# OpenVPN - PAM authentication - but restrict to group [SOLVED]

## hanj

Hello

I just recently got OpenVPN to work with openvpn-auth-pam.so, but I'd like to restrict checking users in a specific group only. Any ideas on how to do this?

For example, I have user1, user2 and user3, and they are all a part of the vpn group I created. I want authentication to work for user1, user2 and user3 only; root login and any other system logins will fail.

I'm currently using net-misc/openvpn-2.0.6.

Thanks!

hanji

----------

## hanj

OK, I have this working now.

I created a group called vpn, then created a file in /etc/security/vpn.group.allowed and added the value 'vpn' in there. Next, I copied /etc/pam.d/system-auth to /etc/pam.d/ovpn and added the following:

```
#%PAM-1.0

auth       required     pam_listfile.so onerr=fail item=group sense=allow file=/etc/security/vpn.group.allowed
auth       required     pam_env.so
auth       sufficient   pam_unix.so try_first_pass likeauth nullok
auth       required     pam_deny.so

account    required     pam_unix.so

# This can be used only if you enabled the cracklib USE flag
password   required     pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 try_first_pass retry=3
# This can be used only if you enabled the cracklib USE flag
password   sufficient   pam_unix.so try_first_pass use_authtok nullok md5 shadow
# This can be used only if you enabled the !cracklib USE flag
# password   sufficient pam_unix.so try_first_pass nullok md5 shadow
password   required     pam_deny.so

session    required     pam_limits.so
session    required     pam_unix.so
```

Now, only users in the vpn group can authenticate. I wrote up a small how-to about OpenVPN and dual auth (key-based and pam) here:

http://www.uno-code.com/?q=node/120

hanji

----------
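A check for the stack posted above, as an added example that is not part of the original post: it parses the auth lines of a PAM service file and confirms that the pam_listfile group gate is enforcing and sits ahead of any `sufficient` module. The function names and the embedded sample are constructed for illustration; bracketed control syntax is flagged rather than evaluated.

```python
# Constructed sample: the auth/account lines of /etc/pam.d/ovpn as posted above.
SAMPLE = """\
#%PAM-1.0
auth     required   pam_listfile.so onerr=fail item=group sense=allow file=/etc/security/vpn.group.allowed
auth     required   pam_env.so
auth     sufficient pam_unix.so try_first_pass likeauth nullok
auth     required   pam_deny.so
account  required   pam_unix.so
"""

def parse_auth(text):
    """Return [(control, module, options)] for every 'auth' line, in stack order."""
    stack = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments, split on whitespace
        if len(fields) >= 3 and fields[0] == "auth":
            opts = dict(o.partition("=")[::2] for o in fields[3:])
            stack.append((fields[1], fields[2], opts))
    return stack

def audit(text):
    """Return findings; an empty list means the group restriction is enforced."""
    findings, gated = [], False
    for control, module, opts in parse_auth(text):
        if control.startswith("["):
            findings.append("bracketed control on an auth line: not evaluated by this check")
        if (module == "pam_listfile.so" and opts.get("item") == "group"
                and opts.get("sense") == "allow"):
            if control not in ("required", "requisite"):
                findings.append(f"group gate is '{control}', not required/requisite: not enforcing")
            elif opts.get("onerr") == "succeed":
                findings.append("group gate has onerr=succeed: a missing list file passes")
            else:
                gated = True
        elif control == "sufficient" and not gated:
            findings.append(f"{module} is sufficient before the group gate: gate bypassed")
        if module == "pam_unix.so" and "nullok" in opts:
            findings.append("pam_unix.so nullok: accounts with empty passwords are accepted")
    if not gated:
        findings.append("no enforcing pam_listfile group gate in the auth stack")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("FINDING:", finding)
```

Run against the posted stack, the only finding is the `nullok` option inherited from system-auth; the group gate itself is ordered correctly.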

