSL_DEPRECATEDIN_3_0 HMAC_CTX *HMAC_CTX_new(void);
      |                                 ^~~~~~~~~~~~
otp.c:493:19: warning: 'HMAC_CTX_reset' is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
  493 |                   HMAC_CTX_reset(hmac);
      |                   ^~~~~~~~~~~~~~
/usr/include/openssl/hmac.h:34:27: note: declared here
   34 | OSSL_DEPRECATEDIN_3_0 int HMAC_CTX_reset(HMAC_CTX *ctx);
      |                           ^~~~~~~~~~~~~~
otp.c:494:19: warning: 'HMAC_Init_ex' is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
  494 |                   HMAC_Init_ex(hmac, otp_key, key_len, otp_digest, NULL);
      |                   ^~~~~~~~~~~~
/usr/include/openssl/hmac.h:43:27: note: declared here
   43 | OSSL_DEPRECATEDIN_3_0 int HMAC_Init_ex(HMAC_CTX *ctx, const void *key, int len,
      |                           ^~~~~~~~~~~~
otp.c:495:19: warning: 'HMAC_Update' is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
  495 |                   HMAC_Update(hmac, (uint8_t *)&Tn, sizeof(Tn));
      |                   ^~~~~~~~~~~
/usr/include/openssl/hmac.h:45:27: note: declared here
   45 | OSSL_DEPRECATEDIN_3_0 int HMAC_Update(HMAC_CTX *ctx, const unsigned char *data,
      |                           ^~~~~~~~~~~
otp.c:496:19: warning: 'HMAC_Final' is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
  496 |                   HMAC_Final(hmac, mac, &maclen);
      |                   ^~~~~~~~~~
/usr/include/openssl/hmac.h:47:27: note: declared here
   47 | OSSL_DEPRECATEDIN_3_0 int HMAC_Final(HMAC_CTX *ctx, unsigned char *md,
      |                           ^~~~~~~~~~
otp.c:521:13: warning: 'HMAC_CTX_free' is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
  521 |             HMAC_CTX_free(hmac);
      |             ^~~~~~~~~~~~~
/usr/include/openssl/hmac.h:35:28: note: declared here
   35 | OSSL_DEPRECATEDIN_3_0 void HMAC_CTX_free(HMAC_CTX *ctx);
      |                            ^~~~~~~~~~~~~

Extended Setup Process for the Google Authenticator Package

Have modified an existing OpenVPN install and followed the install process for openvpn-otp.

How do I generate values for the otp-secrets "key" (token?), and how do I link it to Google Authenticator on my phone?

Would like to use "sha1/base32 for Google Authenticator with a simple pin".
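The pieces these issues ask about (the HOTP counter that must only move forward, sha1 versus SHA2 digests, the base32 secret shared with Google Authenticator, and a PIN typed in front of the code) in one standard-library Python example. This is added here and is not openvpn-otp's own code: the otp-secrets field layout and the PIN-then-code password layout are assumed from the lines quoted in the issues, and the digest handling generalizes to sha256/sha512 as well as sha1.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

DIGITS = 6   # Google Authenticator default code length
STEP = 30    # TOTP time step in seconds

def parse_secret_line(line):
    """Parse 'user otp <type>:<digest>:<encoding>:<secret>:<pin>:<unused> *' (layout assumed from the issues)."""
    user, _otp, spec, _mask = line.split()
    otp_type, digest, encoding, secret, pin, _unused = spec.split(":")
    if encoding != "base32":
        raise ValueError("this example only handles base32 secrets")
    # Google Authenticator is given the same base32 string; pad it here for decoding.
    key = base64.b32decode(secret.upper() + "=" * (-len(secret) % 8))
    return {"user": user, "type": otp_type, "digest": digest,
            "secret": secret, "key": key, "pin": pin}

def hotp(key, counter, digest="sha1", digits=DIGITS):
    """RFC 4226: HMAC over the 8-byte big-endian counter, then dynamic truncation.
    digest may be sha1, sha256 or sha512 (the SHA2 request above)."""
    mac = hmac.new(key, counter.to_bytes(8, "big"), getattr(hashlib, digest)).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"

def totp(key, now, digest="sha1", step=STEP, digits=DIGITS):
    """RFC 6238: HOTP with the counter set to floor(unix_time / step)."""
    return hotp(key, int(now) // step, digest, digits)

def split_password(password, digits=DIGITS):
    """Assumed client input layout: PIN immediately followed by the code."""
    if len(password) <= digits or not password[-digits:].isdigit():
        return None, None
    return password[:-digits], password[-digits:]

def verify_totp(entry, password, now, window=1):
    """Accept the current step and +/- `window` steps of clock drift."""
    pin, code = split_password(password)
    if pin is None or not hmac.compare_digest(pin, entry["pin"]):
        return False
    t = int(now) // STEP
    return any(hmac.compare_digest(hotp(entry["key"], t + d, entry["digest"]), code)
               for d in range(-window, window + 1))

def verify_hotp(entry, password, stored_counter, look_ahead=3):
    """Return the counter to store next, or None. Only counters >= the stored one are
    tried and matched+1 is stored, so the counter only moves forward (no replay)."""
    pin, code = split_password(password)
    if pin is None or not hmac.compare_digest(pin, entry["pin"]):
        return None
    for c in range(stored_counter, stored_counter + look_ahead + 1):
        if hmac.compare_digest(hotp(entry["key"], c, entry["digest"]), code):
            return c + 1
    return None

def otpauth_uri(entry, issuer="OpenVPN"):
    """Key URI that Google Authenticator imports when rendered as a QR code."""
    kind = "hotp" if entry["type"] == "hotp" else "totp"
    label = quote(f"{issuer}:{entry['user']}")
    uri = (f"otpauth://{kind}/{label}?secret={entry['secret']}&issuer={quote(issuer)}"
           f"&algorithm={entry['digest'].upper()}&digits={DIGITS}")
    return uri + (f"&period={STEP}" if kind == "totp" else "&counter=0")
```

With the RFC 4226/6238 test secret "12345678901234567890" (base32 GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ), totp(key, 59) yields 287082, so a client with PIN 1234 types 1234287082.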

./configure fails on centos7 with 'OpenVPN headers missing'

The openvpn RPM shipped with EPEL for CentOS7 places openvpn-plugin.h in /usr/include.

# ./configure --prefix=/usr
...
checking openvpn/openvpn-plugin.h usability... no
checking openvpn/openvpn-plugin.h presence... no
checking for openvpn/openvpn-plugin.h... no
configure: error: OpenVPN headers missing

Quick fix

# rpm -ql openvpn |grep openvpn-plugin.h
/usr/include/openvpn-plugin.h
# mkdir /usr/include/openvpn
# ln -sf /usr/include/openvpn-plugin.h /usr/include/openvpn/

Should something like this be mentioned within the README?

Segmentation fault

Hi,

I tried your code on Debian 8.3 and compiled 1864afd as follows:
./autogen.sh
./configure --prefix=/usr
make
sudo make install

I have used the following libraries:

  • libssl-dev:amd64 1.0.1k-3+deb8u2
  • libtool 2.4.2-1.11
  • openvpn 2.3.4-5+deb8u1

When starting openvpn it terminates with a segmentation fault:

# openvpn /etc/openvpn/default/local.conf
...
Fri Feb  5 20:16:12 2016 us=916315 OpenVPN 2.3.4 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Dec  1 2014
Fri Feb  5 20:16:12 2016 us=916357 library versions: OpenSSL 1.0.1k 8 Jan 2015, LZO 2.08 OTP-AUTH: otp_secrets=/etc/openvpn/default/otp-secrets
Segmentation fault

Openvpn has the following configuration:

plugin /usr/lib/openvpn/openvpn-otp.so otp_secrets=/etc/openvpn/otp-secrets

The otp-secrets file has:

ls -l /etc/openvpn/otp-secrets
-rwxrwxrwx 1 root root 54 Feb  5 20:29 /etc/openvpn/otp-secrets
cat /etc/openvpn/otp-secrets 
bob otp totp:sha1:base32:K7BYLIU5D2V33X6S:1234:xxx *

Any idea what's wrong here?

Thanks
Stefan

openvpn-otp doesn't work on Debian stretch

Good day. I receive this error after running the OpenVPN server with the openvpn-otp plugin:

/usr/sbin/openvpn --daemon ovpn-server --status /run/openvpn/server.status 10 --reneg-sec 86400  --cd /etc/openvpn --config /etc/openvpn/server.conf

/var/log/openvpn/openvpn-server.log <==
Mon Aug 17 15:15:18 2020 PLUGIN_INIT: could not load plugin shared object /usr/lib/openvpn/openvpn-otp.so: /usr/lib/openvpn/openvpn-otp.so: undefined symbol: EVP_MD_CTX_free: No such file or directory (errno=2)
Mon Aug 17 15:15:18 2020 Exiting due to fatal error

Server config:

/etc/openvpn/server.conf:
...
plugin "/usr/lib/openvpn/openvpn-otp.so" otp_secrets=/etc/openvpn/otp_secrets

OS version: Debian GNU/Linux 9.12 (stretch)
openvpn-otp was built as a Debian package.

dpkg -l | grep openvp
ii  openvpn                       2.4.8-stretch0                    amd64        virtual private network daemon
ii  openvpn-otp                   1.0-1~stretch                     amd64        This plug-in adds support for time based OTP (totp) and HMAC

dpkg -L openvpn-otp
/usr/lib/openvpn/openvpn-otp.la
/usr/lib/openvpn/openvpn-otp.so
dpkg -l | grep ssl
ii  libssl-dev:amd64              1.1.0l-1~deb9u1                   amd64        Secure Sockets Layer toolkit - development files
ii  libssl-doc                    1.1.0l-1~deb9u1                   all          Secure Sockets Layer toolkit - development documentation
ii  libssl1.0.2:amd64             1.0.2u-1~deb9u1                   amd64        Secure Sockets Layer toolkit - shared libraries
ii  libssl1.1:amd64               1.1.0l-1~deb9u1                   amd64        Secure Sockets Layer toolkit - shared libraries
ii  openssl                       1.1.0l-1~deb9u1                   amd64        Secure Sockets Layer toolkit - cryptographic utility


openssl version
OpenSSL 1.1.0l  10 Sep 2019

ldd /usr/lib/openvpn/openvpn-otp.so
	linux-vdso.so.1 (0x00007ffff62bd000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f8afdbd3000)
	/lib64/ld-linux-x86-64.so.2 (0x00007f8afe17b000)

I saw an old issue with a comment (#29 (comment)), but I tried installing different versions of the OpenVPN server (2.4.9, 2.4.8, 2.4.7, using the repo from openvpn) and the error is the same.
I suspect the trouble is with OpenSSL, but I don't know how to fix that.
