[Openvpn-devel] Needing help with writing an easy-to-use Radius-Plugin for authentication
Marcus
2008-02-18 16:00:23 UTC
Hi Folks,

since pam doesn't work for me on ubuntu, as already stated on the
user-list, I decided to take a different approach towards
authentication. There is a python module called pyrad
(http://www.wiggy.net/code/pyrad/), which is able to authenticate a user
with a username and a password against a radius-server.

The goal is to put a line like
plugin /path/to/my-auth-script.py
in openvpn-server.conf and take the user + pass which the client
provides via the "auth-user-pass"-Directive in its client.conf.

I already read the README file in the plugin folder of the OpenVPN
source distribution, and also browsed through the plugin.h-file but I'm
not that good in reading header-files.

An authentication-script could look something like this:


#!/usr/bin/python

import sys
import socket
import pyrad.packet
import pyrad.client
from pyrad.client import Client
from pyrad.dictionary import Dictionary

args = sys.argv[1:] # drop first entry (progpath)
if len(args) != 2:
    raise SystemExit("expected two parameters (username and password)")
username, password = args

srv = Client(server="server_ip",
             secret="some_s3cret",
             dict=Dictionary("dictionary"))

# pyrad turns the User_Name keyword into the User-Name attribute
req = srv.CreateAuthPacket(code=pyrad.packet.AccessRequest, User_Name=username)

# PwCrypt applies the RFC 2865 User-Password hiding with the shared secret
req["User-Password"] = req.PwCrypt(password)

req["NAS-IP-Address"] = "The_Nas_IP"
req["NAS-Port"] = 0
req["Service-Type"] = "Login-User"
req["NAS-Identifier"] = "openvpn"

try:
    # print "Sending authentication request"
    reply = srv.SendPacket(req)
except pyrad.client.Timeout:
    print "RADIUS server does not reply"
    sys.exit(1)
except socket.error, error:
    print "Network error: " + str(error)
    sys.exit(1)

# exit status 0 = authenticated, 1 = not authenticated
if reply.code == pyrad.packet.AccessAccept:
    sys.exit(0)
else:
    sys.exit(1)


Can anyone tell me (pretty please with sugar on top) how to put this
together?
What I don't know yet is:
1. What is the script supposed to return? 0 for authenticated and 1 for
not authenticated?
2. How are arguments (username/password) passed to the plugin?
3. How can I use a python-script instead of a *.so-File or a perl-Script?

I hope it's not a big deal to get this set-up running.

I recognized that easy authentication via a MS-IAS-Radius server IS an
issue in the openvpn-community. This solution would be very simple to
set up and I'd document it in the official wiki to share with the world,
in return.

Best regards, Marcus

My client.conf looks like this:

client
dev tun
proto udp
remote SOME_IP 1194
route-method exe
route-delay 2
resolv-retry infinite
nobind
persist-key
persist-tun

auth-user-pass
ca keys/ca.crt

comp-lzo
verb 3
Thibault Le Meur
2008-02-18 16:11:38 UTC
Post by Marcus
Hi Folks,
since pam doesn't work for me on ubuntu, as already stated on the
user-list, I decided to take a different approach towards
authentication. There is a python module called pyrad
(http://www.wiggy.net/code/pyrad/), which is able to authenticate a user
with a username and a password against a radius-server.
Have you tried using the Radius plugin?
http://www.nongnu.org/radiusplugin/

Regards,
Thibault Le Meur
Marcus
2008-02-18 16:37:21 UTC
Post by Thibault Le Meur
Have you tried using the Radius plugin?
http://www.nongnu.org/radiusplugin/
Yes, it works, but my Openvpn-Server is trying to establish accounting
according to logfile which doesn't work. My IAS-Server however gives me
an IAS_SUCCESS which is equal to "thumbs up".
Maybe I can disable accounting in that plugin somehow... any ideas?

Greetz,
Marcus
Giancarlo Razzolini
2008-02-18 16:13:09 UTC
Post by Marcus
Hi Folks,
since pam doesn't work for me on ubuntu, as already stated on the
user-list, I decided to take a different approach towards
authentication. There is a python module called pyrad
(http://www.wiggy.net/code/pyrad/), which is able to authenticate a user
with a username and a password against a radius-server.
_______________________________________________
Openvpn-devel mailing list
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Marcus,

An openvpn auth plugin intercepts the
OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY callback, which is internal to
openvpn. So your plugin must be a shared library (.so) program that
"fits" with openvpn. This plugin uses the openvpn_plugin.h C header and,
as far as I'm aware, can be written only in C and C++. I do not know any
other openvpn plugin written in another language. I did write one
myself to do authentication directly from /etc/shadow files, as an
alternative to authenticating with PAM. See http://auth-passwd.sf.net. If
you want to use a .py script, it's much simpler to use
auth-user-pass-verify, which receives a script as argument. This script
is given a path to a temporary file that contains the username and the
password provided by the client, one per line. This is more insecure
than using a plugin, but for your case it might suit.

My regards,
--
Giancarlo Razzolini
Linux User 172199
Red Hat Certified Engineer no:804006389722501
Moleque Sem Conteudo Numero #002
Slackware Current
OpenBSD Stable
Ubuntu 6.10 Edgy Eft
Snike Tecnologia em Informática
4386 2A6F FFD4 4D5F 5842 6EA0 7ABE BBAB 9C0E 6B85
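As an added example (not Marcus's script, not pyrad, and not code from anyone in this thread), here is what a complete script for the mechanism Giancarlo describes looks like, which also answers Marcus's questions 1 and 2: with "auth-user-pass-verify /path/to/radius-verify.py via-file" OpenVPN passes the script the path of a temporary file whose first line is the username and whose second line is the password, and an exit status of 0 means authenticated while anything else denies. The script builds the RADIUS Access-Request itself per RFC 2865 (the same User-Password hiding that pyrad's PwCrypt performs) so it runs without that module, and it verifies the reply's Response Authenticator with the shared secret before trusting an Access-Accept, so a forged accept from someone who does not hold the secret is rejected. The server address, shared secret, NAS-Identifier and script path are placeholders.

```python
#!/usr/bin/env python3
# Added example (not code from this thread, from pyrad or from OpenVPN) for
# "auth-user-pass-verify /path/to/radius-verify.py via-file": OpenVPN hands the
# script a temp file (username on line 1, password on line 2) and treats exit 0
# as "authenticated". Access-Request built per RFC 2865; reply authenticator checked.
import hashlib
import hmac
import os
import socket
import struct
import sys

RADIUS_HOST, RADIUS_PORT = "radius.example.com", 1812      # placeholder values
SECRET, NAS_ID, TIMEOUT = b"some_s3cret", b"openvpn", 3.0  # placeholder values
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_PORT, SERVICE_TYPE, NAS_IDENTIFIER = 1, 2, 5, 6, 32
LOGIN_USER = 1

def parse_credentials(data):
    """Split via-file contents; both lines must exist and be non-empty."""
    lines = data.split(b"\n")
    if len(lines) < 2 or not lines[0] or not lines[1]:
        raise ValueError("expected username and password, one per line")
    return lines[0].decode("utf-8"), lines[1].decode("utf-8")

def password_crypt(data, secret, authenticator, hide=True):
    """RFC 2865 5.2 User-Password hiding (hide=True) or its inverse: each
    16-octet block is XORed with MD5(secret + previous hidden block), the first
    with MD5(secret + Request Authenticator). Obfuscation, not encryption."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], key))
        out, prev = out + block, (block if hide else data[i:i + 16])
    return out

def hide_password(password, secret, authenticator):
    plain = password.encode("utf-8")
    if not plain or len(plain) > 128:
        raise ValueError("password must be 1..128 octets")
    return password_crypt(plain + b"\x00" * (-len(plain) % 16), secret, authenticator)

def attribute(atype, value):
    if len(value) > 253: raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value

def build_access_request(username, password, secret, nas_id, ident, authenticator):
    attrs = (attribute(USER_NAME, username.encode("utf-8"))
             + attribute(USER_PASSWORD, hide_password(password, secret, authenticator))
             + attribute(NAS_PORT, struct.pack("!I", 0))
             + attribute(SERVICE_TYPE, struct.pack("!I", LOGIN_USER))
             + attribute(NAS_IDENTIFIER, nas_id))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def build_reply(code, ident, request_authenticator, secret, attrs=b""):
    """What a server sends: Response Authenticator = MD5(header + RequestAuth + attrs + secret)."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return head + hashlib.md5(head + request_authenticator + attrs + secret).digest() + attrs

def reply_code(reply, request_authenticator, secret, ident):
    """Code of the reply, or None if it is not a valid answer to our request:
    wrong identifier, bad length, or an authenticator not made with our secret."""
    if len(reply) < 20 or reply[1] != ident:
        return None
    length = struct.unpack("!H", reply[2:4])[0]
    if length < 20 or length > len(reply):
        return None
    reply = reply[:length]  # octets beyond Length are padding (RFC 2865 section 3)
    expected = hashlib.md5(reply[:4] + request_authenticator + reply[20:] + secret).digest()
    return reply[0] if hmac.compare_digest(expected, reply[4:20]) else None

def fail(message):
    sys.stderr.write(message + "\n")
    return 1

def main(argv):
    if len(argv) != 2:
        return fail("usage: %s <credential-file>" % argv[0])
    try:
        with open(argv[1], "rb") as fh:
            username, password = parse_credentials(fh.read())
    except (OSError, ValueError) as err:
        return fail("bad credential file: %s" % err)
    authenticator, ident = os.urandom(16), os.urandom(1)[0]
    request = build_access_request(username, password, SECRET, NAS_ID, ident, authenticator)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(TIMEOUT)
        try:
            sock.sendto(request, (RADIUS_HOST, RADIUS_PORT))
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            return fail("RADIUS server does not reply")
        except OSError as err:
            return fail("network error: %s" % err)
    # 0 = authenticated; reject, spoofed or malformed reply all mean "deny"
    return 0 if reply_code(reply, authenticator, SECRET, ident) == ACCESS_ACCEPT else 1

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Two design points worth noting: every failure path (timeout, network error, malformed or unverifiable reply) returns 1, so the default is always "deny", and the reply check ties the accept to the shared secret rather than to the packet's code byte alone. In a real deployment the secret belongs in a root-only readable file rather than in the script, since the credential file and the script run with the server's privileges.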
Faidon Liambotis
2008-02-19 04:17:05 UTC
Post by Marcus
#!/usr/bin/python
Not really able to help you with your python script, but this is a
really simple perl script I've written in the past (2005) for the same
purpose.

It uses a simple configuration file format:
radius_host=radius.example.com
radius_port=1812
radius_secret=foobar

It only does the AA part of RADIUS plus it supports Framed-IP-Address,
in case you need it. Be warned that the latter is implemented in a
rather hackish way.

IIRC, there are other solutions to RADIUS authentication that are more
featureful. Haven't evaluated them though, the above works pretty well
for me.

Regards,
Faidon
Brane F. Gračnar
2008-02-18 16:24:55 UTC
... you can also check openvpn_auth:
http://frost.ath.cx/software/openvpn_auth/

Best regards, Brane
Marcus
2008-02-18 16:59:36 UTC
Post by Brane F. Gračnar
http://frost.ath.cx/software/openvpn_auth/
Greetings to thee, Brane,
you are the author of that software if I am not mistaken.
I tried it already - alas with no success, although I "at least read the
whole goddamn configuration file" to the end ;-)

I can start the daemon successfully. (Mind that "semaphores" doesn't
work, so I use "flock".)

I defined a "radius"-Service in the config-File:

$auth_backends = {
radius => {
driver => 'Radius',
sufficient => 1,
required => 1,
host => '134.2.239.234',
service => 'openvpn',
secret => 'mysecret',
use_nas_ipaddr => 1,
timeout => 2
}
};

And I installed the perl-plugins:

./bin/openvpn_authd.pl --list
Allow, AuthStruct, DBI, Deny, File, IMAP, Krb5, LDAP, PAM, POP3, Radius,
SASL

My auth_order looks like this:
$auth_order = ["radius"];

I also did steps 8 to 10 from the Readme.

But when I try step 11, something goes wrong.

11. Check if everything works...
export common_name="someuser.example.org"
export untrusted_ip="1.2.3.4"
export untrusted_port="3456"
export script_type="auth-user-pass-verify"

Here, the documentation is not clear to me. What are the exports for?
The client gives me an error, when I use the above values. (Maybe it's
stupid to use the above values?)

When I run
./bin/openvpn_authc -v /tmp/sample_auth.txt I get

Feb 17 17:56:17 ovpn openvpn_authd.pl: WARN: AuthDaemon.pm, line 262,
PRINT(): Catched output to STDOUT/STDERR: Use of uninitialized value in
concatenation (.) or string at
/usr/local/src/openvpn_auth-0.10/lib/Net/OpenVPN/Auth/Radius.pm line
124, <GEN1> line 6.
Feb 17 17:56:17 ovpn openvpn_authd.pl: WARN: AuthDaemon.pm, line 263,
PRINT(): This should not happen! Possible couses: Missing perl modules
(running in chroot? Define $extra_modules); OR BUG in your validation
functions, if you're using AuthStruct module; OR BUG in
openvpn_authd.pl/it's libraries.
Feb 17 17:56:22 ovpn openvpn_authd.pl: WARN: AuthDaemon.pm, line 140,
__ANON__(): Authentication timed out.


I probably got the settings for the radius wrong, what do you think?

Greetz, Marcus
