On Tue, Jan 23, 2018 at 7:30 PM, Selva Nair <selva.n...@gmail.com> wrote:
> Hi,
>
> On Tue, Jan 23, 2018 at 11:40 AM, Martin T <m4rtn...@gmail.com> wrote:
>> Hi!
>>
>> I have configured OpenVPN server to use openvpn-plugin-auth-pam.so
>> plugin. Configuration statement for this is following:
>>
>> plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so
>> /etc/pam.d/openvpn
>>
>> In /etc/pam.d/openvpn configuration-file, I use pam_access.so plugin.
>> It requires client IPv4/IPv6 address. However, according to
>> pam_access.so plugin debug log, it does not receive it:
>
> IIRC, auth_pam plugin does not set PAM_RHOST, so hostname won't be available.
>
>>
>> pam_access(openvpn:auth): cannot determine tty or remote hostname,
>> using service openvpn
>>
>> Is it possible to fix this with configuration change?
>
> I do not think so -- unless you change the origins in auth.conf to
> ALL, disabling the remote host check which is not what you want.
>
> Selva

Selva,

thanks for the reply! My end goal was to use different authentication
methods for OpenVPN clients from different networks. If
openvpn-plugin-auth-pam.so would set PAM_RHOST, then I could do
something like this:

auth requisite pam_nologin.so
# If OpenVPN client is from certain network, then skip the YubiKey check.
auth [success=1 default=ignore] pam_access.so accessfile=/etc/security/access-local.conf
auth [success=done new_authtok_reqd=ok default=die] pam_yubico.so id=31121 authfile=/etc/yubikey
auth include common-auth

Maybe there is some other way to achieve this?

Martin
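
Added illustration, not part of the original message and not OpenVPN or Linux-PAM code: a small Python model of how libpam's control values would walk the auth stack quoted above if PAM_RHOST were available to pam_access.so. The single required pam_unix.so standing in for "include common-auth" and all module return codes are assumptions constructed for the example.

```python
# Minimal model of libpam's control-value dispatch (ok/done/bad/die/ignore/jump).
SHORTHAND = {
    "requisite": {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "required":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
}

# The auth stack from the message. The contents of common-auth are not shown in
# the thread, so one required pam_unix.so stands in for it (assumption).
STACK = [
    ("pam_nologin.so", SHORTHAND["requisite"]),
    ("pam_access.so",  {"success": 1, "default": "ignore"}),
    ("pam_yubico.so",  {"success": "done", "new_authtok_reqd": "ok", "default": "die"}),
    ("pam_unix.so",    SHORTHAND["required"]),
]

def evaluate(stack, returns):
    """Return (granted, modules_run) for the given per-module return codes."""
    impression, status, ran, i = None, None, [], 0  # impression: None, "pos" or "neg"
    while i < len(stack):
        name, control = stack[i]
        ret = returns[name]
        ran.append(name)
        action = control.get(ret, control["default"])
        i += 1
        if isinstance(action, int):        # jump: skip the next N modules
            i += action
        elif action in ("ok", "done"):
            if impression is None or (impression == "pos" and status == "success"):
                impression, status = "pos", ret
            if impression == "pos" and action == "done":
                break                      # stack ends here, later modules never run
        elif action in ("bad", "die"):
            if impression != "neg":
                impression, status = "neg", ret
            if action == "die":
                break
        # "ignore": the module contributes nothing to the result
    return impression == "pos" and status == "success", ran

# Constructed return codes; pam_nologin.so returns "ignore" when no nologin file exists.
BASE = {"pam_nologin.so": "ignore", "pam_unix.so": "success"}
LOCAL = dict(BASE, **{"pam_access.so": "success", "pam_yubico.so": "auth_err"})
REMOTE_OK = dict(BASE, **{"pam_access.so": "perm_denied", "pam_yubico.so": "success"})
REMOTE_BAD = dict(BASE, **{"pam_access.so": "perm_denied", "pam_yubico.so": "auth_err"})

if __name__ == "__main__":
    for label, rets in (("local", LOCAL), ("remote, key ok", REMOTE_OK), ("remote, key bad", REMOTE_BAD)):
        print(label, evaluate(STACK, rets))
```

In this model a client matched by the access file is granted on the common-auth result alone, while for every other client success=done ends the stack at pam_yubico.so, so common-auth is never consulted on that path.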