
Thursday, January 15, 2009

OpenBSD 4.x, OpenVPN, and Kerberos Authentication

OpenVPN works fairly well with OpenBSD. The one caveat is that OpenBSD has no PAM support, which makes secondary authentication against a user account more complicated. It is possible to install /usr/ports/net/openvpn_bsdauth to use local user accounts, but what if you want a group certificate with authentication against a Windows Active Directory installation?

Since AD supports Kerberos, it is possible.

1. Install OpenVPN from ports

2. Install the p5-Authen-Krb5-Simple perl module from ports (/usr/ports/security/p5-Authen-Krb5-Simple)

3. Add a script like the following as /etc/openvpn/krb5-auth.pl:

#!/usr/bin/perl
use strict;
use warnings;
use Authen::Krb5::Simple;

# change the next variable to 1 to log errors to /tmp/autherror.txt
my $debug = 0;

# With "auth-user-pass-verify ... via-env" OpenVPN hands the client's
# credentials to this script in the environment variables below.
my $user = $ENV{'username'} || '';
my $pass = $ENV{'password'} || '';
chomp ($user, $pass);

# new() takes a key/value list, not an array reference
my $krb = Authen::Krb5::Simple->new(realm => 'YOURREALM.LOCAL');

# Authenticate the user against the KDC configured for the realm in krb5.conf.
my $authen = $krb->authenticate($user, $pass);

unless ($authen) {
    my $errmsg = $krb->errstr();
    if ($debug == 1) {
        # append, so earlier failures are not overwritten
        if (open my $log, '>>', '/tmp/autherror.txt') {
            print $log "User: $user authentication failed: $errmsg\n";
            close $log;
        }
    }
    # a non-zero exit status makes OpenVPN reject the client
    die "User: $user authentication failed: $errmsg\n";
}

# exit status 0 tells OpenVPN to accept the client
exit 0;


Your script can be more complex than this, but this should work.

4. Add the following line to your client config:
auth-user-pass


5. Add the following line to your server config:
auth-user-pass-verify /etc/openvpn/krb5-auth.pl via-env

6. Create /etc/kerberosV/krb5.conf and add something along the lines of:

[libdefaults]
# Set the realm of this host here
default_realm = YOURREALM.LOCAL

# Maximum allowed time difference between KDC and this host
clockskew = 300

# Uncomment this if you run NAT on the client side of kauth.
# This may be considered a security issue though.
# no-addresses = yes

[realms]
YOURREALM.LOCAL = {
# Specify KDC here
kdc = mydomaincontroller.my.domain.local

# Administration server, used for creating users etc.
# admin_server = kerberos.my.domain
}


7. Test Kerberos:

kinit your_windows_username@YOUR_FQDN_WINDOWS_DOMAIN.IN_ALL_CAPS

If you get no error, run klist and you should see a ticket.

8. Make sure the time is accurate on your OpenBSD server: Kerberos rejects authentication when this host and the KDC differ by more than the clockskew set above (300 seconds).
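The verify script from step 3 can be exercised by hand, the same way OpenVPN calls it with via-env in step 5, before the server is restarted. The following is an added example, not code from the original post: the script path is an assumption, and the test credentials are constructed.

```sh
#!/bin/sh
# Added example, not part of the original post: exercise an
# auth-user-pass-verify script the way OpenVPN does with "via-env".
# OpenVPN places the client's credentials in the environment variables
# username and password and decides on the exit status alone:
# 0 accepts the client, anything else rejects it. Running the check
# by hand shows whether the Kerberos lookup works and, just as
# important, whether the script fails closed when credentials are missing.
# The script path below is an assumption; on the server it would be
# /etc/openvpn/krb5-auth.pl.

# run_verify SCRIPT USER PASS
# Prints "accept" or "reject"; the return value is the script's exit status.
run_verify() {
    script=$1
    user=$2
    pass=$3
    # env -i starts from an empty environment so nothing from this shell
    # leaks into the script; only the two variables OpenVPN would set are passed.
    if env -i PATH=/bin:/usr/bin:/usr/local/bin \
        username="$user" password="$pass" "$script" >/dev/null 2>&1; then
        echo accept
        return 0
    else
        status=$?
        echo reject
        return "$status"
    fi
}

# fails_closed SCRIPT
# Returns 0 when the script rejects a call with no credentials at all;
# a script that answers "accept" here must not be wired into the server.
fails_closed() {
    script=$1
    if env -i PATH=/bin:/usr/bin:/usr/local/bin "$script" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Run the checks for real only when the script is installed on this host
# (assumed path; the credentials are placeholders to replace).
if [ -x /etc/openvpn/krb5-auth.pl ]; then
    fails_closed /etc/openvpn/krb5-auth.pl && echo "empty credentials rejected"
    run_verify /etc/openvpn/krb5-auth.pl 'your_windows_username' 'your_password'
fi
```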