Yubico Forum

...visit our web-store at store.yubico.com
It is currently Tue Jan 30, 2018 2:28 pm

All times are UTC + 1 hour




Post new topic Reply to topic  [ 4 posts ] 
Author Message
 Post subject: Yubikey openVPN LDAP
PostPosted: Tue Sep 06, 2016 7:56 am 
Offline

Joined: Tue Sep 06, 2016 7:46 am
Posts: 3
Hello,

try according to
https://developers.yubico.com/yubico-pam/
to set-up 2-factor-authentifications on FreeBSD with: openVPN with LDAP-Authentification and Yubikey.

But get error message: PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1.
---
Mon Sep 5 14:47:05 2016 172.23.3.8:35857 TLS: Initial packet from [AF_INET]172.23.3.8:35857, sid=159c136d 2cb1a27d
Mon Sep 5 14:47:05 2016 172.23.3.8:35857 PLUGIN_CALL: POST openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
Mon Sep 5 14:47:05 2016 172.23.3.8:35857 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: openvpn-plugin-auth-pam.so
Mon Sep 5 14:47:05 2016 172.23.3.8:35857 TLS Auth Error: Auth Username/Password verification failed for peer
Mon Sep 5 14:47:05 2016 172.23.3.8:35857 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA
Mon Sep 5 14:47:05 2016 172.23.3.8:35857 Peer Connection Initiated with [AF_INET]172.23.3.8:35857
Mon Sep 5 14:47:07 2016 172.23.3.8:35857 PUSH: Received control message: 'PUSH_REQUEST'
Mon Sep 5 14:47:07 2016 172.23.3.8:35857 Delayed exit in 5 seconds
Mon Sep 5 14:47:07 2016 172.23.3.8:35857 SENT CONTROL [UNDEF]: 'AUTH_FAILED' (status=1)
Mon Sep 5 14:47:07 2016 172.23.3.8:35857 TLS Error: local/remote TLS keys are out of sync: [AF_INET]172.23.3.8:35857 [0]
Mon Sep 5 14:47:08 2016 172.23.3.8:35857 TLS Error: local/remote TLS keys are out of sync: [AF_INET]172.23.3.8:35857 [0]


Mon Sep 5 14:47:09 2016 172.23.3.8:35857 TLS Error: local/remote TLS keys are out of sync: [AF_INET]172.23.3.8:35857 [0]
Mon Sep 5 14:47:11 2016 172.23.3.8:35857 TLS Error: local/remote TLS keys are out of sync: [AF_INET]172.23.3.8:35857 [0]
Mon Sep 5 14:47:12 2016 172.23.3.8:35857 SIGTERM[soft,delayed-exit] received, client-instance exiting
---
openvpn.conf on Server:
plugin openvpn-plugin-auth-pam.so openvpn

If it changed to
plugin openvpn-plugin-auth-pam.so system-auth

then no error, but of it the authentification use local System user, which is not what I want: authetification against ldap server (1. factor) and Yubikey (2. factor).

Kind Regards
VedPac


Top
 Profile  
Reply with quote  

Share On:

Share on Facebook FacebookShare on Twitter TwitterShare on Tumblr TumblrShare on Google+ Google+

 Post subject: Re: Yubikey openVPN LDAP
PostPosted: Tue Sep 06, 2016 2:39 pm 
Offline
User avatar

Joined: Fri Aug 26, 2016 5:44 pm
Posts: 25
Location: Rochester, New York, USA
Based on what you've written, it's unclear how openVPN fits into your planned setup. There is a separate PAM plugin for LDAP authentication that you don't seem to mention here. There's still another plugin for using the yubikey as the second factor (and another if you want to use u2f specifically).

Could you clarify your intentions a bit more so I know where to troubleshoot?

_________________
Keybase User: sporkwitch
PGP Public Key: B54A 454A 2B29 9D83 0201 CB1B C136 07BD 83A9 E927


Top
 Profile  
Reply with quote  
 Post subject: Re: Yubikey openVPN LDAP
PostPosted: Tue Sep 06, 2016 2:56 pm 
Offline

Joined: Tue Sep 06, 2016 7:46 am
Posts: 3
Hi Spork,

thanks for th reply.

We want to use two factor authentication for OpenVPN using YubiKey.
That means openVPN will prompt a login (username/password), the user will authenticate against our LDAP-Server.
If it succeeded then authenticate again using Yubikey.

Here is the configs:

client.ovpn(client)
auth-user-pass

openvpn.conf (server)
plugin openvpn-plugin-auth-pam.so openvpn

/usr/local/etc/pam.d/openvpn:
auth required pam_yubico.so ldap_uri=ldap://ldap-srv debug id=[Your API Client ID] yubi_attr=pager
ldapdn=dc=ad,dc=next-audience,dc=net
ldap_filter=(&(sAMAccountName=%u)(memberOf=CN=mygroup,OU=DefaultUser,DC=adivser,DC=net))
ldap_bind_user=bind_user ldap_bind_password=bind_password try_first_pass
account required pam_yubico.so

Regards
VedPac


Top
 Profile  
Reply with quote  
 Post subject: Re: Yubikey openVPN LDAP
PostPosted: Tue Sep 06, 2016 3:00 pm 
Offline

Joined: Tue Sep 06, 2016 7:46 am
Posts: 3
This also won't work (authenticate against ldap-server and yubikey), same error:
auth required pam_yubico.so ldap_uri=ldap://xxxxx id=xxx authfile=/usr/local/etc/openvpn/yubikey_mappings debug
ldapdn=dc=ad,dc=next-audience,dc=net
ldap_filter=(&(sAMAccountName=%u)(memberOf=CN=mygroup,OU=DefaultUser,DC=adivser,DC=net))
ldap_bind_user=bind_user ldap_bind_password=bind_password try_first_pass
account required pam_yubico.so


Top
 Profile  
Reply with quote  
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 4 posts ] 

All times are UTC + 1 hour


Who is online

Users browsing this forum: No registered users and 4 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB® Forum Software © phpBB Group