I'm setting up a PAM service for OpenVPN, such that the OpenVPN PAM module can authenticate a username/password to an external service that I will implement using a shell script.
The OpenVPN PAM module's documentation states approximately the following:
plugin openvpn-auth-pam.so "openvpn name USERNAME password PASSWORD"
While "USERNAME" and "PASSWORD" are special strings which substitute to client-supplied values, it is also possible to name literal values to use as PAM module query responses. For example, suppose that the login module queried for a third parameter, "domain" which is to be answered with the constant value "mydomain.com":
So now I created an openvpn PAM configuration in /etc/pam.d/openvpn:
auth required pam_exec.so expose_authtok /tmp/outputenv
That got me as far as executing a script and getting the password from stdin. Brilliant, I'm 95% of the way there. But I don't have access to the username. I've checked the environment variables and anything else I can think of, but I can't work out how I could pass BOTH the username AND the password to my script for external authentication.
Ideas?
The full answer to this question is posted here:
https://forums.openvpn.net/post13002.html#p13002
Basically, the example in the PAM module documentation for openvpn leads you astray here; it uses:
But the correct configuration for openvpn's server.config is:
If you include the extra parameters shown in the documentation example, it will never write out PAM_USER to the environment variables, as is expected based on the documentation of pam_exec.so.
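As an added worked example (not from the question, the linked forum post, or the OpenVPN or Linux-PAM projects), here is a POSIX shell script of the kind the pam_exec.so line in the question would point at. pam_exec exports the user name as PAM_USER (together with PAM_SERVICE, PAM_TYPE, PAM_RHOST, PAM_RUSER and PAM_TTY) and, with expose_authtok, writes the password to the script's standard input; an exit status of 0 means the credentials were accepted and anything else fails the authentication. The credentials file format, its path /etc/openvpn/auth-users (overridable through OPENVPN_AUTH_CREDENTIALS), the script name openvpn-auth and the helper names are assumptions made for this example.

```sh
#!/bin/sh
# openvpn-auth: pam_exec target for /etc/pam.d/openvpn (example code, not from the original post).
# Assumed PAM line:   auth required pam_exec.so expose_authtok /usr/local/sbin/openvpn-auth
# pam_exec puts the user name in $PAM_USER and, with expose_authtok, the password on stdin.
#
# Assumed credentials file format, one entry per line, terminated by a newline:
#   username:salt:sha256hex("salt:password")
CREDENTIALS_FILE="${OPENVPN_AUTH_CREDENTIALS:-/etc/openvpn/auth-users}"   # hypothetical path

# hash_password SALT PASSWORD -> hex SHA-256 of "SALT:PASSWORD", the form stored in the file.
hash_password() {
    printf '%s:%s' "$1" "$2" | sha256sum | cut -d' ' -f1
}

# make_entry USERNAME PASSWORD -> one credentials-file line with a fresh 16-byte random salt.
make_entry() {
    salt=$(od -An -N16 -tx1 /dev/urandom | tr -d ' \n')
    printf '%s:%s:%s\n' "$1" "$salt" "$(hash_password "$salt" "$2")"
}

# check_credentials USERNAME PASSWORD FILE -> returns 0 if the pair matches an entry, 1 otherwise.
check_credentials() {
    user=$1; password=$2; file=$3
    # Refuse anything that cannot be a legitimate identity before touching the file:
    # empty names, or names containing ':' (the field separator), '/' or other odd characters.
    case "$user" in
        ''|*[!A-Za-z0-9._@-]*) return 1 ;;
    esac
    [ -n "$password" ] || return 1     # never accept an empty password
    [ -r "$file" ] || return 1
    while IFS=: read -r name salt stored; do
        [ "$name" = "$user" ] || continue
        [ "$(hash_password "$salt" "$password")" = "$stored" ] && return 0
        return 1
    done < "$file"
    # Unknown user: do the same hashing work so "no such user" and "wrong password"
    # take about the same time, which avoids a cheap username-enumeration oracle.
    hash_password dummy "$password" >/dev/null
    return 1
}

# pam_exec always exports PAM_TYPE. When it is absent this file is merely being sourced
# for its functions (for instance by a test), so do nothing in that case.
if [ -n "${PAM_TYPE:-}" ]; then
    [ "$PAM_TYPE" = "auth" ] || exit 1       # only meaningful on an "auth" line
    # expose_authtok delivers the password on stdin; $(cat) drops only trailing newlines,
    # so this works whether or not pam_exec terminates the token with one.
    pam_password=$(cat)
    if check_credentials "${PAM_USER:-}" "$pam_password" "$CREDENTIALS_FILE"; then
        logger -t openvpn-auth "accepted user=$PAM_USER rhost=${PAM_RHOST:-?}"
        exit 0
    fi
    logger -t openvpn-auth "rejected user=${PAM_USER:-?} rhost=${PAM_RHOST:-?}"
    exit 1
fi
```

Install the script root-owned and not writable by anyone else, and keep the credentials file out of reach of the account OpenVPN runs as after dropping privileges unless that account is the one pam_exec will run the script as. If you want to see exactly what pam_exec hands to the script while debugging, its `debug` option logs the call to syslog. Shell string comparison is not constant-time, but the script only compares hashes, so the timing side channel exposes hash bytes rather than password bytes; a real deployment would replace the SHA-256 scheme with a slow password hash.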