Yubico Forum
https://forum.yubico.com/

OpenVPN PAM config file for Debian
https://forum.yubico.com/viewtopic.php?f=5&t=1824

Author:  besson3c [ Wed Apr 08, 2015 7:55 pm ]
Post subject:  OpenVPN PAM config file for Debian

Hello,

I'm having problems getting PAM password checks working as my second factor for my OpenVPN auth. The instructions here (for the setup without FreeRADIUS) include a PAM config file for Red Hat-based systems:

https://developers.yubico.com/yubico-pa ... a_PAM.html

Here is that config:

Quote:
auth required pam_yubico.so authfile=/etc/yubikeyid id=16 debug
auth include system-auth
account required pam_nologin.so
account include system-auth
password include system-auth
session include system-auth


When I comment out everything but the first line, my VPN connections work fine, but of course authentication works with any password I provide it that precedes my YubiKey OTP. On Debian-based systems there isn't a system-auth, but it isn't working with "common-auth" in place of "system-auth" either.

Any feedback on a working Debian-compatible configuration?

Author:  besson3c [ Thu Apr 09, 2015 3:15 pm ]
Post subject:  Re: OpenVPN PAM config file for Debian

Here is my current attempt (which is authenticating my Yubikey but not my system password):

Quote:
auth required pam_yubico.so authfile=/path/to/yubikeys id=22010 debug
auth include common-auth
account required pam_nologin.so
account include common-account
password include common-password
session include common-session

Author:  besson3c [ Thu Apr 09, 2015 3:48 pm ]
Post subject:  Re: OpenVPN PAM config file for Debian

Figured it out, this works for me:

auth required pam_yubico.so authfile=/path/to/yubikeys id=22010 debug
auth required pam_unix.so try_first_pass debug shadow nodelay
account required pam_unix.so
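
Added example, not part of the original thread: a small Python lint for the stack shapes discussed above. It flags a pam_yubico-only auth stack (where the text typed before the OTP is never checked), include targets absent from /etc/pam.d, and a pam_unix line lacking try_first_pass or use_first_pass. The function names, finding labels and the Debian include set are assumptions made for this example.

```python
# Added example: lint an OpenVPN PAM service file that stacks pam_yubico
# with a system password check. Finding labels are invented for this example.
FIRST_PASS = {"try_first_pass", "use_first_pass"}
# Assumption: the shared include files present in /etc/pam.d on the Debian host.
DEBIAN_PAM_D = {"common-auth", "common-account", "common-password", "common-session"}

def parse_rules(text):
    """Yield (type, control, module, args) per rule; assumes one-word controls."""
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3:
            yield fields[0].lstrip("-"), fields[1], fields[2], fields[3:]

def audit(text, available_includes):
    """Return a sorted list of finding labels for one service file."""
    rules = list(parse_rules(text))
    findings = set()
    for _, control, target, _ in rules:
        if control in ("include", "substack") and target not in available_includes:
            findings.add("missing-include:" + target)
    auth = [r for r in rules if r[0] == "auth"]
    modules = [r[2] for r in auth]
    if "pam_yubico.so" not in modules:
        return sorted(findings | {"no-pam_yubico"})
    after = auth[modules.index("pam_yubico.so") + 1:]
    if not after:
        # Nothing verifies the password portion that precedes the OTP.
        findings.add("password-unchecked")
    for _, control, module, args in after:
        if module == "pam_unix.so" and not FIRST_PASS & set(args):
            # pam_unix would prompt again instead of reusing the stacked token.
            findings.add("unix-prompts-again")
        elif control in ("include", "substack") and module in available_includes:
            # Options set inside the included file are not visible from here.
            findings.add("review-include:" + module)
    return sorted(findings)

# Constructed samples mirroring the configurations posted in the thread.
YUBICO_ONLY = "auth required pam_yubico.so authfile=/path/to/yubikeys id=22010 debug\n"
REDHAT_STYLE = YUBICO_ONLY + "auth include system-auth\n"
DEBIAN_INCLUDE = YUBICO_ONLY + "auth include common-auth\n"
WORKING = (YUBICO_ONLY
           + "auth required pam_unix.so try_first_pass debug shadow nodelay\n"
           + "account required pam_unix.so\n")

if __name__ == "__main__":
    for name in ("YUBICO_ONLY", "REDHAT_STYLE", "DEBIAN_INCLUDE", "WORKING"):
        print(name, audit(globals()[name], DEBIAN_PAM_D))
```

An empty list means none of these three conditions was found; it does not prove the stack authenticates correctly, so a login test with a wrong password plus a valid OTP is still needed.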

All times are UTC + 1 hour