Yubico Forum

...visit our web-store at store.yubico.com
It is currently Tue Jan 30, 2018 3:16 pm

All times are UTC + 1 hour




Post new topic Reply to topic  [ 2 posts ] 
Author Message
PostPosted: Tue Oct 05, 2010 10:02 pm 
Offline

Joined: Fri Oct 01, 2010 9:21 pm
Posts: 2
Hello I just received my yubikey and I am trying to configure openvpn with pam on CentOS 5.5 32 bits (tried on 64 bits too). I m not using radius

I install ykclient and can get auth with the api.yubico.com server

I can connect and use openvpn with certs + username +password.
I modified the server file for the yubikey+openvpn (last line)

server.conf
Code:
local 192.168.4.16
port 443
proto tcp
dev tun
ca    /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert    /etc/openvpn/easy-rsa/2.0/keys/vpn.lexum.com.crt
crl-verify /etc/openvpn/easy-rsa/2.0/keys/crl.pem
dh /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem
server 192.168.5.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push  "dhcp-option WINS 192.168.4.29"
keepalive 10 120
comp-lzo
user   openvpn
group    openvpn
persist-key
persist-tun
status openvpn-status.log
log-append  /var/log/openvpn.log
verb 3
username-as-common-name
plugin /usr/lib/openvpn/plugin/lib/openvpn-auth-pam.so openvpn


Now I create several files :
/etc/pam.d/openvpn
Code:
#%PAM-1.0
auth required /lib/security/pam_yubico.so id=2 authfile=/etc/openvpn/yubikey_mapping
auth       include      system-auth
account    include      system-auth
password   include      system-auth
session    include      system-auth


and /etc/openvpn/yubikey_mapping
Code:
user1:ccccceedtieb


Now on the windows station I launch the openvpn client and type at the prompt:
username
password+press the yubikey to get the OTP

But I have this error :
Quote:
PAM unable to dlopen(/lib/security/pam_yubico.so)
Oct 5 16:46:41 parma openvpn[3730]: PAM [error: /lib/security/pam_yubico.so: undefined symbol: pam_set_data]
Oct 5 16:46:41 parma openvpn[3730]: PAM adding faulty module: /lib/security/pam_yubico.so


There is no connection to the api.yubico.com (using tcpdump)

I tried with pam_yubico 2.1.2 (EPEL repository) and 2.5 from source bu the problem is always the same

Any idea ?

TX


Top
 Profile  
Reply with quote  

Share On:

Share on Facebook FacebookShare on Twitter TwitterShare on Tumblr TumblrShare on Google+ Google+

PostPosted: Fri Oct 08, 2010 7:25 pm 
Offline

Joined: Fri Oct 01, 2010 9:21 pm
Posts: 2
I found the problem :
I had the following line to /etc/init.d/openvpn:
Code:
export LD_PRELOAD=/lib64/libpam.so.0.81.5

Software used :
Centos 5.5 (64 bits )+ EPEL repo. All packages below from this repo
ykclient-2.2-1.el5
openvpn-2.1.1-2.el5
pam_yubico-2.1-2.el5

I used /etc/pam.d/login to create /etc/pam.d/openvpn
Code:
#%PAM-1.0
auth       required     pam_yubico.so authfile=/etc/yubikey_mappings id=16 debug
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    include      system-auth
session    required     pam_loginuid.so
session    optional     pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open
session    optional     pam_keyinit.so force revoke


And modified /etc/openvpn/server.conf

Code:
username-as-common-name
plugin /usr/lib64/openvpn/plugin/lib/openvpn-auth-pam.so openvpn


I hope this help


Top
 Profile  
Reply with quote  
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 2 posts ] 

All times are UTC + 1 hour


Who is online

Users browsing this forum: No registered users and 1 guest


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB® Forum Software © phpBB Group