Yubico Forum
https://forum.yubico.com/

Help on integration Yubico_pam + openvpn
https://forum.yubico.com/viewtopic.php?f=3&t=706
Page 1 of 1

Author:  Rougemarteau [ Wed Sep 07, 2011 3:54 pm ]
Post subject:  Help on integration Yubico_pam + openvpn

Hi,

I'm trying to get the Yubico PAM module working to provide two-factor (legacy username + password + YubiKey OTP) authentication for OpenVPN.
I followed the instructions on this page: http://code.google.com/p/yubico-pam/wik ... nVPNviaPAM

The OpenVPN server is CentOS 5 64-bit.
One OpenVPN client is Fedora FC15. Another OpenVPN client is running Windows 7 64-bit.

When I try to use the VPN client (on both the Windows and Linux clients), it fails while trying to authenticate. Here is the output of openvpn.log:

Code:
Wed Sep  7 16:45:17 2011 us=525294 MULTI: multi_create_instance called
Wed Sep  7 16:45:17 2011 us=525381 192.168.1.13:33660 Re-using SSL/TLS context
Wed Sep  7 16:45:17 2011 us=525457 192.168.1.13:33660 LZO compression initialized
Wed Sep  7 16:45:17 2011 us=525514 192.168.1.13:33660 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Wed Sep  7 16:45:17 2011 us=525524 192.168.1.13:33660 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Wed Sep  7 16:45:17 2011 us=525549 192.168.1.13:33660 Local Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Wed Sep  7 16:45:17 2011 us=525556 192.168.1.13:33660 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Wed Sep  7 16:45:17 2011 us=525568 192.168.1.13:33660 Local Options hash (VER=V4): '530fdded'
Wed Sep  7 16:45:17 2011 us=525579 192.168.1.13:33660 Expected Remote Options hash (VER=V4): '41690919'
Wed Sep  7 16:45:17 2011 us=525601 192.168.1.13:33660 UDPv4 READ [14] from 192.168.1.13:33660: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
Wed Sep  7 16:45:17 2011 us=525612 192.168.1.13:33660 TLS: Initial packet from 192.168.1.13:33660, sid=fc4c103b 050db54c
Wed Sep  7 16:45:17 2011 us=525631 192.168.1.13:33660 UDPv4 WRITE [26] to 192.168.1.13:33660: P_CONTROL_HARD_RESET_SERVER_V2 kid=0 [ 0 ] pid=0 DATA len=0
Wed Sep  7 16:45:17 2011 us=525995 192.168.1.13:33660 UDPv4 READ [22] from 192.168.1.13:33660: P_ACK_V1 kid=0 [ 0 ]
Wed Sep  7 16:45:17 2011 us=526031 192.168.1.13:33660 UDPv4 READ [114] from 192.168.1.13:33660: P_CONTROL_V1 kid=0 [ ] pid=1 DATA len=100
Wed Sep  7 16:45:17 2011 us=526058 192.168.1.13:33660 UDPv4 WRITE [22] to 192.168.1.13:33660: P_ACK_V1 kid=0 [ 1 ]
Wed Sep  7 16:45:17 2011 us=526093 192.168.1.13:33660 UDPv4 READ [27] from 192.168.1.13:33660: P_CONTROL_V1 kid=0 [ ] pid=2 DATA len=13
Wed Sep  7 16:45:17 2011 us=528709 192.168.1.13:33660 UDPv4 WRITE [126] to 192.168.1.13:33660: P_CONTROL_V1 kid=0 [ 2 ] pid=1 DATA len=100
Wed Sep  7 16:45:17 2011 us=528741 192.168.1.13:33660 UDPv4 WRITE [114] to 192.168.1.13:33660: P_CONTROL_V1 kid=0 [ ] pid=2 DATA len=100
Wed Sep  7 16:45:17 2011 us=528769 192.168.1.13:33660 UDPv4 WRITE [114] to 192.168.1.13:33660: P_CONTROL_V1 kid=0 [ ] pid=3 DATA len=100
Wed Sep  7 16:45:17 2011 us=528797 192.168.1.13:33660 UDPv4 WRITE [114] to 192.168.1.13:33660: P_CONTROL_V1 kid=0 [ ] pid=4 DATA len=100
Wed Sep  7 16:45:17 2011 us=529208 192.168.1.13:33660 UDPv4 READ [22] from 192.168.1.13:33660: P_ACK_V1 kid=0 [ 1 ]
Wed Sep  7 16:45:17 2011 us=529257 192.168.1.13:33660 UDPv4 WRITE [114] to 192.168.1.13:33660: P_CONTROL_V1 kid=0 [ ] pid=5 DATA len=100
Wed Sep  7 16:45:17 2011 us=529287 192.168.1.13:33660 UDPv4 READ [22] from 192.168.1.13:33660: P_ACK_V1 kid=0 [ 2 ]
Wed Sep  7 16:45:17 2011 us=529307 192.168.1.13:33660 UDPv4 WRITE [114] to 192.168.1.13:33660: P_CONTROL_V1 kid=0 [ ] pid=6 DATA len=100
Wed Sep  7 16:45:17 2011 us=529333 192.168.1.13:33660 UDPv4 READ [22] from 192.168.1.13:33660: P_ACK_V1 kid=0 [ 3 ]
Wed Sep  7 16:45:17 2011 us=529353 192.168.1.13:33660 UDPv4 WRITE [114] to 192.168.1.13:33660: P_CONTROL_V1 kid=0 [ ] pid=7 DATA len=100
Wed Sep  7 16:45:17 2011 us=529379 192.168.1.13:33660 UDPv4 READ [22] from 192.168.1.13:33660: P_ACK_V1 kid=0 [ 4 ]
Wed Sep  7 16:45:17 2011 us=529399 192.168.1.13:33660 UDPv4 WRITE [114] to 192.168.1.13:33660: P_CONTROL_V1 kid=0 [ ] pid=8 DATA len=100
Wed Sep  7 16:45:17 2011 us=529735 192.168.1.13:33660 UDPv4 READ [22] from 192.168.1.13:33660: P_ACK_V1 kid=0 [ 5 ]
Wed Sep  7 16:45:17 2011 us=529766 192.168.1.13:33660 UDPv4 WRITE [114] to 192.168.1.13:33660: P_CONTROL_V1 kid=0 [ ] pid=9 DATA len=100
Wed Sep  7 16:45:17 2011 us=529803 192.168.1.13:33660 UDPv4 READ [22] from 192.168.1.13:33660: P_ACK_V1 kid=0 [ 6 ]
Wed Sep  7 16:45:17 2011 us=529823 192.168.1.13:33660 UDPv4 WRITE [114] to 192.168.1.13:33660: P_CONTROL_V1 kid=0 [ ] pid=10 DATA len=100
Wed Sep  7 16:45:17 2011 us=529849 192.168.1.13:33660 UDPv4 READ [22] from 192.168.1.13:33660: P_ACK_V1 kid=0 [ 7 ]
Wed Sep  7 16:45:17 2011 us=529877 192.168.1.13:33660 UDPv4 WRITE [114] to 192.168.1.13:33660: P_CONTROL_V1 kid=0 [ ] pid=11 DATA len=100
Wed Sep  7 16:45:17 2011 us=529904 192.168.1.13:33660 UDPv4 READ [22] from 192.168.1.13:33660: P_ACK_V1 kid=0 [ 8 ]
Wed Sep  7 16:45:17 2011 us=529923 192.168.1.13:33660 UDPv4 WRITE [114] to 192.168.1.13:33660: P_CONTROL_V1 kid=0 [ ] pid=12 DATA len=100
Wed Sep  7 16:45:17 2011 us=530302 192.168.1.13:33660 UDPv4 READ [22] from 192.168.1.13:33660: P_ACK_V1 kid=0 [ 9 ]
Wed Sep  7 16:45:17 2011 us=530341 192.168.1.13:33660 UDPv4 WRITE [114] to 192.168.1.13:33660: P_CONTROL_V1 kid=0 [ ] pid=13 DATA len=100
Wed Sep  7 16:45:17 2011 us=530370 192.168.1.13:33660 UDPv4 READ [22] from 192.168.1.13:33660: P_ACK_V1 kid=0 [ 10 ]
Wed Sep  7 16:45:17 2011 us=530389 192.168.1.13:33660 UDPv4 WRITE [114] to 192.168.1.13:33660: P_CONTROL_V1 kid=0 [ ] pid=14 DATA len=100
Wed Sep  7 16:45:17 2011 us=530416 192.168.1.13:33660 UDPv4 READ [22] from 192.168.1.13:33660: P_ACK_V1 kid=0 [ 11 ]
Wed Sep  7 16:45:17 2011 us=530466 192.168.1.13:33660 UDPv4 WRITE [114] to 192.168.1.13:33660: P_CONTROL_V1 kid=0 [ ] pid=15 DATA len=100
Wed Sep  7 16:45:17 2011 us=530494 192.168.1.13:33660 UDPv4 READ [22] from 192.168.1.13:33660: P_ACK_V1 kid=0 [ 12 ]
Wed Sep  7 16:45:17 2011 us=530513 192.168.1.13:33660 UDPv4 WRITE [114] to 192.168.1.13:33660: P_CONTROL_V1 kid=0 [ ] pid=16 DATA len=100
Wed Sep  7 16:45:17 2011 us=530733 192.168.1.13:33660 UDPv4 READ [22] from 192.168.1.13:33660: P_ACK_V1 kid=0 [ 13 ]
Wed Sep  7 16:45:17 2011 us=530791 192.168.1.13:33660 UDPv4 WRITE [114] to 192.168.1.13:33660: P_CONTROL_V1 kid=0 [ ] pid=17 DATA len=100
Wed Sep  7 16:45:17 2011 us=530828 192.168.1.13:33660 UDPv4 READ [22] from 192.168.1.13:33660: P_ACK_V1 kid=0 [ 14 ]
Wed Sep  7 16:45:17 2011 us=530853 192.168.1.13:33660 UDPv4 WRITE [114] to 192.168.1.13:33660: P_CONTROL_V1 kid=0 [ ] pid=18 DATA len=100
Wed Sep  7 16:45:17 2011 us=530888 192.168.1.13:33660 UDPv4 READ [22] from 192.168.1.13:33660: P_ACK_V1 kid=0 [ 15 ]
Wed Sep  7 16:45:17 2011 us=530913 192.168.1.13:33660 UDPv4 WRITE [114] to 192.168.1.13:33660: P_CONTROL_V1 kid=0 [ ] pid=19 DATA len=100
Wed Sep  7 16:45:17 2011 us=530946 192.168.1.13:33660 UDPv4 READ [22] from 192.168.1.13:33660: P_ACK_V1 kid=0 [ 16 ]
Wed Sep  7 16:45:17 2011 us=530965 192.168.1.13:33660 UDPv4 WRITE [114] to 192.168.1.13:33660: P_CONTROL_V1 kid=0 [ ] pid=20 DATA len=100
Wed Sep  7 16:45:17 2011 us=531299 192.168.1.13:33660 UDPv4 READ [22] from 192.168.1.13:33660: P_ACK_V1 kid=0 [ 17 ]
Wed Sep  7 16:45:17 2011 us=531378 192.168.1.13:33660 UDPv4 WRITE [114] to 192.168.1.13:33660: P_CONTROL_V1 kid=0 [ ] pid=21 DATA len=100
Wed Sep  7 16:45:17 2011 us=531405 192.168.1.13:33660 UDPv4 READ [22] from 192.168.1.13:33660: P_ACK_V1 kid=0 [ 18 ]
Wed Sep  7 16:45:17 2011 us=531424 192.168.1.13:33660 UDPv4 WRITE [114] to 192.168.1.13:33660: P_CONTROL_V1 kid=0 [ ] pid=22 DATA len=100
Wed Sep  7 16:45:17 2011 us=531478 192.168.1.13:33660 UDPv4 READ [22] from 192.168.1.13:33660: P_ACK_V1 kid=0 [ 19 ]
Wed Sep  7 16:45:17 2011 us=531497 192.168.1.13:33660 UDPv4 WRITE [114] to 192.168.1.13:33660: P_CONTROL_V1 kid=0 [ ] pid=23 DATA len=100
Wed Sep  7 16:45:17 2011 us=531557 192.168.1.13:33660 UDPv4 READ [22] from 192.168.1.13:33660: P_ACK_V1 kid=0 [ 20 ]
Wed Sep  7 16:45:17 2011 us=531578 192.168.1.13:33660 UDPv4 WRITE [114] to 192.168.1.13:33660: P_CONTROL_V1 kid=0 [ ] pid=24 DATA len=100
Wed Sep  7 16:45:17 2011 us=532311 192.168.1.13:33660 UDPv4 READ [22] from 192.168.1.13:33660: P_ACK_V1 kid=0 [ 21 ]
Wed Sep  7 16:45:17 2011 us=532333 192.168.1.13:33660 UDPv4 WRITE [91] to 192.168.1.13:33660: P_CONTROL_V1 kid=0 [ ] pid=25 DATA len=77
Wed Sep  7 16:45:17 2011 us=532360 192.168.1.13:33660 UDPv4 READ [22] from 192.168.1.13:33660: P_ACK_V1 kid=0 [ 22 ]
Wed Sep  7 16:45:17 2011 us=532380 192.168.1.13:33660 UDPv4 READ [22] from 192.168.1.13:33660: P_ACK_V1 kid=0 [ 23 ]
Wed Sep  7 16:45:17 2011 us=532398 192.168.1.13:33660 UDPv4 READ [22] from 192.168.1.13:33660: P_ACK_V1 kid=0 [ 24 ]
Wed Sep  7 16:45:17 2011 us=536955 192.168.1.13:33660 UDPv4 READ [126] from 192.168.1.13:33660: P_CONTROL_V1 kid=0 [ 25 ] pid=3 DATA len=100
Wed Sep  7 16:45:17 2011 us=536997 192.168.1.13:33660 UDPv4 WRITE [22] to 192.168.1.13:33660: P_ACK_V1 kid=0 [ 3 ]
Wed Sep  7 16:45:17 2011 us=537035 192.168.1.13:33660 UDPv4 READ [112] from 192.168.1.13:33660: P_CONTROL_V1 kid=0 [ ] pid=4 DATA len=98
Wed Sep  7 16:45:17 2011 us=539624 192.168.1.13:33660 UDPv4 WRITE [85] to 192.168.1.13:33660: P_CONTROL_V1 kid=0 [ 4 ] pid=26 DATA len=59
Wed Sep  7 16:45:17 2011 us=540276 192.168.1.13:33660 UDPv4 READ [126] from 192.168.1.13:33660: P_CONTROL_V1 kid=0 [ 26 ] pid=5 DATA len=100
Wed Sep  7 16:45:17 2011 us=540318 192.168.1.13:33660 UDPv4 WRITE [22] to 192.168.1.13:33660: P_ACK_V1 kid=0 [ 5 ]
Wed Sep  7 16:45:17 2011 us=540355 192.168.1.13:33660 UDPv4 READ [114] from 192.168.1.13:33660: P_CONTROL_V1 kid=0 [ ] pid=6 DATA len=100
Wed Sep  7 16:45:17 2011 us=540377 192.168.1.13:33660 UDPv4 WRITE [22] to 192.168.1.13:33660: P_ACK_V1 kid=0 [ 6 ]
Wed Sep  7 16:45:17 2011 us=540412 192.168.1.13:33660 UDPv4 READ [114] from 192.168.1.13:33660: P_CONTROL_V1 kid=0 [ ] pid=7 DATA len=100
Wed Sep  7 16:45:17 2011 us=540428 192.168.1.13:33660 UDPv4 WRITE [22] to 192.168.1.13:33660: P_ACK_V1 kid=0 [ 7 ]
Wed Sep  7 16:45:17 2011 us=540452 192.168.1.13:33660 UDPv4 READ [92] from 192.168.1.13:33660: P_CONTROL_V1 kid=0 [ ] pid=8 DATA len=78
AUTH-PAM: BACKGROUND: received command code: 0
AUTH-PAM: BACKGROUND: USER: gboi
AUTH-PAM: BACKGROUND: my_conv[0] query='Password: ' style=1
AUTH-PAM: BACKGROUND: user 'gboi' failed to authenticate: Module is unknown
Wed Sep  7 16:45:19 2011 us=468594 192.168.1.13:33660 PLUGIN_CALL: POST /usr/lib64/openvpn/plugin/lib/openvpn-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
Wed Sep  7 16:45:19 2011 us=468615 192.168.1.13:33660 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/lib64/openvpn/plugin/lib/openvpn-auth-pam.so
Wed Sep  7 16:45:19 2011 us=468641 192.168.1.13:33660 TLS Auth Error: Auth Username/Password verification failed for peer
Wed Sep  7 16:45:19 2011 us=468762 192.168.1.13:33660 UDPv4 WRITE [126] to 192.168.1.13:33660: P_CONTROL_V1 kid=0 [ 8 ] pid=27 DATA len=100
Wed Sep  7 16:45:19 2011 us=468801 192.168.1.13:33660 UDPv4 WRITE [114] to 192.168.1.13:33660: P_CONTROL_V1 kid=0 [ ] pid=28 DATA len=100
Wed Sep  7 16:45:19 2011 us=468825 192.168.1.13:33660 UDPv4 WRITE [80] to 192.168.1.13:33660: P_CONTROL_V1 kid=0 [ ] pid=29 DATA len=66
Wed Sep  7 16:45:19 2011 us=469245 192.168.1.13:33660 UDPv4 READ [22] from 192.168.1.13:33660: P_ACK_V1 kid=0 [ 27 ]
Wed Sep  7 16:45:19 2011 us=469274 192.168.1.13:33660 UDPv4 READ [22] from 192.168.1.13:33660: P_ACK_V1 kid=0 [ 28 ]
Wed Sep  7 16:45:19 2011 us=469462 192.168.1.13:33660 UDPv4 READ [22] from 192.168.1.13:33660: P_ACK_V1 kid=0 [ 29 ]
Wed Sep  7 16:45:19 2011 us=469478 192.168.1.13:33660 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA
Wed Sep  7 16:45:19 2011 us=469497 192.168.1.13:33660 [] Peer Connection Initiated with 192.168.1.13:33660
Wed Sep  7 16:45:21 2011 us=649895 192.168.1.13:33660 UDPv4 READ [104] from 192.168.1.13:33660: P_CONTROL_V1 kid=0 [ ] pid=9 DATA len=90
Wed Sep  7 16:45:21 2011 us=649969 192.168.1.13:33660 PUSH: Received control message: 'PUSH_REQUEST'
Wed Sep  7 16:45:21 2011 us=649986 192.168.1.13:33660 Delayed exit in 5 seconds
Wed Sep  7 16:45:21 2011 us=650015 192.168.1.13:33660 SENT CONTROL [UNDEF]: 'AUTH_FAILED' (status=1)
Wed Sep  7 16:45:21 2011 us=650029 192.168.1.13:33660 UDPv4 WRITE [22] to 192.168.1.13:33660: P_ACK_V1 kid=0 [ 9 ]
Wed Sep  7 16:45:21 2011 us=650067 192.168.1.13:33660 UDPv4 WRITE [104] to 192.168.1.13:33660: P_CONTROL_V1 kid=0 [ ] pid=30 DATA len=90
Wed Sep  7 16:45:23 2011 us=721918 192.168.1.13:33660 UDPv4 WRITE [104] to 192.168.1.13:33660: P_CONTROL_V1 kid=0 [ ] pid=30 DATA len=90
Wed Sep  7 16:45:23 2011 us=722260 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
Wed Sep  7 16:45:26 2011 us=795152 192.168.1.13:33660 SIGTERM[soft,delayed-exit] received, client-instance exiting
And here is the content of /etc/pam.d/openvpn:
Code:
auth required pam_yubico.so id=16 debug authfile=/etc/etc/yubikey_passwd
auth include system-auth
account required pam_nologin.so
account include system-auth
password include system-auth
session include system-auth


And here is the content of /etc/openvpn/openvpn.conf:

Code:
port 1194
proto udp
dev tun0

ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/sv-inf-int-vpn-01.crt
key /etc/openvpn/keys/sv-inf-int-vpn-01.key
dh /etc/openvpn/keys/dh1024.pem

server 10.8.42.0 255.255.255.0
ifconfig-pool-persist ipp.txt

client-to-client

keepalive 10 120

comp-lzo
max-clients 100

user root
group root

# of the privilege downgrade.
persist-key
persist-tun

status /var/log/openvpn-status.log
log-append  /var/log/openvpn.log

verb 6

# Does not require a certificate for clients
client-cert-not-required

# Only local users of the server can connect to the VPN (login)
# plugin /usr/lib64/openvpn/plugin/lib/openvpn-auth-pam.so login

# Enable PAM modules openvpn (yubikey)
plugin /usr/lib64/openvpn/plugin/lib/openvpn-auth-pam.so openvpn

push "redirect-gateway def1"
push "dhcp-option DNS 192.168.1.1"


Could you please tell me how to get it to work?

Regards,

Author:  Fredrik-at-Yubico [ Wed Dec 07, 2011 2:55 pm ]
Post subject:  Re: Help on integration Yubico_pam + openvpn

Enable debug logging of the PAM module as per the README:

touch /var/run/pam-debug.log
chmod go+w /var/run/pam-debug.log
tail -f /var/run/pam-debug.log

Also, it seems your /etc/pam.d/openvpn file contains an extra /etc in the filename of the authfile parameter:

auth required pam_yubico.so id=16 debug authfile=/etc/etc/yubikey_passwd

/Fredrik
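A configuration check covering the two points raised so far in this thread, written as an added example (not code from the thread, from Yubico or from the yubico-pam project): it walks a PAM service file, confirms that every module named in the stack exists under the module directory (on Linux-PAM, a module that cannot be loaded is reported as "Module is unknown", the error in the openvpn.log above), and confirms that every authfile= argument points at an existing file, which is how the /etc/etc/yubikey_passwd typo would have been caught before the first login attempt. The module directory and the two service files are constructed fixtures; the parser assumes the one-word control field used in the configs on this page.

```shell
#!/bin/sh
# Added example, not from the thread: lint a PAM service file such as the
# /etc/pam.d/openvpn posted above.
#   1. every module in the stack must exist under MODDIR (a module PAM cannot
#      load is reported as "Module is unknown", as in the openvpn.log above);
#   2. every authfile=PATH argument must point at an existing file.
# Assumes the simple one-word control field used on this page, not the
# bracketed [success=1 ...] form. All paths below are constructed fixtures.

# lint_pam_service FILE MODDIR: prints each problem, returns 1 if any found.
lint_pam_service() {
    file=$1; moddir=$2; rc=0
    while read -r ptype control module args; do
        case "$ptype" in ''|\#*) continue ;; esac          # blank or comment
        if [ "$control" = include ]; then continue; fi     # names a service, not a module
        case "$module" in /*) modpath=$module ;; *) modpath=$moddir/$module ;; esac
        if [ ! -f "$modpath" ]; then
            echo "MISSING module $module (PAM would report 'Module is unknown')"
            rc=1
        fi
        for a in $args; do
            case "$a" in authfile=*)
                path=${a#authfile=}
                if [ ! -f "$path" ]; then
                    echo "MISSING authfile $path"
                    rc=1
                fi ;;
            esac
        done
    done < "$file"
    return $rc
}

# make_fixture: fake module dir plus two service files, one reproducing the
# thread's /etc/etc typo and one corrected. Prints the fixture directory.
make_fixture() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/security" "$tmp/etc"
    for m in pam_yubico.so pam_nologin.so; do : > "$tmp/security/$m"; done
    : > "$tmp/etc/yubikey_passwd"
    printf '%s\n' "auth required pam_yubico.so id=16 debug authfile=$tmp/etc/etc/yubikey_passwd" \
        "auth include system-auth" "account required pam_nologin.so" > "$tmp/broken"
    printf '%s\n' "auth required pam_yubico.so id=16 debug authfile=$tmp/etc/yubikey_passwd" \
        "auth include system-auth" "account required pam_nologin.so" > "$tmp/fixed"
    echo "$tmp"
}

FX=$(make_fixture)
lint_pam_service "$FX/broken" "$FX/security" || echo "broken stack: problems found"
lint_pam_service "$FX/fixed" "$FX/security" && echo "fixed stack: ok"
```

On a real host, run it as `lint_pam_service /etc/pam.d/openvpn /lib64/security` (CentOS 5 64-bit) or `/lib/security` on 32-bit systems.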

Author:  mako [ Fri Mar 08, 2013 5:27 pm ]
Post subject:  Re: Help on integration Yubico_pam + openvpn

According to man pam_nologin, the directive account required pam_nologin.so will allow only the root user.
It is good to note this, because a lot of users want to make the connection work for common users, and they are confused.
For me, the better solution is to replace the line above (in /etc/pam.d/openvpn) with
account required pam_succeed_if.so uid = 1000 quiet
and define the UID exactly.

My Ubuntu config (Red Hat has system-auth):

auth required pam_yubico.so mode=client try_first_pass id=16 debug authfile=/etc/yubikey_mappings
auth include common-auth
#account required pam_nologin.so
account required pam_succeed_if.so uid = 1000 quiet
account include common-auth
password include common-auth
session include common-auth
