mirror of
https://github.com/OpenVPN/openvpn.git
synced 2024-11-28 04:03:51 +08:00
34cb9132ef
Suitable for mature project. root - administrative stuff doc - documents src - sources tests - tests distro - distro specific files sample - samples SIDE EFFECT: many changes to rpm spec. Signed-off-by: Alon Bar-Lev <alon.barlev@gmail.com> Acked-by: Adriaan de Jong <dejong@fox-it.com> Signed-off-by: David Sommerseth <davids@redhat.com>
98 lines
2.4 KiB
Perl
Executable File
98 lines
2.4 KiB
Perl
Executable File
#!/usr/bin/perl -t
|
|
|
|
# OpenVPN PAM AUTHENTICATON
|
|
# This script can be used to add PAM-based authentication
|
|
# to OpenVPN 2.0. The OpenVPN client must provide
|
|
# a username/password, using the --auth-user-pass directive.
|
|
# The OpenVPN server should specify --auth-user-pass-verify
|
|
# with this script as the argument and the 'via-file' method
|
|
# specified. The server can also optionally specify
|
|
# --client-cert-not-required and/or --username-as-common-name.
|
|
|
|
# SCRIPT OPERATION
|
|
# Return success or failure status based on whether or not a
|
|
# given username/password authenticates using PAM.
|
|
# Caller should write username/password as two lines in a file
|
|
# which is passed to this script as a command line argument.
|
|
|
|
# CAVEATS
|
|
# * Requires Authen::PAM module, which may also
|
|
# require the pam-devel package.
|
|
# * May need to be run as root in order to
|
|
# access username/password file.
|
|
|
|
# NOTES
|
|
# * This script is provided mostly as a demonstration of the
|
|
# --auth-user-pass-verify script capability in OpenVPN.
|
|
# For real world usage, see the auth-pam module in the plugin
|
|
# folder.
|
|
|
|
use Authen::PAM;
|
|
use POSIX;
|
|
|
|
# This "conversation function" will pass
|
|
# $password to PAM when it asks for it.
|
|
|
|
sub my_conv_func {
|
|
my @res;
|
|
while ( @_ ) {
|
|
my $code = shift;
|
|
my $msg = shift;
|
|
my $ans = "";
|
|
|
|
$ans = $password if $msg =~ /[Pp]assword/;
|
|
|
|
push @res, (PAM_SUCCESS(),$ans);
|
|
}
|
|
push @res, PAM_SUCCESS();
|
|
return @res;
|
|
}
|
|
|
|
# Identify service type to PAM
|
|
$service = "login";
|
|
|
|
# Get username/password from file
|
|
|
|
if ($ARG = shift @ARGV) {
|
|
if (!open (UPFILE, "<$ARG")) {
|
|
print "Could not open username/password file: $ARG\n";
|
|
exit 1;
|
|
}
|
|
} else {
|
|
print "No username/password file specified on command line\n";
|
|
exit 1;
|
|
}
|
|
|
|
$username = <UPFILE>;
|
|
$password = <UPFILE>;
|
|
|
|
if (!$username || !$password) {
|
|
print "Username/password not found in file: $ARG\n";
|
|
exit 1;
|
|
}
|
|
|
|
chomp $username;
|
|
chomp $password;
|
|
|
|
close (UPFILE);
|
|
|
|
# Initialize PAM object
|
|
|
|
if (!ref($pamh = new Authen::PAM($service, $username, \&my_conv_func))) {
|
|
print "Authen::PAM init failed\n";
|
|
exit 1;
|
|
}
|
|
|
|
# Authenticate with PAM
|
|
|
|
$res = $pamh->pam_authenticate;
|
|
|
|
# Return success or failure
|
|
|
|
if ($res == PAM_SUCCESS()) {
|
|
exit 0;
|
|
} else {
|
|
print "Auth '$username' failed, PAM said: ", $pamh->pam_strerror($res), "\n";
|
|
exit 1;
|
|
}
|