Yubico Forum ...visit our web-store at 2009-08-11T04:25:46+01:00 https://forum.yubico.com/feed.php?f=3&t=89 2009-08-11T04:25:46+01:00 2009-08-11T04:25:46+01:00 https://forum.yubico.com/viewtopic.php?t=89&p=1657#p1657 <![CDATA[Re: Yubikey and OpenVPN]]>
create a file called /etc/openvpn/cserver/yubikeys, or change the yubikeys= path to suite yourself,

in it place username:first 12 characters from yubikey token
for example,
jdoe:fkdjslikdj

this sort of pairs back a yubikey to a single user....

-----------------------------------

#!/bin/sh

#DEBUG
#username=$1
#password=$2
gratesuksess=0

CLIENT_ID=1
log=/var/log/openvpn/clients.log
yubikeys=/etc/openvpn/cserver/yubikeys

yubimatch=`cat $yubikeys | grep ${username}:`
yubimatchuser=`echo $yubimatch | awk -F":" '{ print $1 }'`


if [ "$username" = "$yubimatchuser" ]; then
yubimatchkey=`echo $yubimatch | awk -F":" '{ print $2 }'`
yubitrimmedkey=`echo $password | sed 's/\(.\{12\}\).*/\1/'`


if [ "$yubimatchkey" = "$yubitrimmedkey" ]; then
# echo DEBUG: $yubimatch - $yubimatchkey
/usr/bin/ykclient ${CLIENT_ID} "${password}"
status=$?
if [ "$status" = "$gratesuksess" ]; then
echo "`date` login success (yubikey match)/ yubikey: $yubitrimmedkey - username: ${username} - token: $password" >>$log
exit $status
else
echo "`date` login failure (yubikey: $status)/ yubikey: $yubitrimmedkey - username: ${username} - token: $password" >>$log
exit 1
fi
else
echo "`date` login failure (yubikey mismatch)/ yubikey: $yubitrimmedkey - username: ${username} - token: $password" >>$log
exit 1
fi
else
echo "`date` login failure (username not found)/ yubikey: $yubitrimmedkey - username: ${username} - token: $password" >>$log
exit 1
fi

Statistics: Posted by youngpro — Tue Aug 11, 2009 4:25 am

]]> 2008-08-04T17:01:08+01:00 2008-08-04T17:01:08+01:00 https://forum.yubico.com/viewtopic.php?t=89&p=519#p519 <![CDATA[Re: Yubikey and OpenVPN]]>
does anyone have a soln for a windows based (server and client) running OVPN?

Statistics: Posted by julian46 — Mon Aug 04, 2008 5:01 pm

]]> 2008-07-24T11:35:03+01:00 2008-07-24T11:35:03+01:00 https://forum.yubico.com/viewtopic.php?t=89&p=473#p473 <![CDATA[Re: Yubikey and OpenVPN]]> jkbauer24 wrote:

I'm using OpenVPN's "auth-user-pass-verify" executable call-out, which forces the OpenVPN client to prompt for a user/password which is verified on the OpenVPN server side. I use this callout in combination with the "ykclient" that comes with the libyubikey-client-1.1 package. (You could also use the other clients, as well.)


Cool! Thanks for working on this.

jkbauer24 wrote:

First, I had to modify the code for ykclient. As of version 1.1, the last three code lines in ykclient.c look like this:

Code:
ret = yubikey_client_simple_request (token, atoi (client_id), 0, NULL);

printf ("Verification output (%d): %s\n", ret, yubikey_client_strerror (ret));

return EXIT_FAILURE;

I recommend modifying the final line to this:

Code:
return ret;

...which appears to return a zero (0) value upon success, and non-zero for failure.


I've done something similar in ykclient version 1.2, could you test it? Then it should work without any modifications.

Thanks,
Simon

Statistics: Posted by Simon — Thu Jul 24, 2008 11:35 am

]]> 2008-07-23T03:19:29+01:00 2008-07-23T03:19:29+01:00 https://forum.yubico.com/viewtopic.php?t=89&p=459#p459 <![CDATA[Re: Yubikey and OpenVPN]]>
First, I had to modify the code for ykclient. As of version 1.1, the last three code lines in ykclient.c look like this:

Code:
ret = yubikey_client_simple_request (token, atoi (client_id), 0, NULL);

printf ("Verification output (%d): %s\n", ret, yubikey_client_strerror (ret));

return EXIT_FAILURE;

I recommend modifying the final line to this:

Code:
return ret;

...which appears to return a zero (0) value upon success, and non-zero for failure.

After compiling ykclient and putting it into /usr/local/bin, I wrote the following script called /usr/local/bin/openvpn-yubikey-verify:

Code:
#!/bin/sh

CLIENT_ID=###

/usr/local/bin/ykclient ${CLIENT_ID} "${password}"

exit $?

(Be sure to replace ### with your Yubico client ID.)

Next, I added this line to openvpn.conf on the server:

Code:
auth-user-pass-verify /usr/local/bin/openvpn-yubikey-verify via-env

And finally, I added this line to openvpn.conf on the client:

Code:
auth-user-pass

A restart of both the OpenVPN client and server is required.

This code will "get you going," but it's recommended that a more robust script be used to check for proper usernames (the above example ignores the ${username} variable entirely) and bounds-check the password (perhaps using a filter to consider only ModHex characters).

Be sure to use proper permissions to secure all of your files.

Statistics: Posted by jkbauer24 — Wed Jul 23, 2008 3:19 am

]]> 2008-06-10T12:37:16+01:00 2008-06-10T12:37:16+01:00 https://forum.yubico.com/viewtopic.php?t=89&p=227#p227 <![CDATA[Re: Yubikey and OpenVPN]]>

Statistics: Posted by julian46 — Tue Jun 10, 2008 12:37 pm

]]> 2008-06-10T07:38:34+01:00 2008-06-10T07:38:34+01:00 https://forum.yubico.com/viewtopic.php?t=89&p=214#p214 <![CDATA[Re: Yubikey and OpenVPN]]> Statistics: Posted by paul — Tue Jun 10, 2008 7:38 am

]]> 2008-06-09T22:18:39+01:00 2008-06-09T22:18:39+01:00 https://forum.yubico.com/viewtopic.php?t=89&p=209#p209 <![CDATA[Yubikey and OpenVPN]]>
thanks

Statistics: Posted by julian46 — Mon Jun 09, 2008 10:18 pm

]]>