Hi,
I'm trying to get the Yubico PAM module working to provide two-factor legacy username + password + YubiKey OTP authentication for OpenVPN.
I followed the instructions on this page:
http://code.google.com/p/yubico-pam/wik ... nVPNviaPAM
The OpenVPN server is CentOS 5 64-bit.
The OpenVPN client is Fedora FC15. Another OpenVPN client is using Windows 7 64-bit.
When I try to use the VPN client (on both clients, Windows & Linux), it fails while trying to authenticate. Here is the output of openvpn.log:
Code:
Wed Sep 7 16:45:17 2011 us=525294 MULTI: multi_create_instance called
Wed Sep 7 16:45:17 2011 us=525381 192.168.1.13:33660 Re-using SSL/TLS context
Wed Sep 7 16:45:17 2011 us=525457 192.168.1.13:33660 LZO compression initialized
Wed Sep 7 16:45:17 2011 us=525514 192.168.1.13:33660 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Wed Sep 7 16:45:17 2011 us=525524 192.168.1.13:33660 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Wed Sep 7 16:45:17 2011 us=525549 192.168.1.13:33660 Local Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Wed Sep 7 16:45:17 2011 us=525556 192.168.1.13:33660 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Wed Sep 7 16:45:17 2011 us=525568 192.168.1.13:33660 Local Options hash (VER=V4): '530fdded'
Wed Sep 7 16:45:17 2011 us=525579 192.168.1.13:33660 Expected Remote Options hash (VER=V4): '41690919'
Wed Sep 7 16:45:17 2011 us=525601 192.168.1.13:33660 UDPv4 READ [14] from 192.168.1.13:33660: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
Wed Sep 7 16:45:17 2011 us=525612 192.168.1.13:33660 TLS: Initial packet from 192.168.1.13:33660, sid=fc4c103b 050db54c
Wed Sep 7 16:45:17 2011 us=525631 192.168.1.13:33660 UDPv4 WRITE [26] to 192.168.1.13:33660: P_CONTROL_HARD_RESET_SERVER_V2 kid=0 [ 0 ] pid=0 DATA len=0
Wed Sep 7 16:45:17 2011 us=525995 192.168.1.13:33660 UDPv4 READ [22] from 192.168.1.13:33660: P_ACK_V1 kid=0 [ 0 ]
Wed Sep 7 16:45:17 2011 us=526031 192.168.1.13:33660 UDPv4 READ [114] from 192.168.1.13:33660: P_CONTROL_V1 kid=0 [ ] pid=1 DATA len=100
Wed Sep 7 16:45:17 2011 us=526058 192.168.1.13:33660 UDPv4 WRITE [22] to 192.168.1.13:33660: P_ACK_V1 kid=0 [ 1 ]
Wed Sep 7 16:45:17 2011 us=526093 192.168.1.13:33660 UDPv4 READ [27] from 192.168.1.13:33660: P_CONTROL_V1 kid=0 [ ] pid=2 DATA len=13
Wed Sep 7 16:45:17 2011 us=528709 192.168.1.13:33660 UDPv4 WRITE [126] to 192.168.1.13:33660: P_CONTROL_V1 kid=0 [ 2 ] pid=1 DATA len=100
Wed Sep 7 16:45:17 2011 us=528741 192.168.1.13:33660 UDPv4 WRITE [114] to 192.168.1.13:33660: P_CONTROL_V1 kid=0 [ ] pid=2 DATA len=100
Wed Sep 7 16:45:17 2011 us=528769 192.168.1.13:33660 UDPv4 WRITE [114] to 192.168.1.13:33660: P_CONTROL_V1 kid=0 [ ] pid=3 DATA len=100
Wed Sep 7 16:45:17 2011 us=528797 192.168.1.13:33660 UDPv4 WRITE [114] to 192.168.1.13:33660: P_CONTROL_V1 kid=0 [ ] pid=4 DATA len=100
Wed Sep 7 16:45:17 2011 us=529208 192.168.1.13:33660 UDPv4 READ [22] from 192.168.1.13:33660: P_ACK_V1 kid=0 [ 1 ]
Wed Sep 7 16:45:17 2011 us=529257 192.168.1.13:33660 UDPv4 WRITE [114] to 192.168.1.13:33660: P_CONTROL_V1 kid=0 [ ] pid=5 DATA len=100
Wed Sep 7 16:45:17 2011 us=529287 192.168.1.13:33660 UDPv4 READ [22] from 192.168.1.13:33660: P_ACK_V1 kid=0 [ 2 ]
Wed Sep 7 16:45:17 2011 us=529307 192.168.1.13:33660 UDPv4 WRITE [114] to 192.168.1.13:33660: P_CONTROL_V1 kid=0 [ ] pid=6 DATA len=100
Wed Sep 7 16:45:17 2011 us=529333 192.168.1.13:33660 UDPv4 READ [22] from 192.168.1.13:33660: P_ACK_V1 kid=0 [ 3 ]
Wed Sep 7 16:45:17 2011 us=529353 192.168.1.13:33660 UDPv4 WRITE [114] to 192.168.1.13:33660: P_CONTROL_V1 kid=0 [ ] pid=7 DATA len=100
Wed Sep 7 16:45:17 2011 us=529379 192.168.1.13:33660 UDPv4 READ [22] from 192.168.1.13:33660: P_ACK_V1 kid=0 [ 4 ]
Wed Sep 7 16:45:17 2011 us=529399 192.168.1.13:33660 UDPv4 WRITE [114] to 192.168.1.13:33660: P_CONTROL_V1 kid=0 [ ] pid=8 DATA len=100
Wed Sep 7 16:45:17 2011 us=529735 192.168.1.13:33660 UDPv4 READ [22] from 192.168.1.13:33660: P_ACK_V1 kid=0 [ 5 ]
Wed Sep 7 16:45:17 2011 us=529766 192.168.1.13:33660 UDPv4 WRITE [114] to 192.168.1.13:33660: P_CONTROL_V1 kid=0 [ ] pid=9 DATA len=100
Wed Sep 7 16:45:17 2011 us=529803 192.168.1.13:33660 UDPv4 READ [22] from 192.168.1.13:33660: P_ACK_V1 kid=0 [ 6 ]
Wed Sep 7 16:45:17 2011 us=529823 192.168.1.13:33660 UDPv4 WRITE [114] to 192.168.1.13:33660: P_CONTROL_V1 kid=0 [ ] pid=10 DATA len=100
Wed Sep 7 16:45:17 2011 us=529849 192.168.1.13:33660 UDPv4 READ [22] from 192.168.1.13:33660: P_ACK_V1 kid=0 [ 7 ]
Wed Sep 7 16:45:17 2011 us=529877 192.168.1.13:33660 UDPv4 WRITE [114] to 192.168.1.13:33660: P_CONTROL_V1 kid=0 [ ] pid=11 DATA len=100
Wed Sep 7 16:45:17 2011 us=529904 192.168.1.13:33660 UDPv4 READ [22] from 192.168.1.13:33660: P_ACK_V1 kid=0 [ 8 ]
Wed Sep 7 16:45:17 2011 us=529923 192.168.1.13:33660 UDPv4 WRITE [114] to 192.168.1.13:33660: P_CONTROL_V1 kid=0 [ ] pid=12 DATA len=100
Wed Sep 7 16:45:17 2011 us=530302 192.168.1.13:33660 UDPv4 READ [22] from 192.168.1.13:33660: P_ACK_V1 kid=0 [ 9 ]
Wed Sep 7 16:45:17 2011 us=530341 192.168.1.13:33660 UDPv4 WRITE [114] to 192.168.1.13:33660: P_CONTROL_V1 kid=0 [ ] pid=13 DATA len=100
Wed Sep 7 16:45:17 2011 us=530370 192.168.1.13:33660 UDPv4 READ [22] from 192.168.1.13:33660: P_ACK_V1 kid=0 [ 10 ]
Wed Sep 7 16:45:17 2011 us=530389 192.168.1.13:33660 UDPv4 WRITE [114] to 192.168.1.13:33660: P_CONTROL_V1 kid=0 [ ] pid=14 DATA len=100
Wed Sep 7 16:45:17 2011 us=530416 192.168.1.13:33660 UDPv4 READ [22] from 192.168.1.13:33660: P_ACK_V1 kid=0 [ 11 ]
Wed Sep 7 16:45:17 2011 us=530466 192.168.1.13:33660 UDPv4 WRITE [114] to 192.168.1.13:33660: P_CONTROL_V1 kid=0 [ ] pid=15 DATA len=100
Wed Sep 7 16:45:17 2011 us=530494 192.168.1.13:33660 UDPv4 READ [22] from 192.168.1.13:33660: P_ACK_V1 kid=0 [ 12 ]
Wed Sep 7 16:45:17 2011 us=530513 192.168.1.13:33660 UDPv4 WRITE [114] to 192.168.1.13:33660: P_CONTROL_V1 kid=0 [ ] pid=16 DATA len=100
Wed Sep 7 16:45:17 2011 us=530733 192.168.1.13:33660 UDPv4 READ [22] from 192.168.1.13:33660: P_ACK_V1 kid=0 [ 13 ]
Wed Sep 7 16:45:17 2011 us=530791 192.168.1.13:33660 UDPv4 WRITE [114] to 192.168.1.13:33660: P_CONTROL_V1 kid=0 [ ] pid=17 DATA len=100
Wed Sep 7 16:45:17 2011 us=530828 192.168.1.13:33660 UDPv4 READ [22] from 192.168.1.13:33660: P_ACK_V1 kid=0 [ 14 ]
Wed Sep 7 16:45:17 2011 us=530853 192.168.1.13:33660 UDPv4 WRITE [114] to 192.168.1.13:33660: P_CONTROL_V1 kid=0 [ ] pid=18 DATA len=100
Wed Sep 7 16:45:17 2011 us=530888 192.168.1.13:33660 UDPv4 READ [22] from 192.168.1.13:33660: P_ACK_V1 kid=0 [ 15 ]
Wed Sep 7 16:45:17 2011 us=530913 192.168.1.13:33660 UDPv4 WRITE [114] to 192.168.1.13:33660: P_CONTROL_V1 kid=0 [ ] pid=19 DATA len=100
Wed Sep 7 16:45:17 2011 us=530946 192.168.1.13:33660 UDPv4 READ [22] from 192.168.1.13:33660: P_ACK_V1 kid=0 [ 16 ]
Wed Sep 7 16:45:17 2011 us=530965 192.168.1.13:33660 UDPv4 WRITE [114] to 192.168.1.13:33660: P_CONTROL_V1 kid=0 [ ] pid=20 DATA len=100
Wed Sep 7 16:45:17 2011 us=531299 192.168.1.13:33660 UDPv4 READ [22] from 192.168.1.13:33660: P_ACK_V1 kid=0 [ 17 ]
Wed Sep 7 16:45:17 2011 us=531378 192.168.1.13:33660 UDPv4 WRITE [114] to 192.168.1.13:33660: P_CONTROL_V1 kid=0 [ ] pid=21 DATA len=100
Wed Sep 7 16:45:17 2011 us=531405 192.168.1.13:33660 UDPv4 READ [22] from 192.168.1.13:33660: P_ACK_V1 kid=0 [ 18 ]
Wed Sep 7 16:45:17 2011 us=531424 192.168.1.13:33660 UDPv4 WRITE [114] to 192.168.1.13:33660: P_CONTROL_V1 kid=0 [ ] pid=22 DATA len=100
Wed Sep 7 16:45:17 2011 us=531478 192.168.1.13:33660 UDPv4 READ [22] from 192.168.1.13:33660: P_ACK_V1 kid=0 [ 19 ]
Wed Sep 7 16:45:17 2011 us=531497 192.168.1.13:33660 UDPv4 WRITE [114] to 192.168.1.13:33660: P_CONTROL_V1 kid=0 [ ] pid=23 DATA len=100
Wed Sep 7 16:45:17 2011 us=531557 192.168.1.13:33660 UDPv4 READ [22] from 192.168.1.13:33660: P_ACK_V1 kid=0 [ 20 ]
Wed Sep 7 16:45:17 2011 us=531578 192.168.1.13:33660 UDPv4 WRITE [114] to 192.168.1.13:33660: P_CONTROL_V1 kid=0 [ ] pid=24 DATA len=100
Wed Sep 7 16:45:17 2011 us=532311 192.168.1.13:33660 UDPv4 READ [22] from 192.168.1.13:33660: P_ACK_V1 kid=0 [ 21 ]
Wed Sep 7 16:45:17 2011 us=532333 192.168.1.13:33660 UDPv4 WRITE [91] to 192.168.1.13:33660: P_CONTROL_V1 kid=0 [ ] pid=25 DATA len=77
Wed Sep 7 16:45:17 2011 us=532360 192.168.1.13:33660 UDPv4 READ [22] from 192.168.1.13:33660: P_ACK_V1 kid=0 [ 22 ]
Wed Sep 7 16:45:17 2011 us=532380 192.168.1.13:33660 UDPv4 READ [22] from 192.168.1.13:33660: P_ACK_V1 kid=0 [ 23 ]
Wed Sep 7 16:45:17 2011 us=532398 192.168.1.13:33660 UDPv4 READ [22] from 192.168.1.13:33660: P_ACK_V1 kid=0 [ 24 ]
Wed Sep 7 16:45:17 2011 us=536955 192.168.1.13:33660 UDPv4 READ [126] from 192.168.1.13:33660: P_CONTROL_V1 kid=0 [ 25 ] pid=3 DATA len=100
Wed Sep 7 16:45:17 2011 us=536997 192.168.1.13:33660 UDPv4 WRITE [22] to 192.168.1.13:33660: P_ACK_V1 kid=0 [ 3 ]
Wed Sep 7 16:45:17 2011 us=537035 192.168.1.13:33660 UDPv4 READ [112] from 192.168.1.13:33660: P_CONTROL_V1 kid=0 [ ] pid=4 DATA len=98
Wed Sep 7 16:45:17 2011 us=539624 192.168.1.13:33660 UDPv4 WRITE [85] to 192.168.1.13:33660: P_CONTROL_V1 kid=0 [ 4 ] pid=26 DATA len=59
Wed Sep 7 16:45:17 2011 us=540276 192.168.1.13:33660 UDPv4 READ [126] from 192.168.1.13:33660: P_CONTROL_V1 kid=0 [ 26 ] pid=5 DATA len=100
Wed Sep 7 16:45:17 2011 us=540318 192.168.1.13:33660 UDPv4 WRITE [22] to 192.168.1.13:33660: P_ACK_V1 kid=0 [ 5 ]
Wed Sep 7 16:45:17 2011 us=540355 192.168.1.13:33660 UDPv4 READ [114] from 192.168.1.13:33660: P_CONTROL_V1 kid=0 [ ] pid=6 DATA len=100
Wed Sep 7 16:45:17 2011 us=540377 192.168.1.13:33660 UDPv4 WRITE [22] to 192.168.1.13:33660: P_ACK_V1 kid=0 [ 6 ]
Wed Sep 7 16:45:17 2011 us=540412 192.168.1.13:33660 UDPv4 READ [114] from 192.168.1.13:33660: P_CONTROL_V1 kid=0 [ ] pid=7 DATA len=100
Wed Sep 7 16:45:17 2011 us=540428 192.168.1.13:33660 UDPv4 WRITE [22] to 192.168.1.13:33660: P_ACK_V1 kid=0 [ 7 ]
Wed Sep 7 16:45:17 2011 us=540452 192.168.1.13:33660 UDPv4 READ [92] from 192.168.1.13:33660: P_CONTROL_V1 kid=0 [ ] pid=8 DATA len=78
AUTH-PAM: BACKGROUND: received command code: 0
AUTH-PAM: BACKGROUND: USER: gboi
AUTH-PAM: BACKGROUND: my_conv[0] query='Password: ' style=1
AUTH-PAM: BACKGROUND: user 'gboi' failed to authenticate: Module is unknown
Wed Sep 7 16:45:19 2011 us=468594 192.168.1.13:33660 PLUGIN_CALL: POST /usr/lib64/openvpn/plugin/lib/openvpn-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
Wed Sep 7 16:45:19 2011 us=468615 192.168.1.13:33660 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/lib64/openvpn/plugin/lib/openvpn-auth-pam.so
Wed Sep 7 16:45:19 2011 us=468641 192.168.1.13:33660 TLS Auth Error: Auth Username/Password verification failed for peer
Wed Sep 7 16:45:19 2011 us=468762 192.168.1.13:33660 UDPv4 WRITE [126] to 192.168.1.13:33660: P_CONTROL_V1 kid=0 [ 8 ] pid=27 DATA len=100
Wed Sep 7 16:45:19 2011 us=468801 192.168.1.13:33660 UDPv4 WRITE [114] to 192.168.1.13:33660: P_CONTROL_V1 kid=0 [ ] pid=28 DATA len=100
Wed Sep 7 16:45:19 2011 us=468825 192.168.1.13:33660 UDPv4 WRITE [80] to 192.168.1.13:33660: P_CONTROL_V1 kid=0 [ ] pid=29 DATA len=66
Wed Sep 7 16:45:19 2011 us=469245 192.168.1.13:33660 UDPv4 READ [22] from 192.168.1.13:33660: P_ACK_V1 kid=0 [ 27 ]
Wed Sep 7 16:45:19 2011 us=469274 192.168.1.13:33660 UDPv4 READ [22] from 192.168.1.13:33660: P_ACK_V1 kid=0 [ 28 ]
Wed Sep 7 16:45:19 2011 us=469462 192.168.1.13:33660 UDPv4 READ [22] from 192.168.1.13:33660: P_ACK_V1 kid=0 [ 29 ]
Wed Sep 7 16:45:19 2011 us=469478 192.168.1.13:33660 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA
Wed Sep 7 16:45:19 2011 us=469497 192.168.1.13:33660 [] Peer Connection Initiated with 192.168.1.13:33660
Wed Sep 7 16:45:21 2011 us=649895 192.168.1.13:33660 UDPv4 READ [104] from 192.168.1.13:33660: P_CONTROL_V1 kid=0 [ ] pid=9 DATA len=90
Wed Sep 7 16:45:21 2011 us=649969 192.168.1.13:33660 PUSH: Received control message: 'PUSH_REQUEST'
Wed Sep 7 16:45:21 2011 us=649986 192.168.1.13:33660 Delayed exit in 5 seconds
Wed Sep 7 16:45:21 2011 us=650015 192.168.1.13:33660 SENT CONTROL [UNDEF]: 'AUTH_FAILED' (status=1)
Wed Sep 7 16:45:21 2011 us=650029 192.168.1.13:33660 UDPv4 WRITE [22] to 192.168.1.13:33660: P_ACK_V1 kid=0 [ 9 ]
Wed Sep 7 16:45:21 2011 us=650067 192.168.1.13:33660 UDPv4 WRITE [104] to 192.168.1.13:33660: P_CONTROL_V1 kid=0 [ ] pid=30 DATA len=90
Wed Sep 7 16:45:23 2011 us=721918 192.168.1.13:33660 UDPv4 WRITE [104] to 192.168.1.13:33660: P_CONTROL_V1 kid=0 [ ] pid=30 DATA len=90
Wed Sep 7 16:45:23 2011 us=722260 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
Wed Sep 7 16:45:26 2011 us=795152 192.168.1.13:33660 SIGTERM[soft,delayed-exit] received, client-instance exiting
And here is the content of /etc/pam.d/openvpn:
Code:
auth required pam_yubico.so id=16 debug authfile=/etc/etc/yubikey_passwd
auth include system-auth
account required pam_nologin.so
account include system-auth
password include system-auth
session include system-auth
And here is the content of /etc/openvpn/openvpn.conf:
Code:
port 1194
proto udp
dev tun0
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/sv-inf-int-vpn-01.crt
key /etc/openvpn/keys/sv-inf-int-vpn-01.key
dh /etc/openvpn/keys/dh1024.pem
server 10.8.42.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-to-client
keepalive 10 120
comp-lzo
max-clients 100
user root
group root
# of the privilege downgrade.
persist-key
persist-tun
status /var/log/openvpn-status.log
log-append /var/log/openvpn.log
verb 6
# Do not require a certificate from clients
client-cert-not-required
# Only local users of the server can connect to the VPN (login)
# plugin /usr/lib64/openvpn/plugin/lib/openvpn-auth-pam.so login
# Enable PAM modules openvpn (yubikey)
plugin /usr/lib64/openvpn/plugin/lib/openvpn-auth-pam.so openvpn
push "redirect-gateway def1"
push "dhcp-option DNS 192.168.1.1"
Could you please tell me how to get it to work?
Regards,
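An added example, not part of the original post or of the yubico-pam project: Linux-PAM reports "Module is unknown" when a module named in the stack cannot be loaded, so the script below parses the /etc/pam.d/openvpn stack quoted above, checks that every module .so exists in the module directories (assumed here to be /lib64/security and /lib/security), flags an authfile= path that is missing, and extracts the AUTH-PAM failure lines from an openvpn.log excerpt. File existence only approximates what dlopen checks (a module built for the wrong architecture would still fail to load), and the sample log is constructed.

```python
import os
import re

# /etc/pam.d/openvpn as quoted in the post, embedded here as sample input.
SAMPLE_PAM_STACK = """\
auth required pam_yubico.so id=16 debug authfile=/etc/etc/yubikey_passwd
auth include system-auth
account required pam_nologin.so
account include system-auth
password include system-auth
session include system-auth
"""

# Failure lines in the shape of the post's openvpn.log (constructed sample).
SAMPLE_LOG = """\
AUTH-PAM: BACKGROUND: user 'gboi' failed to authenticate: Module is unknown
AUTH-PAM: BACKGROUND: user 'alice' failed to authenticate: Authentication failure
"""

# Where Linux-PAM loads modules from on 64-bit CentOS/RHEL (assumed defaults).
DEFAULT_MODULE_DIRS = ("/lib64/security", "/lib/security")
FAIL_RE = re.compile(r"AUTH-PAM: BACKGROUND: user '([^']+)' failed to authenticate: (.+)")

def pam_failures(log_text):
    """Return (user, reason) for every AUTH-PAM failure line in an openvpn.log excerpt."""
    return [(m.group(1), m.group(2).strip()) for m in map(FAIL_RE.match, log_text.splitlines()) if m]

def parse_pam_stack(text):
    """Return (type, control, module_or_file, args) for each non-comment line."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].startswith("#"):
            continue
        args = dict(a.split("=", 1) if "=" in a else (a, True) for a in parts[3:])
        entries.append((parts[0], parts[1], parts[2], args))
    return entries

def check_pam_stack(text, module_dirs=DEFAULT_MODULE_DIRS, exists=os.path.exists):
    """Flag modules absent from module_dirs (PAM then answers 'Module is unknown') and missing authfile= paths."""
    problems = []
    for ptype, control, module, args in parse_pam_stack(text):
        if control in ("include", "substack"):
            continue  # names another stack file, not a module .so
        if not any(exists(os.path.join(d, module)) for d in module_dirs):
            problems.append("%s: %s not found in %s" % (ptype, module, ":".join(module_dirs)))
        authfile = args.get("authfile")
        if isinstance(authfile, str) and not exists(authfile):
            problems.append("%s: authfile %s does not exist" % (ptype, authfile))
    return problems
```

Run check_pam_stack(open("/etc/pam.d/openvpn").read()) on the server itself to use the real filesystem instead of the injected exists() callback.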