openvpn-auth-passwd
SYNOPSIS
The openvpn-auth-passwd module implements username/password authentication via the passwd files and, in the systems with shadow support, we use it. It is provided for systems that don't have PAM.
This module uses a split privilege execution model, the same used in the auth-pam and down-root plugins. That is, even if you drop the openvpn daemon privileges using the user, group, or chroot directives, the plugin still work.
As the normal behaviour of the plugin is to authenticate any user in the shadow or passwd files, you can specify an optional parameter that is the name of any group. The members of this group must be all the users you want to authenticate. The group can be the primary or the secondary group of the user, it does not matter. This way you are adding another authentication layer, as the password of the user is never checked, if he/her do not belong to the specified group. If no parameter is passed, then the plugin authenticate any user.
BUILD
To build openvpn-auth-passwd on systems that use shadow, you will need to have the shadow suite and it's devel headers installed.
On GNU systems build with the "make" command. In other systems you should install the GNU make, if you don't have it, and type "gmake". The module will be named openvpn-auth-passwd.so
USAGE
To use this plugin module, add to your OpenVPN config file:
plugin openvpn-auth-passwd.so groupname
With groupname being an optional parameter.
Run OpenVPN with --verb 7 or higher to get debugging output from this plugin.
CAVEATS
This module is supposed to work on any *nix system but, more testing should be done. Right now it works on Linux and OpenBSD.
There is no portable way to check if you are using the shadow suite or not. And, as we are not using autoconf to do this, you must manually set the USE_SHADOW directive in the Makefile. We assume by default that you are using it (the majority of linux distributions and sun). If you aren't (the majority of *bsd systems and others), you should set it to 0.