Yubico Forum


All times are UTC + 1 hour

 Post subject: Yubikey and OpenVPN
PostPosted: Mon Jun 09, 2008 10:18 pm 

Joined: Mon Jun 09, 2008 8:37 pm
Posts: 9
Has anyone figured this out yet? Seems like a great fit.

Thanks



 Post subject: Re: Yubikey and OpenVPN
PostPosted: Tue Jun 10, 2008 7:38 am 

Joined: Wed May 07, 2008 5:25 pm
Posts: 110
Location: Sunnyvale, California
Sounds like a very good idea to me! Do you think Yubico's PAM module is enough for the integration?

_________________
The YubiKey Server Guy


 Post subject: Re: Yubikey and OpenVPN
PostPosted: Tue Jun 10, 2008 12:37 pm 

Joined: Mon Jun 09, 2008 8:37 pm
Posts: 9
Someone else mentioned starting at the PAM module, so it looks like I have some digging to do :)


 Post subject: Re: Yubikey and OpenVPN
PostPosted: Wed Jul 23, 2008 3:19 am 

Joined: Wed Jul 23, 2008 2:53 am
Posts: 3
I'm using OpenVPN's "auth-user-pass-verify" executable call-out, which forces the OpenVPN client to prompt for a user/password that is verified on the OpenVPN server side. I use this call-out in combination with the "ykclient" that comes with the libyubikey-client-1.1 package. (You could also use the other clients.)

First, I had to modify the code for ykclient. As of version 1.1, the last three code lines in ykclient.c look like this:

Code:
ret = yubikey_client_simple_request (token, atoi (client_id), 0, NULL);

printf ("Verification output (%d): %s\n", ret, yubikey_client_strerror (ret));

return EXIT_FAILURE;

I recommend modifying the final line to this:

Code:
return ret;

...which appears to return a zero (0) value upon success, and non-zero for failure.

After compiling ykclient and putting it into /usr/local/bin, I wrote the following script called /usr/local/bin/openvpn-yubikey-verify:

Code:
#!/bin/sh

# Yubico API client ID. With "via-env", OpenVPN hands the OTP typed by the
# user to this script in the $password environment variable.
CLIENT_ID=###

/usr/local/bin/ykclient ${CLIENT_ID} "${password}"

# Pass ykclient's status straight back: 0 tells OpenVPN the login succeeded.
exit $?

(Be sure to replace ### with your Yubico client ID.)

Next, I added this line to openvpn.conf on the server:

Code:
auth-user-pass-verify /usr/local/bin/openvpn-yubikey-verify via-env

And finally, I added this line to openvpn.conf on the client:

Code:
auth-user-pass

A restart of both the OpenVPN client and server is required.

This code will "get you going," but it's recommended that a more robust script be used to check for proper usernames (the above example ignores the ${username} variable entirely) and bounds-check the password (perhaps using a filter to consider only ModHex characters).

Be sure to use proper permissions to secure all of your files.


 Post subject: Re: Yubikey and OpenVPN
PostPosted: Thu Jul 24, 2008 11:35 am 
Site Admin

Joined: Tue May 06, 2008 7:22 pm
Posts: 151
jkbauer24 wrote:
I'm using OpenVPN's "auth-user-pass-verify" executable call-out, which forces the OpenVPN client to prompt for a user/password which is verified on the OpenVPN server side. I use this callout in combination with the "ykclient" that comes with the libyubikey-client-1.1 package. (You could also use the other clients, as well.)


Cool! Thanks for working on this.

jkbauer24 wrote:
First, I had to modify the code for ykclient. As of version 1.1, the last three code lines in ykclient.c look like this:

Code:
ret = yubikey_client_simple_request (token, atoi (client_id), 0, NULL);

printf ("Verification output (%d): %s\n", ret, yubikey_client_strerror (ret));

return EXIT_FAILURE;

I recommend modifying the final line to this:

Code:
return ret;

...which appears to return a zero (0) value upon success, and non-zero for failure.


I've done something similar in ykclient version 1.2, could you test it? Then it should work without any modifications.

Thanks,
Simon


 Post subject: Re: Yubikey and OpenVPN
PostPosted: Mon Aug 04, 2008 5:01 pm 

Joined: Mon Jun 09, 2008 8:37 pm
Posts: 9
Thanks for helping on this.

Does anyone have a solution for a Windows-based (server and client) setup running OVPN?


 Post subject: Re: Yubikey and OpenVPN
PostPosted: Tue Aug 11, 2009 4:25 am 

Joined: Tue Aug 11, 2009 4:22 am
Posts: 1
Here is what I have been using...

Create a file called /etc/openvpn/cserver/yubikeys, or change the yubikeys= path to suit yourself.

In it, place username:first 12 characters from the YubiKey token, for example:

jdoe:fkdjslikdj

This sort of pairs a YubiKey back to a single user....

-----------------------------------

#!/bin/sh

# OpenVPN (auth-user-pass-verify ... via-env) exports $username and $password.
# For testing by hand you can take them from the command line instead:
#DEBUG
#username=$1
#password=$2
gratesuksess=0                          # exit status ykclient gives on success

CLIENT_ID=1                             # Yubico API client ID
log=/var/log/openvpn/clients.log
yubikeys=/etc/openvpn/cserver/yubikeys  # one "username:publicid" pair per line

# Find this user's mapping line and pull the username field back out of it.
yubimatch=$(cat $yubikeys | grep ${username}:)
yubimatchuser=$(echo $yubimatch | awk -F":" '{ print $1 }')

if [ "$username" = "$yubimatchuser" ]; then
    # Registered public ID versus the first 12 characters of the submitted OTP.
    yubimatchkey=$(echo $yubimatch | awk -F":" '{ print $2 }')
    yubitrimmedkey=$(echo $password | sed 's/\(.\{12\}\).*/\1/')

    if [ "$yubimatchkey" = "$yubitrimmedkey" ]; then
        # echo DEBUG: $yubimatch - $yubimatchkey
        # The key belongs to this user; now let Yubico validate the OTP itself.
        /usr/bin/ykclient ${CLIENT_ID} "${password}"
        status=$?
        if [ "$status" = "$gratesuksess" ]; then
            echo "$(date) login success (yubikey match)/ yubikey: $yubitrimmedkey - username: ${username} - token: $password" >>$log
            exit $status
        else
            echo "$(date) login failure (yubikey: $status)/ yubikey: $yubitrimmedkey - username: ${username} - token: $password" >>$log
            exit 1
        fi
    else
        echo "$(date) login failure (yubikey mismatch)/ yubikey: $yubitrimmedkey - username: ${username} - token: $password" >>$log
        exit 1
    fi
else
    echo "$(date) login failure (username not found)/ yubikey: $yubitrimmedkey - username: ${username} - token: $password" >>$log
    exit 1
fi


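The following script is an added example, not code posted in this thread and not part of ykclient, libyubikey-client or OpenVPN. It puts together the two approaches above: the auth-user-pass-verify call-out in via-env mode from jkbauer24's post, with the username check and ModHex bounds check that post recommends, and the per-user public-ID mapping file from the last post. Assumptions (all labelled in the code): OpenVPN exports the login as $username and $password; ykclient is invoked as "ykclient CLIENT_ID OTP" and exits 0 only for a valid OTP (the 1.2 behaviour Simon describes); the mapping file holds one "user:publicid" pair per line; the OTP and mapping values used for the self-check are constructed, not real keys. Three things differ from the posted script by design: the user lookup is an exact match (grep ${username}: also matches any longer name that ends the same way, e.g. "doe" against "jdoe:"), the OTP is rejected before any network round trip unless it is 32 to 48 ModHex characters, and the OTP itself is never written to the log.

```shell
#!/bin/sh
# Added example (not from this thread, Yubico or OpenVPN): a stricter
# auth-user-pass-verify script for OpenVPN's "via-env" mode.
# Assumed: $username/$password come from OpenVPN; "$YKCLIENT CLIENT_ID OTP"
# exits 0 only for a valid OTP; $YUBIKEYS holds "user:publicid" lines.

YKCLIENT=${YKCLIENT:-/usr/local/bin/ykclient}
YUBIKEYS=${YUBIKEYS:-/etc/openvpn/cserver/yubikeys}
CLIENT_ID=${CLIENT_ID:-REPLACE_WITH_YOUR_CLIENT_ID}   # placeholder value
LOG=${LOG:-/var/log/openvpn/clients.log}

# Append one line to the log. The OTP is deliberately not logged; the
# username and the key's public ID are enough to trace a login.
log_result() {
    { printf '%s %s user=%s pubid=%s\n' \
        "$(date '+%Y-%m-%dT%H:%M:%S')" "$1" "$2" "$3" >>"$LOG"; } 2>/dev/null || :
}

# A YubiKey OTP is 32..48 characters from the ModHex alphabet
# (cbdefghijklnrtuv). Anything else is rejected before we touch the network.
is_modhex_otp() {
    otp=$1
    case "$otp" in
        ''|*[!cbdefghijklnrtuv]*) return 1 ;;
    esac
    len=${#otp}
    [ "$len" -ge 32 ] && [ "$len" -le 48 ]
}

# The last 32 characters are the encrypted part; whatever precedes them is
# the key's public ID (12 characters for a standard YubiKey).
otp_public_id() {
    otp=$1
    keep=$(( ${#otp} - 32 ))
    [ "$keep" -gt 0 ] || return 1
    printf '%s\n' "$otp" | cut -c 1-"$keep"
}

# Exact-match lookup of a user's registered public ID in the mapping file.
# Lines starting with '#' or lacking a ':' are ignored. Exit 1 if not found.
lookup_public_id() {
    awk -F: -v u="$2" '
        /^#/ || NF < 2 { next }
        $1 == u        { print $2; found = 1; exit }
        END            { exit !found }
    ' "$1"
}

# Constructed sample mapping (not real keys) written to a temp file so the
# checks can be exercised without touching /etc/openvpn.
demo_mapping_file() {
    f=$(mktemp) || return 1
    printf '%s\n' '# user:publicid' 'jdoe:ccccccbcgujh' 'asmith:ccccccbdhkrt' >"$f"
    printf '%s\n' "$f"
}

# Full decision: username syntax -> OTP syntax -> key belongs to user ->
# only then ask the validation server. Returns 0 to accept, 1 to reject.
verify_login() {
    user=$1
    otp=$2
    case "$user" in
        ''|*[!A-Za-z0-9._-]*) log_result "reject: bad username" "$user" "-"; return 1 ;;
    esac
    if ! is_modhex_otp "$otp"; then
        log_result "reject: malformed otp" "$user" "-"; return 1
    fi
    pubid=$(otp_public_id "$otp")
    expected=$(lookup_public_id "$YUBIKEYS" "$user") || {
        log_result "reject: unknown user" "$user" "$pubid"; return 1; }
    if [ "$expected" != "$pubid" ]; then
        log_result "reject: key not registered to user" "$user" "$pubid"; return 1
    fi
    if "$YKCLIENT" "$CLIENT_ID" "$otp" >/dev/null 2>&1; then
        log_result "accept" "$user" "$pubid"; return 0
    fi
    log_result "reject: otp refused by validation server" "$user" "$pubid"
    return 1
}

# Entry point when OpenVPN runs us with via-env: both variables are set.
if [ -n "${username:-}" ] && [ -n "${password:-}" ]; then
    verify_login "$username" "$password"
    exit $?
fi
```

Install it as the auth-user-pass-verify script exactly as in jkbauer24's post. Two points from OpenVPN's own documentation are worth knowing before relying on via-env: current releases require "script-security 3" for a password to be passed through the environment at all, and the manual recommends via-file over via-env because on some platforms the environment of a process is readable by other unprivileged processes.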