Thursday, January 15, 2009

OpenBSD 4.x, OpenVPN, and Kerberos Authentication

OpenVPN works fairly well with OpenBSD. The one caveat is that OpenBSD does not have PAM support, which makes secondary authentication with a user account more complicated. It is possible to install /usr/ports/net/openvpn_bsdauth to use local user accounts, but what if you want a group certificate with authentication against a Windows Active Directory installation?

Since AD does have Kerberos support, it is possible.

1. Install OpenVPN from ports

2. Install the p5-Authen-Krb5-Simple perl module from ports (/usr/ports/security/p5-Authen-Krb5-Simple)

3. Add a script like the following as /etc/openvpn/krb5-auth.pl:

#!/usr/bin/perl
use strict;
use warnings;
use Authen::Krb5::Simple;

# Change the next variable to 1 to log failed attempts to /tmp/autherror.txt
my $debug = 0;

# With "via-env", OpenVPN hands the credentials to the script in the environment
my $user = $ENV{'username'};
my $pass = $ENV{'password'};
die "username or password not supplied in environment\n"
    unless defined $user && defined $pass;
chomp ($user, $pass);

# The realm must match default_realm in /etc/kerberosV/krb5.conf
# (Authen::Krb5::Simple->new takes realm => '...', not an array reference)
my $krb = Authen::Krb5::Simple->new(realm => 'YOURREALM.LOCAL');

# Authenticate the user: true on success, false on failure.
my $authen = $krb->authenticate($user, $pass);

unless ($authen) {
    my $errmsg = $krb->errstr();
    if ($debug == 1) {
        # Only the username and the Kerberos error are logged, never the password
        if (open(my $log, '>>', '/tmp/autherror.txt')) {
            print $log "User: $user authentication failed: $errmsg\n";
            close $log;
        }
    }
    # A non-zero exit status tells OpenVPN to reject the connection
    die "User: $user authentication failed: $errmsg\n";
}

# Exit status 0 tells OpenVPN the credentials were accepted
exit 0;


Your script can be more complex than this, but this should work.

4. Add the following line to your client config:
auth-user-pass


5. Add the following lines to your server config:
auth-user-pass-verify /etc/openvpn/krb5-auth.pl via-env

6. Create /etc/kerberosV/krb5.conf and add something along the lines of:

[libdefaults]
# Set the realm of this host here
default_realm = YOURREALM.LOCAL

# Maximum allowed time difference between KDC and this host
clockskew = 300

# Uncomment this if you run NAT on the client side of kauth.
# This may be considered a security issue though.
# no-addresses = yes

[realms]
YOURREALM.LOCAL = {
# Specify KDC here
kdc = mydomaincontroller.my.domain.local

# Administration server, used for creating users etc.
# admin_server = kerberos.my.domain
}


7. Test Kerberos:

kinit your_windows_username@YOUR_FQDN_WINDOWS_DOMAIN.IN_ALL_CAPS

If you get no error, run klist and you should see a ticket.

8. Make sure the time is accurate on your OpenBSD server: the KDC rejects requests from a host whose clock differs by more than the clockskew value configured above.
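The following is an added example, not a script from the original post, that puts the steps above together using OpenVPN's "via-file" mode rather than "via-env". In via-file mode OpenVPN writes the username on line 1 and the password on line 2 of a temporary file, passes that path as the script's only argument, and removes the file afterwards, so the password never sits in the environment of the child process. It is wired in with "auth-user-pass-verify /etc/openvpn/krb5-auth-file.pl via-file" in the server config (the file name is an assumption), and OpenVPN 2.1 and later additionally require "script-security 2" before any external script is run ("script-security 3" for the via-env method used above). The realm YOURREALM.LOCAL, the debug flag and the log path are the same placeholders the post uses; the username check and the pluggable authenticator are additions for hardening and testability.

```perl
#!/usr/bin/perl
# krb5-auth-file.pl (hypothetical name): OpenVPN auth-user-pass-verify script
# for "via-file" mode, authenticating against the Kerberos realm of an AD domain.
use strict;
use warnings;
use Authen::Krb5::Simple;

# Realm to authenticate against; must match default_realm in /etc/kerberosV/krb5.conf.
my $REALM = 'YOURREALM.LOCAL';

# Optional failure log, written only when $debug is 1 (the password is never logged).
my $debug   = 0;
my $LOGFILE = '/tmp/autherror.txt';

# Read the two-line credential file OpenVPN hands us in via-file mode.
sub read_credentials {
    my ($path) = @_;
    open(my $fh, '<', $path) or die "cannot open credential file $path: $!\n";
    my $user = <$fh>;
    my $pass = <$fh>;
    close $fh;
    die "credential file is missing a line\n"
        unless defined $user && defined $pass;
    chomp($user, $pass);
    return ($user, $pass);
}

# Accept only a plain account name: letters, digits, '.', '_' and '-'.
# '@' and '/' are rejected because they have meaning in a Kerberos principal
# name (realm and component separators), so a client cannot steer the lookup
# to a different realm or principal by embedding them in the username.
sub username_is_sane {
    my ($user) = @_;
    return 0 unless defined $user;
    return 0 if length($user) == 0 || length($user) > 64;
    return $user =~ /\A[A-Za-z0-9._-]+\z/ ? 1 : 0;
}

# Record a failed attempt when debugging is on.
sub log_failure {
    my ($user, $msg) = @_;
    return unless $debug == 1;
    if (open(my $log, '>>', $LOGFILE)) {
        print $log scalar(localtime), " user=$user failed: $msg\n";
        close $log;
    }
}

# Decide whether to accept the credentials. The Kerberos call is passed in as a
# code reference so the surrounding logic can be exercised without a KDC.
# Returns 1 to accept, 0 to reject.
sub verify {
    my ($user, $pass, $authenticator) = @_;
    unless (username_is_sane($user)) {
        log_failure(defined $user ? $user : '', 'rejected username');
        return 0;
    }
    return $authenticator->($user, $pass) ? 1 : 0;
}

# The real authenticator: obtain a ticket for user@$REALM with the given password.
sub krb5_authenticator {
    my ($user, $pass) = @_;
    my $krb = Authen::Krb5::Simple->new(realm => $REALM);
    return 1 if $krb->authenticate($user, $pass);
    log_failure($user, $krb->errstr());
    return 0;
}

die "usage: $0 <credential-file>\n" unless @ARGV == 1;
my ($user, $pass) = read_credentials($ARGV[0]);

# The exit status is all OpenVPN looks at: 0 accepts the client, anything else rejects it.
exit(verify($user, $pass, \&krb5_authenticator) ? 0 : 1);
```

The username check runs before any network traffic to the KDC, so a malformed or oversized name is refused locally and shows up in the debug log as "rejected username" rather than as a Kerberos error; with $debug left at 0 the script stays silent and OpenVPN's own log records only the accept or reject.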

1 comment:

Anonymous said...

Thanks a lot, it works!