Yubico Forum

has anyone figured this out yet - seems like a great fit

thanks

Sounds a very good idea to me! Do you think Yubico's PAM module is enough for the integration?

_________________
The YubiKey Server Guy

someone else mentioned start at the PAM module - so it looks like I have some digging to do

I'm using OpenVPN's "auth-user-pass-verify" executable call-out, which forces the OpenVPN client to prompt for a user/password which is verified on the OpenVPN server side. I use this callout in combination with the "ykclient" that comes with the libyubikey-client-1.1 package. (You could also use the other clients, as well.)

First, I had to modify the code for ykclient. As of version 1.1, the last three code lines in ykclient.c look like this:


I recommend modifying the final line to this:


...which appears to return a zero (0) value upon success, and non-zero for failure.

After compiling ykclient and putting it into /usr/local/bin, I wrote the following script called /usr/local/bin/openvpn-yubikey-verify:


(Be sure to replace ### with your Yubico client ID.)

Next, I added this line to openvpn.conf on the server:


And finally, I added this line to openvpn.conf on the client:


A restart of both the OpenVPN client and server is required.

This code will "get you going," but it's recommended that a more robust script be used to check for proper usernames (the above example ignores the ${username} variable entirely) and bounds-check the password (perhaps using a filter to consider only ModHex characters).

Be sure to use proper permissions to secure all of your files.

Cool! Thanks for working on this.



I've done something similar in ykclient version 1.2, could you test it? Then it should work without any modifications.

Thanks,
Simon

thanks for helping on this

does anyone have a soln for a windows based (server and client) running OVPN?

here is what i have been using...

create a file called /etc/openvpn/cserver/yubikeys, or change the yubikeys= path to suite yourself,

in it place username:first 12 characters from yubikey token
for example,
jdoe:fkdjslikdj

this sort of pairs back a yubikey to a single user....

-----------------------------------

#!/bin/sh

#DEBUG
#username=$1
#password=$2
gratesuksess=0

CLIENT_ID=1
log=/var/log/openvpn/clients.log
yubikeys=/etc/openvpn/cserver/yubikeys

yubimatch=`cat $yubikeys | grep ${username}:`
yubimatchuser=`echo $yubimatch | awk -F":" '{ print $1 }'`


if [ "$username" = "$yubimatchuser" ]; then
yubimatchkey=`echo $yubimatch | awk -F":" '{ print $2 }'`
yubitrimmedkey=`echo $password | sed 's/\(.\{12\}\).*/\1/'`


if [ "$yubimatchkey" = "$yubitrimmedkey" ]; then
# echo DEBUG: $yubimatch - $yubimatchkey
/usr/bin/ykclient ${CLIENT_ID} "${password}"
status=$?
if [ "$status" = "$gratesuksess" ]; then
echo "`date` login success (yubikey match)/ yubikey: $yubitrimmedkey - username: ${username} - token: $password" >>$log
exit $status
else
echo "`date` login failure (yubikey: $status)/ yubikey: $yubitrimmedkey - username: ${username} - token: $password" >>$log
exit 1
fi
else
echo "`date` login failure (yubikey mismatch)/ yubikey: $yubitrimmedkey - username: ${username} - token: $password" >>$log
exit 1
fi
else
echo "`date` login failure (username not found)/ yubikey: $yubitrimmedkey - username: ${username} - token: $password" >>$log
exit 1
fi