New policy : login+certs+otp (forced) (#58)

Create a new policy certificate-otp NethServer/dev#6112
NethServer · Apr 10, 2020 · 5237938 · 5237938
1 parent 1bd364e
commit 5237938
Show file tree

Hide file tree

Showing 4 changed files with 15 additions and 3 deletions.
diff --git a/nethserver-openvpn.spec b/nethserver-openvpn.spec
@@ -10,6 +10,7 @@ BuildArch: noarch
 Requires: openvpn, bridge-utils
 Requires: nethserver-firewall-base
 Requires: nethserver-vpn-ui
+Requires: pam_oath
 
 BuildRequires: perl
 BuildRequires: nethserver-devtools 
@@ -215,5 +216,3 @@ echo "%doc COPYING" >> %{name}-%{version}-filelist
 - VPN: add support for OpenVPN net2net - Feature #1958 [NethServer]
 - VPN: support for OpenVPN roadwarrior - Feature #1956 [NethServer]
 - VPN - Feature #1763 [NethServer]
-
-
diff --git a/root/etc/e-smith/templates/etc/openvpn/host-to-net.conf/50security b/root/etc/e-smith/templates/etc/openvpn/host-to-net.conf/50security
@@ -14,6 +14,10 @@ if ($mode eq 'password') {
     $OUT.="plugin ${_libdir}/openvpn/plugins/openvpn-plugin-auth-pam.so /etc/pam.d/login\n";
 } elsif ($mode eq 'certificate') {
     $OUT.= "# Authentication: certificate\n";
+} elsif ( $mode eq 'certificate-otp') {
+    $OUT.= "# Authentication: certificate + OTP\n";
+    $OUT.= "reneg-sec 0\n";
+    $OUT.= "plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so /etc/pam.d/openvpn-certificate-otp\n";
 }
 
 my $digest = $openvpn{'Digest'} || '';

diff --git a/root/etc/pam.d/openvpn-certificate-otp b/root/etc/pam.d/openvpn-certificate-otp
@@ -0,0 +1,3 @@
+#%PAM-1.0
+auth    required    pam_oath.so usersfile=/etc/nethserver/otp.secret window=10 digits=6
+account required pam_permit.so
diff --git a/root/usr/libexec/nethserver/openvpn-local-client b/root/usr/libexec/nethserver/openvpn-local-client
@@ -54,7 +54,13 @@ my $mode = $openvpn->prop('AuthMode') || 'password';
 if ($mode eq 'password' or $mode eq 'password-certificate') {
     $OUT.="auth-user-pass\n";
 };
-if ($mode eq 'certificate' or $mode eq 'password-certificate') {
+
+if ($mode eq 'certificate-otp') {
+  $OUT.="auth-user-pass\n";
+  $OUT.="reneg-sec 0\n";
+}
+
+if ($mode ne 'password') {
     $OUT.= "# Authentication: certificate\n";
     $OUT .= "<cert>\n";
     $OUT .= cat("/var/lib/nethserver/certs/$name.crt");