Yubico Forum ...visit our web-store at 2008-11-26T16:47:46+01:00 https://forum.yubico.com/feed.php?f=12&t=81 2008-11-26T16:47:46+01:00 2008-11-26T16:47:46+01:00 https://forum.yubico.com/viewtopic.php?t=81&p=802#p802 <![CDATA[Re: YubiKey as a strong authentication device for VPN clients]]>
  • About this document:

The purpose of this document is to guide readers through the configuration steps to use two factor authentication for OpenVPN using YubiKey. This document assumes that the reader has advanced knowledge and experience in Linux system administration, particularly for how PAM authentication mechanism is configured on a Linux platform.

  • Prerequisites:

Successful configuration of the Yubico PAM module to support two factor authentication for OpenVPN has the following prerequisites:


  • Configuration:

There are two ways OpenVPN can be configured to support two factor authentication with YubiKey.

    1) OpenVPN Configuration without FreeRADIUS support:
    In this mode of configuration, OpenVPN server will be authenticating users by verifying username and user’s password against system password file “/etc/passwd” and verifying OTP (one time password generated from YubiKey) against Yubico’s OTP validation server.

    We assume that OpenVPN server is already installed on the server.

      1.1) Configuration of OpenVPN server to support PAM authentication:

        a) Edit the OpenVPN server configuration file “/etc/openvpn/server.conf” to add the following three lines to enable PAM modules for username and password authentication:

        plugin <Absolute path of “openvpn-auth-pam.so” file> <PAM configuration file name for OpenVPN>

        (For e.g.:
        plugin /usr/lib/openvpn/plugin/lib/openvpn-auth-pam.so openvpn)

        client-cert-not-required

        username-as-common-name

        b) Edit the OpenVPN client configuration file “/etc/openvpn/client.conf” to add following line to configure OpenVPN client for prompting username and password:

        auth-user-pass

      1.2) Installation of pam_yubico module:

      Build instructions for pam_yubico are available in the README:

      http://code.google.com/p/yubico-c/sourc ... unk/README

      1.3) Configuration of pam_yubico module:

        a) Configuration for user and YubiKey PublicID mapping:

        There are two ways of user and YubiKey PublicID (token ID) mapping. It can be either done at administrative level or at individual user level.

          i) Administrative Level:

          In Administrative level, system administrators hold right to configure the user and YubiKey PublicID mapping. Administrators can achieve this by creating a new file that contains information about the username and the corresponding PublicIDs of YubiKey(s) assigned. This file contains user name that is allowed to connect to the system using RADIUS and the PublicID of the YubiKey(s) assigned to that particular user. A user can be assigned multiple YubiKeys and this multi key mapping is supported by this file. However, presently there is no logic coded to detect or prevent use of same YubiKey ID for multiple users.

          Each record in the file should begin on a new line. The parameters in each record are separated by “:” character similar to /etc/passwd.
          The contents of this file are as follows:

          <user name>:<YubiKey PublicID>:<YubiKey PublicID>: ….
          <user name>:<YubiKey PublicID >:<YubiKey PublicID>:…..

          e.g.:

          paul:indvnvlcbdre:ldvglinuddek
          simon:uturrufnjder:hjturefjtehv
          kurt:ertbhunjimko

          The mapping file must be created/updated manually before configuration of Yubico PAM module for OpenVPN authentication.

          • Configuration of modified pam_yubico.so module at administrative level:

          Append the following line to the beginning of /etc/pam.d/radiusd file:
          auth required pam_yubico.so id=16 debug authfile=<absolute path of the mapping file>

          After the above configuration changes, whenever a user connects to the server using any RADIUS client, the PAM authentication interface will pass the control to Yubico PAM module. The Yubico PAM module first checks the presence of authfile argument in PAM configuration. If authfile argument is present, it parses the corresponding mapping file and verifies the username with corresponding YubiKey PublicID as configured in the mapping file. If valid, the Yubico PAM module extracts the OTP string and sends it to the Yubico authentication server or else it reports failure. If authfile argument is present but the mapping file is not present at the provided path PAM module reports failure. After successful verification of OTP Yubico PAM module from the Yubico authentication server, a success code is returned.

          ii) User Level:

          Although, user level configuration of pam_yubico is possible, this might not be a desired configuration option in case of OpenVPN demon in most enterprise.

        b) Configuration of PAM modules for OpenVPN::

        To configure PAM modules for OpenVPN, create a file named “/etc/pam.d/openvpn” (file name must be one which is specified in “/etc/openvpn/server.conf “ along with “plugin” directive) and list all the PAM modules in this files accordingly.

      1.4) Test Setup:

      Our test environment is as follows:

        i) Operating System: Fedora release 8 (Werewolf)
        ii) OpenVPN Server : OpenVPN Version 2.0.9
        iii) Yubico PAM: pam_yubico Version 1.8
        iv) "/etc/pam.d/openvpn" file:

        auth required pam_yubico.so authfile=/etc/yubikeyid id=16 debug
        auth include system-auth
        account required pam_nologin.so
        account include system-auth
        password include system-auth
        session include system-auth

      1.5) Testing the configuration:

      We have tested the pam_yubico configuration on following Linux sever platforms:

        a) Fedora 8:

          i) Operating system: Fedora release 8 (Werewolf)
          ii) OpenVPN Server : OpenVPN Version 2.0.9
          iii) Yubico PAM: pam_yubico Version 1.8

        b) Fedora 6:

          i) Operating system: Fedora Core release 6 (Zod)
          ii) OpenVPN Server: OpenVPN Version 2.0.9
          iii) Yubico PAM: pam_yubico version 1.8

      To test the configuration, first create a couple of test users on the system where OpenVPN server is running and configure their YubiKey IDs accordingly.

      Please use the following command for testing:

      # openvpn /etc/openvpn/client.conf

      OpenVPN client will first prompt for username, enter the username. After that OpenVPN client will prompt for password, enter user’s password immediately followed by an OTP generated by a YubiKey.

      If OpenVPN server is configured for supporting PAM authentication, it will verify user authentication details even at the startup of OpenVPN server demon, when it is started using “init.d” script or it is configured to start at boot time.

      To avoid prompting of username and password at the startup of OpenVPN server demon, we can start OpenVPN Server demon at command line as follows instead of starting it using “init.d” script:

      # /usr/sbin/openvpn --config /etc/openvpn/server.conf --daemon openvpn

      We can configure OpenVPN server demon to start at boot time by copying the above command in /etc/rc.local file.

    2) OpenVPN Configuration with FreeRADIUS support:

    In this type of configuration, the OpenVPN server will be using FreeRADIUS server for authenticating users. FreeRADIUS server will be verifying the authentication information received from OpenVPN server by verifying the username and user’s password against system password file “/etc/passwd” (or by other means supported by FreeRADIUS) and verifying the OTP (one time password) generated by a YubiKey with the Yubico’s OTP validation server.

    To configure OpenVPN with FreeRADIUS support, please follow the steps below:

      A) Follow all the steps mentioned in the section “OpenVPN Configuration without FreeRADIUS support” to configure OpenVPN server to support PAM authentication.

      B) Install and configure FreeRADIUS server for two factor authentication using following wiki link:

      http://code.google.com/p/yubico-pam/wik ... DIUSviaPAM

      C) Install and configure pam_radius_auth.so and copy it to /lib/security directory

      D) Create a file “/etc/pam.d/openvpn” (file name must be the one which is specified in “/etc/openvpn/server.conf “ along with “plugin” directive) and copy the following contents to the file:

      account required pam_radius_auth.so
      account required pam_radius_auth.so
      auth required pam_radius_auth.so no_warn try_first_pass

      E) Create a file “/etc/raddb/server” to configure FreeRADIUS server that is used by pam_radius_auth PAM module. The content for the file is as follows:

      <RADIUS server fully qualified domain name/ IP Address> <Shared Secrete >
      <RADIUS server fully qualified domain name/ IP Address> <Shared Secrete >
      .
      .
      .
      .


      e.g.:

      freeradius.example.com Admin456

      We can configure failover support for RADIUS server by creating additional RADIUS server entries per line of “/etc/raddb/server” file.

    2.1) Test Setup:

    Our test environment is as follows:

      i) Operating System: Fedora release 8 (Werewolf)
      ii) FreeRADIUS Server: FreeRADIUS Server Version 1.1.7
      iii) pam_radius: pam_radius_auth Version 1.3.17
      iv) Yubico PAM: pam_yubico Version 1.8
      v) "/etc/pam.d/openvpn" file:

      account required pam_radius_auth.so
      account required pam_radius_auth.so
      auth required pam_radius_auth.so no_warn try_first_pass

    2.2) Testing the configuration:

    We have tested the pam_yubico configuration on following Linux sever platforms:

      a) Fedora 8:

        i) Operating system: Fedora release 8 (Werewolf)
        ii) OpenVPN Server : OpenVPN Version 2.0.9
        iii) Yubico PAM: pam_yubico Version 1.8
        iv) FreeRADIUS Server: FreeRADIUS Server Version 1.1.7
        v) Pam_radius: pam_radius_auth Version 1.3.17


      b) Fedora 6:

        i) Operating system: Fedora Core release 6 (Zod)
        ii) OpenVPN Server: OpenVPN Version 2.0.9
        iii) Yubico PAM: pam_yubico version 1.8
        iv) FreeRADIUS Server: FreeRADIUS Server Version 1.1.7
        v) Pam_radius: pam_radius_auth Version 1.3.17

    To test the configuration, first create a couple of test users on the system where FreeRADIUS server is running and configure their YubiKey IDs accordingly.

    Please use the following command for testing:

    # openvpn /etc/openvpn/client.conf

    OpenVPN client will first prompt for username, enter the username. After that OpenVPN client will prompt for password, enter user’s password immediately followed by an OTP generated by a YubiKey.


Note: Please use OpenVPN server Version 2.0.9 (Latest Stable Version), as older and newer beta versions have problems with PAM libraries. RADIUS authentication will fail if it is configured with older or latest beta versions of OpenVPN Server.

Statistics: Posted by network-marvels — Wed Nov 26, 2008 4:47 pm

]]> 2008-11-07T18:26:56+01:00 2008-11-07T18:26:56+01:00 https://forum.yubico.com/viewtopic.php?t=81&p=788#p788 <![CDATA[Re: YubiKey as a strong authentication device for VPN clients]]> Neal wrote:

Has any progress been made on this project recently? I have managed to get a Netscreen SSG VPN authenticating using the RedHat image and I'm interested in getting local auth done with username + password + OTP for two factor authentication on the vpn (basically the BETA which was sceduled for release Q3 2008). I'm quite happy to help test anything if it would help.

If no progress has been made since the last release I'll probably start from scratch with a RedHat ES5 install and the lateset pam modules etc. If so any suggestions would be greatly appreciated as I'd expect to loose some hair trying to get it working. I'll be happy to report on any progress I make.

Thanks in advance,


There has been some deployments of Yubico PAM for SSH, which is similar to deploying it for VPN/FreeRadus.

search.php?author_id=280&sr=posts

Any effort or experience sharing of Yubikey for VPN would be highly appreciated!

:) Thanks

Statistics: Posted by paul — Fri Nov 07, 2008 6:26 pm

]]> 2008-11-07T12:49:39+01:00 2008-11-07T12:49:39+01:00 https://forum.yubico.com/viewtopic.php?t=81&p=787#p787 <![CDATA[Re: YubiKey as a strong authentication device for VPN clients]]>
If no progress has been made since the last release I'll probably start from scratch with a RedHat ES5 install and the lateset pam modules etc. If so any suggestions would be greatly appreciated as I'd expect to loose some hair trying to get it working. I'll be happy to report on any progress I make.

Thanks in advance,

Statistics: Posted by Neal — Fri Nov 07, 2008 12:49 pm

]]> 2008-07-25T18:16:30+01:00 2008-07-25T18:16:30+01:00 https://forum.yubico.com/viewtopic.php?t=81&p=487#p487 <![CDATA[Download the pre-configured VPN ready package for RedHat]]>
yubicoVPNYubicoAuthServerConfigGuide.pdf (103.28 KB)

http://www.megaupload.com/?d=90WAGP86

* This is an VMWare image readily deployable on a Redhat:

yubicoVPNYubico Redhat Enterprise 4.zip (372.35 MB)

http://www.megaupload.com/?d=HCQYA6Y0

PS. Found many don't use BitTorrent client, so we use this mega upload service

Statistics: Posted by paul — Fri Jul 25, 2008 6:16 pm

]]> 2008-07-23T17:20:19+01:00 2008-07-23T17:20:19+01:00 https://forum.yubico.com/viewtopic.php?t=81&p=466#p466 <![CDATA[Re: YubiKey as a strong authentication device for VPN clients]]>
http://code.google.com/p/yubikeyvpnserver/

If you like, we heartily welcome you to participate with a leading role in a Yubico community group depends on your interest, expertise and availability:

[1] Technical Lead Group:

Collect & review requirements, decide the technology foundation,
arbitrate voting on feature preferences, architecture design, code the
framework, code & bug & doc review, coordinate the QA, documentation
and other developers' efforts, plan the release/patch schedules.

As a technical lead, since there are customers demand paid consulting,
Yubico will list you as a qualified expert in Yubikey integration on
our web site and you make your consulting money from our customers
directly. Because Yubikey has a fast-growing grass-root momentum, the
early qualified consultants should do pretty well in years to come.

[2] Customer/User Group:

Write down requirements from your use case, discuss & prioritize
suggested features, and sponsor this community project with $3K USD.
In return you can cast a Sponsor Vote about Go or No-Go of
controversial features. We welcome individuals or your company to
sponsor this project that benefit everyone.

Let me know.

Thanks

Statistics: Posted by paul — Wed Jul 23, 2008 5:20 pm

]]> 2008-07-23T16:20:54+01:00 2008-07-23T16:20:54+01:00 https://forum.yubico.com/viewtopic.php?t=81&p=463#p463 <![CDATA[Re: YubiKey as a strong authentication device for VPN clients]]> Statistics: Posted by paul — Wed Jul 23, 2008 4:20 pm

]]> 2008-07-18T17:58:23+01:00 2008-07-18T17:58:23+01:00 https://forum.yubico.com/viewtopic.php?t=81&p=442#p442 <![CDATA[Re: YubiKey as a strong authentication device for VPN clients]]>
Perhaps arranging a torrent for the image would alleviate Yubico from paying for the bandwidth of distributing it.

Statistics: Posted by Sam — Fri Jul 18, 2008 5:58 pm

]]> 2008-07-08T23:31:03+01:00 2008-07-08T23:31:03+01:00 https://forum.yubico.com/viewtopic.php?t=81&p=422#p422 <![CDATA[Re: YubiKey as a strong authentication device for VPN clients]]>
More info:

vpn

Cheers

Statistics: Posted by paul — Tue Jul 08, 2008 11:31 pm

]]> 2008-06-13T23:59:11+01:00 2008-06-13T23:59:11+01:00 https://forum.yubico.com/viewtopic.php?t=81&p=267#p267 <![CDATA[Re: YubiKey as a strong authentication device for VPN clients]]>
http://code.google.com/p/yubico-pam/w/list

I suppose you are very familiar with FreeRadius configuration etc. We also have a pre-configured VPN Ready package with FreeRadius + Yubico PAM preconfigured in a VMWare image that you can evaluate it out of the box. If you need that, we can arrange to get you a CDROM of it since it is too big to download.

Statistics: Posted by paul — Fri Jun 13, 2008 11:59 pm

]]> 2008-06-10T07:40:21+01:00 2008-06-10T07:40:21+01:00 https://forum.yubico.com/viewtopic.php?t=81&p=215#p215 <![CDATA[Re: YubiKey as a strong authentication device for VPN clients]]>
Stay tuned.

Statistics: Posted by paul — Tue Jun 10, 2008 7:40 am

]]>