3 # OpenVPN PAM AUTHENTICATON
4 # This script can be used to add PAM-based authentication
5 # to OpenVPN 2.0. The OpenVPN client must provide
6 # a username/password, using the --auth-user-pass directive.
7 # The OpenVPN server should specify --auth-user-pass-verify
8 # with this script as the argument and the 'via-file' method
9 # specified. The server can also optionally specify
10 # --client-cert-not-required and/or --username-as-common-name.
13 # Return success or failure status based on whether or not a
14 # given username/password authenticates using PAM.
15 # Caller should write username/password as two lines in a file
16 # which is passed to this script as a command line argument.
19 # * Requires Authen::PAM module, which may also
20 # require the pam-devel package.
21 # * May need to be run as root in order to
22 # access username/password file.
25 # * This script is provided mostly as a demonstration of the
26 # --auth-user-pass-verify script capability in OpenVPN.
27 # For real world usage, see the auth-pam module in the plugin
33 # This "conversation function" will pass
34 # $password to PAM when it asks for it.
43 $ans = $password if $msg =~ /[Pp]assword/;
45 push @res, (PAM_SUCCESS
(),$ans);
47 push @res, PAM_SUCCESS
();
51 # Identify service type to PAM
54 # Get username/password from file
56 if ($ARG = shift @ARGV) {
57 if (!open (UPFILE
, "<$ARG")) {
58 print "Could not open username/password file: $ARG\n";
62 print "No username/password file specified on command line\n";
69 if (!$username || !$password) {
70 print "Username/password not found in file: $ARG\n";
79 # Initialize PAM object
81 if (!ref($pamh = new Authen
::PAM
($service, $username, \
&my_conv_func
))) {
82 print "Authen::PAM init failed\n";
86 # Authenticate with PAM
88 $res = $pamh->pam_authenticate;
90 # Return success or failure
92 if ($res == PAM_SUCCESS
()) {
95 print "Auth '$username' failed, PAM said: ", $pamh->pam_strerror($res), "\n";