Yubico Forum
https://forum.yubico.com/

Yubikey and OpenVPN
https://forum.yubico.com/viewtopic.php?f=3&t=89

Author:  julian46 [ Mon Jun 09, 2008 10:18 pm ]
Post subject:  Yubikey and OpenVPN

has anyone figured this out yet - seems like a great fit

thanks

Author:  paul [ Tue Jun 10, 2008 7:38 am ]
Post subject:  Re: Yubikey and OpenVPN

Sounds a very good idea to me! Do you think Yubico's PAM module is enough for the integration?

Author:  julian46 [ Tue Jun 10, 2008 12:37 pm ]
Post subject:  Re: Yubikey and OpenVPN

someone else mentioned start at the PAM module - so it looks like I have some digging to do :)

Author:  jkbauer24 [ Wed Jul 23, 2008 3:19 am ]
Post subject:  Re: Yubikey and OpenVPN

I'm using OpenVPN's "auth-user-pass-verify" executable call-out, which forces the OpenVPN client to prompt for a user/password which is verified on the OpenVPN server side. I use this callout in combination with the "ykclient" that comes with the libyubikey-client-1.1 package. (You could also use the other clients, as well.)

First, I had to modify the code for ykclient. As of version 1.1, the last three code lines in ykclient.c look like this:

Code:
ret = yubikey_client_simple_request (token, atoi (client_id), 0, NULL);

printf ("Verification output (%d): %s\n", ret, yubikey_client_strerror (ret));

return EXIT_FAILURE;

I recommend modifying the final line to this:

Code:
return ret;

...which appears to return a zero (0) value upon success, and non-zero for failure.

After compiling ykclient and putting it into /usr/local/bin, I wrote the following script called /usr/local/bin/openvpn-yubikey-verify:

Code:
#!/bin/sh

# Your Yubico API client ID; replace ### with your own value
CLIENT_ID=###

# With "via-env", OpenVPN exports the typed login as $username and $password;
# the user types the YubiKey OTP as the password, so that is what ykclient validates
/usr/local/bin/ykclient ${CLIENT_ID} "${password}"

# ykclient (with the "return ret" change) exits 0 on success, non-zero otherwise
exit $?

(Be sure to replace ### with your Yubico client ID.)

Next, I added this line to openvpn.conf on the server:

Code:
auth-user-pass-verify /usr/local/bin/openvpn-yubikey-verify via-env

And finally, I added this line to openvpn.conf on the client:

Code:
auth-user-pass

A restart of both the OpenVPN client and server is required.

This code will "get you going," but it's recommended that a more robust script be used to check for proper usernames (the above example ignores the ${username} variable entirely) and bounds-check the password (perhaps using a filter to consider only ModHex characters).

Be sure to use proper permissions to secure all of your files.

Author:  Simon [ Thu Jul 24, 2008 11:35 am ]
Post subject:  Re: Yubikey and OpenVPN

jkbauer24 wrote:
I'm using OpenVPN's "auth-user-pass-verify" executable call-out, which forces the OpenVPN client to prompt for a user/password which is verified on the OpenVPN server side. I use this callout in combination with the "ykclient" that comes with the libyubikey-client-1.1 package. (You could also use the other clients, as well.)


Cool! Thanks for working on this.

jkbauer24 wrote:
First, I had to modify the code for ykclient. As of version 1.1, the last three code lines in ykclient.c look like this:

Code:
ret = yubikey_client_simple_request (token, atoi (client_id), 0, NULL);

printf ("Verification output (%d): %s\n", ret, yubikey_client_strerror (ret));

return EXIT_FAILURE;

I recommend modifying the final line to this:

Code:
return ret;

...which appears to return a zero (0) value upon success, and non-zero for failure.


I've done something similar in ykclient version 1.2, could you test it? Then it should work without any modifications.

Thanks,
Simon

Author:  julian46 [ Mon Aug 04, 2008 5:01 pm ]
Post subject:  Re: Yubikey and OpenVPN

thanks for helping on this

does anyone have a soln for a windows based (server and client) running OVPN?

Author:  youngpro [ Tue Aug 11, 2009 4:25 am ]
Post subject:  Re: Yubikey and OpenVPN

here is what i have been using...

create a file called /etc/openvpn/cserver/yubikeys, or change the yubikeys= path to suit yourself,

in it place username:first 12 characters from yubikey token
for example,
jdoe:fkdjslikdj

this sort of pairs back a yubikey to a single user....

-----------------------------------

#!/bin/sh

#DEBUG
#username=$1
#password=$2
gratesuksess=0

CLIENT_ID=1
log=/var/log/openvpn/clients.log
yubikeys=/etc/openvpn/cserver/yubikeys

# Anchor the match to the start of the line and to the whole user column,
# so that "doe" cannot match the "jdoe:" entry; take the first hit only.
# (The username is still used as a regex here, so it must not contain
# characters such as '.' or '*'.)
yubimatch=`grep -- "^${username}:" "$yubikeys" | head -n 1`
yubimatchuser=`echo "$yubimatch" | awk -F":" '{ print $1 }'`

if [ "$username" = "$yubimatchuser" ]; then
    yubimatchkey=`echo "$yubimatch" | awk -F":" '{ print $2 }'`
    # the first 12 characters of the OTP are the key's fixed public id
    yubitrimmedkey=`echo "$password" | sed 's/\(.\{12\}\).*/\1/'`

    if [ "$yubimatchkey" = "$yubitrimmedkey" ]; then
        # echo DEBUG: $yubimatch - $yubimatchkey
        # only now ask the Yubico validation service about the whole OTP
        /usr/bin/ykclient ${CLIENT_ID} "${password}"
        status=$?
        if [ "$status" = "$gratesuksess" ]; then
            echo "`date` login success (yubikey match)/ yubikey: $yubitrimmedkey - username: ${username} - token: $password" >>"$log"
            exit $status
        else
            echo "`date` login failure (yubikey: $status)/ yubikey: $yubitrimmedkey - username: ${username} - token: $password" >>"$log"
            exit 1
        fi
    else
        echo "`date` login failure (yubikey mismatch)/ yubikey: $yubitrimmedkey - username: ${username} - token: $password" >>"$log"
        exit 1
    fi
else
    echo "`date` login failure (username not found)/ yubikey: $yubitrimmedkey - username: ${username} - token: $password" >>"$log"
    exit 1
fi
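The following is an added example (not code posted by jkbauer24, youngpro or Yubico) that puts together the two things this thread asks for: jkbauer24's suggestion of a more robust callout that checks the username and bounds-checks the password against the ModHex alphabet, and youngpro's pairing of each user with the 12-character public id of one key. It keeps the thread's assumptions: ykclient has the "return ret" change so that exit status 0 means the OTP validated, the OTP is the default 44 ModHex characters with a 12-character public id in front, and the paths /usr/local/bin/ykclient and /etc/openvpn/cserver/yubikeys come from the posts above. The CLIENT_ID value is a placeholder, and letting YKCLIENT, YUBIKEYS and LOGFILE be overridden from the environment is an assumption added so the functions can be exercised with a stub instead of the real validation service.

```shell
#!/bin/sh
# openvpn-yubikey-verify: hardened auth-user-pass-verify callout (added example)
# Invoked by OpenVPN as   auth-user-pass-verify /usr/local/bin/openvpn-yubikey-verify via-env
# so the user's login arrives as $username and the typed YubiKey OTP as $password.

CLIENT_ID="${CLIENT_ID:-###}"                           # placeholder: your Yubico client id
YKCLIENT="${YKCLIENT:-/usr/local/bin/ykclient}"         # ykclient with the 'return ret' change (exit 0 = valid)
YUBIKEYS="${YUBIKEYS:-/etc/openvpn/cserver/yubikeys}"   # one "user:publicid" line per user
LOGFILE="${LOGFILE:-/var/log/openvpn/clients.log}"      # env overrides are an assumption for testing

log() {
    printf '%s %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$*" >>"$LOGFILE" 2>/dev/null || :
}

# Username: non-empty and only [A-Za-z0-9._-], so nothing it contains can act
# as a shell, regex or awk metacharacter further down.
valid_username() {
    case "$1" in
        '' | *[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# OTP: exactly 44 ModHex characters (assumes the default 12-char public id in
# front of the 32-char encrypted part). Anything else is rejected before any
# network round trip to the validation service.
valid_otp() {
    [ "${#1}" -eq 44 ] || return 1
    case "$1" in
        *[!cbdefghijklnrtuv]*) return 1 ;;
    esac
    return 0
}

# The public id is the fixed prefix of every OTP the key produces.
public_id() {
    printf '%s\n' "$1" | cut -c 1-12
}

# Exact match on the user column: no regex, so "j.doe" cannot match "jxdoe".
# Usage: registered_id <keyfile> <user>
registered_id() {
    awk -F: -v u="$2" '$1 == u { print $2; exit }' "$1"
}

# Full decision. Usage: verify_user <keyfile> <username> <otp>; returns 0 to accept.
verify_user() {
    keyfile=$1
    user=$2
    otp=$3
    if ! valid_username "$user"; then
        log "reject: malformed username"; return 1
    fi
    if ! valid_otp "$otp"; then
        log "reject user=$user: password is not a 44-char ModHex OTP"; return 1
    fi
    expected=$(registered_id "$keyfile" "$user")
    presented=$(public_id "$otp")
    if [ -z "$expected" ]; then
        log "reject user=$user: no key registered"; return 1
    fi
    if [ "$expected" != "$presented" ]; then
        log "reject user=$user: key $presented is not the one paired with this user"; return 1
    fi
    # Only a well-formed OTP from the paired key reaches the validation server.
    rc=0
    "$YKCLIENT" "$CLIENT_ID" "$otp" >/dev/null 2>&1 || rc=$?
    if [ "$rc" -eq 0 ]; then
        log "accept user=$user key=$presented"
        return 0
    fi
    log "reject user=$user key=$presented: ykclient exit status $rc"
    return 1
}

# OpenVPN (via-env) exports username and password; when they are absent the
# file is being sourced for testing and must not exit.
if [ -n "${username:-}" ] && [ -n "${password:-}" ]; then
    if verify_user "$YUBIKEYS" "$username" "$password"; then
        exit 0
    fi
    exit 1
fi
```

The order of the checks is the point: format and pairing are decided locally, so a mistyped or replayed string from the wrong key never costs a request to the validation service, and the log records the public id rather than the whole OTP.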
