Two Factor Authentication for Free

RSA is a ripoff. They're following in the footsteps of Microsoft, and unfortunately many companies believe RSA is the only way to secure their network.

They’re wrong, and here’s why:

OpenVPN + a per-client certificate/key signed by your own CA + the PAM authentication plugin = FREE two-factor authentication.

First, let's define two-factor authentication: it's nothing more than two independent requirements for logging on, tunnelling in or otherwise gaining access to a network, typically something you know and something you have. For example, you have a PIN or password that never changes, and in addition a key-chain token whose code is constantly changing. Access requires both, and because the token code is always changing it becomes very difficult for the wrong person to gain access.

A little background on the industry: the Citrix Access Gateway is probably the industry standard for providing a single-factor authentication gateway to a small company, and I'm guessing most companies concerned with security have something very similar. The gateway, or "CAG", sits behind the company's firewall and accepts authentication requests. That's the first factor; the second is generally a token-like system that requires users to carry around a silly key chain. Why? If a user holds a private key and certificate signed by your own CA AND a username/password, access is still two factor: something they have and something they know.

What absolutely amazes me is that there are open source applications that can provide two-factor authentication for FREE.

Here’s what a working OpenVPN server config looks like using PAM:

proto udp
;proto tcp
port 1194
dev tap
# 1024-bit DH parameters are weak by today's standards; generate 2048-bit or larger
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
# Define the IP address for the tap0 virtual device
ifconfig-pool-persist /etc/openvpn/ipp.txt
# Routes to be established on the server
route-up "route delete -net"
route-up "route add -net tap0"

# Allow clients to talk to one another
client-to-client

# Push the same ping to the server....
push "ping 10"
push "ping-restart 60"
push "route" # route to another subnet
push "route" # route to another
push "route" # route to one more
push "route" # route to and another
push "route" # route to some place
push "route" # route to northern US
push "route" # route to more north
push "dhcp-option DOMAIN" # push the DNS domain suffix

status-version 2
status /var/log/openvpn-status.log
verb 5
# Keep tunnel open with a ping every 10 seconds, restart after 120 seconds
keepalive 10 120

# PAM plugin; "login" is the PAM service name, so any account that can log in locally can authenticate
plugin /usr/share/openvpn/plugin/lib/ login

I'm going to skip a whole bunch of steps to get this working, but if the server is running with the above configuration (with no errors) you'll have two-factor authentication: 1) a client certificate and key signed by your own Certificate Authority, and 2) the username/password of an account on the Linux box, checked by the PAM plugin above.

Win XP/Vista/32-bit/64-bit Client Setup:

1). Install OpenVPN GUI v1.0.3
2). Load ca.crt, the client's own client.crt and client.key, and the client.ovpn file.

Here’s an example of the client.ovpn file:

client
dev tap

;proto tcp
proto udp
remote <public-ip-of-server> 1194
resolv-retry infinite
ca ca.crt
# The client's own certificate and key, signed by the CA above: factor one
cert client.crt
key client.key
# Prompt for the username/password that the server's PAM plugin checks: factor two
auth-user-pass
verb 3
mute 20
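Whether a server/client pair like the two above really enforces both factors is something you can check rather than assume: a client file that carries only ca.crt cannot present a certificate at all (the server would have to stop requiring one), and a client that never sends a username/password is rejected by the PAM plugin with AUTH_FAILED. The following Python script is an added example, not code from the original post or from the OpenVPN project: it parses a server config and a client config, reports which factor each one fails to enforce, and puts a post-style pair next to a hardened pair written with OpenVPN 2.4+ directives. The sample configs are constructed for this example; the plugin path, the PAM service name "openvpn", the tls-crypt key path and the check-cn.sh script are assumptions about one possible install, not files from the post.

```python
"""Audit an OpenVPN server/client config pair for the two factors the post relies
on: a client certificate the server really verifies, plus a username/password the
PAM plugin checks. Added example, not code from the post. The embedded configs are
constructed; the plugin path, PAM service "openvpn" and check-cn.sh are assumptions."""
from typing import Dict, List, Tuple

def parse_config(text: str) -> List[Tuple[str, List[str]]]:
    """(directive, args) pairs; '#' and a leading ';' start comments, as in OpenVPN."""
    out = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line and not line.startswith(";"):
            name, *args = line.split()
            out.append((name, args))
    return out

def _has(cfg, name: str) -> bool:
    return any(d == name for d, _ in cfg)

def _args(cfg, name: str) -> List[str]:
    return [a for d, args in cfg if d == name for a in args]

FINDINGS: Dict[str, str] = {
    "no-pam-plugin": "no auth-pam plugin: the password factor is never checked",
    "client-cert-optional": "client cert optional: the certificate factor is not enforced",
    "weak-dh": "1024-bit DH parameters are below current minimums; use 2048-bit or larger",
    "no-tls-crypt": "no tls-auth/tls-crypt: unauthenticated packets reach the TLS handshake",
    "cn-not-bound": "no auth-user-pass-verify: any cert holder can log in with any PAM user's password",
    "no-client-cert": "no cert/key or pkcs12: client cannot present the certificate factor",
    "no-auth-user-pass": "no auth-user-pass: no credentials sent, PAM auth ends in AUTH_FAILED",
    "no-remote-cert-tls": "no remote-cert-tls server: another client's cert could impersonate the server",
}

def audit_server(text: str) -> List[str]:
    """Return FINDINGS ids for a server config; an empty list means both factors hold."""
    cfg, found = parse_config(text), []
    pam = any("auth-pam" in a for a in _args(cfg, "plugin"))
    if not pam:
        found.append("no-pam-plugin")
    lax = set(_args(cfg, "verify-client-cert")) & {"none", "optional"}
    if lax or _has(cfg, "client-cert-not-required"):
        found.append("client-cert-optional")
    if any("1024" in a for a in _args(cfg, "dh")):
        found.append("weak-dh")
    if not (_has(cfg, "tls-auth") or _has(cfg, "tls-crypt")):
        found.append("no-tls-crypt")
    if pam and not _has(cfg, "auth-user-pass-verify"):
        found.append("cn-not-bound")  # the verify script sees $common_name in its env
    return found

def audit_client(text: str) -> List[str]:
    cfg, found = parse_config(text), []
    if not (_has(cfg, "pkcs12") or (_has(cfg, "cert") and _has(cfg, "key"))):
        found.append("no-client-cert")
    if not _has(cfg, "auth-user-pass"):
        found.append("no-auth-user-pass")
    if "server" not in _args(cfg, "remote-cert-tls"):
        found.append("no-remote-cert-tls")
    return found

# Constructed samples. POST_* follow the shape of the post's configs; a client that
# only has "ca" can connect only if the server stops requiring a client certificate.
POST_SERVER = """
proto udp
dev tap
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
client-cert-not-required
plugin /usr/lib/openvpn/openvpn-auth-pam.so login
"""
POST_CLIENT = """
remote vpn.example.net 1194
ca ca.crt
"""
HARDENED_SERVER = """
dev tun
server 10.8.0.0 255.255.255.0
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh2048.pem
tls-crypt /etc/openvpn/tc.key             # pre-shared key wraps the control channel
verify-client-cert require                # factor 1: a cert signed by our CA
plugin /usr/lib/openvpn/openvpn-auth-pam.so openvpn   # factor 2: dedicated PAM service
script-security 2
auth-user-pass-verify /etc/openvpn/check-cn.sh via-file  # rejects username != CN
"""
HARDENED_CLIENT = """
client
dev tun
remote vpn.example.net 1194
ca ca.crt
cert client.crt
key client.key
tls-crypt tc.key
remote-cert-tls server
auth-user-pass
"""

if __name__ == "__main__":
    for ids in (audit_server(POST_SERVER), audit_client(POST_CLIENT)):
        print("\n".join(FINDINGS[i] for i in ids) or "OK")
```

Two of the hardened settings are what turn "cert plus password" into real two-factor rather than two unrelated checks. The dedicated /etc/pam.d/openvpn service (assumed here instead of the post's login) lets you require a group, for instance with `auth required pam_succeed_if.so user ingroup vpnusers`, so not every local account can tunnel in. The auth-user-pass-verify script (the assumed check-cn.sh) reads the username from the credentials file OpenVPN hands it and rejects the connection when it differs from $common_name, which is what stops someone holding one valid certificate from logging in with another user's password.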

Save yourself $10k or $20k, learn OpenVPN.


3 thoughts on “Two Factor Authentication for Free”

  1. Someone steals your laptop with the cert already on it and recovers the password as Windows keeps that oh so secret (or people write it on the sticky) and your two-fold authentication just went to crap. SecurID is most often set up as a PIN + an algorithmic number that expires every 60 seconds. Steal the laptop, hack the password, you still aren't in as you still need the SecurID and PIN. Even if the SecurID is chained to the laptop, the PIN can vary between 4 and 8 digits and you don't know if the PIN goes before the token digits or after. You are not cracking that. Your idea has merit on being cheap, but cheap only gets you so far.

  2. Apparently “Anonymous” doesn’t want to be known. He also doesn’t realize that the key chain is just as static as a post-it note. If a user has both factors they’ll get in.

    He also neglects to mention Open Radius as another free alternative if someone wants to mimic the constantly changing keychain.


Comments are closed.