Configuration Yubikey with OpenVPN

[lexASR]

Hello everyone,

I have an OpenVPN in 2.4.7 on Debian 10.
The authentication with certificates is working.

To add more security, I want configure my service with Yubikey.
I have follow this procedure https://developers.yubico.com/yubico-pa ... a_PAM.html without FreeRadius and it's not working.
I contact directly the Yubikey support and they have reproduce the problem on Ubuntu.
Finaly they told to me, the problem came from OpenVPN.

Any pepole have configure in success the 2FA with Yubikey?

[TinCanTech]

Finaly they told to me, the problem came from OpenVPN

You will have to try harder than that .. What problem ?

viewtopic.php?f=30&t=22603

[lexASR]

Hello,

I want to configure an OpenVPN server OpenSource v 2.4.7 with Yubikeys.
So, I have install OpenVPN, configure the first client and test the connection with simply certificate authentication, it's work.
After that, I have follow the procedure https://developers.yubico.com/yubico-pa ... a_PAM.html to install the Yubikey .pam without freeradius. I have install and configure the pam file like:

/etc/pam.d/yubi-pam

Code: Select all

auth sufficient pam_yubico.so id=xxx key=xxx authfile/etc/yubikey_mappings
account required  pam_yubico.so
debug debug_file = /var/log/pam_yubico.log

/etc/yubikey_mapping

Code: Select all

user: ccc.....

/etc/pam.d/openvpn-pam

Code: Select all

 auth             required       yubi-pam.so authfile=/etc/yubikey_mappings id=xxxx debug
auth             include        system-auth
account          required       pam_nologin.so
account          include        system-auth
password         include        system-auth
session          include        system-auth 

I add lines in my openvpn configuration:

Code: Select all

 plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so openvpn
username-as-common-name 

On my client configuration, I add the line:

Code: Select all

 auth-user-pass 

And I start the connection. The client VPN ask me the Yubikey and for my certificate password. After few seconds, the authentication failed.
You can see the server logs:

Code: Select all

Mon Aug  3 10:00:39 2020 us=352502 MULTI: multi_create_instance called
Mon Aug  3 10:00:39 2020 us=352724 @IP-CLIENT:49509 Re-using SSL/TLS context
Mon Aug  3 10:00:39 2020 us=353080 @IP-CLIENT:49509 Control Channel MTU parms [ L:1621 D:1172 EF:78 EB:0 ET:0 EL:3 ]
Mon Aug  3 10:00:39 2020 us=353119 @IP-CLIENT:49509 Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:406 ET:0 EL:3 ]
Mon Aug  3 10:00:39 2020 us=353182 @IP-CLIENT:49509 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1569,tun-mtu 1500,proto UDPv4,keydir 0,cipher AES-256-CBC,auth SHA256,keysize 256,tls-auth,key-method 2,tls-server'
Mon Aug  3 10:00:39 2020 us=353190 @IP-CLIENT:49509 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1569,tun-mtu 1500,proto UDPv4,keydir 1,cipher AES-256-CBC,auth SHA256,keysize 256,tls-auth,key-method 2,tls-client'
Mon Aug  3 10:00:39 2020 us=353227 @IP-CLIENT:49509 TLS: Initial packet from [AF_INET]@IP-CLIENT:49509, sid=2e9b1913 b78ad8fc
Mon Aug  3 10:00:39 2020 us=472635 @IP-CLIENT:49509 VERIFY OK: depth=1, CN=OpenVPN CA
Mon Aug  3 10:00:39 2020 us=472964 @IP-CLIENT:49509 VERIFY OK: depth=0, CN=user
Mon Aug  3 10:00:39 2020 us=531641 @IP-CLIENT:49509 peer info: IV_VER=2.4.8
Mon Aug  3 10:00:39 2020 us=531731 @IP-CLIENT:49509 peer info: IV_PLAT=win
Mon Aug  3 10:00:39 2020 us=531796 @IP-CLIENT:49509 peer info: IV_PROTO=2
Mon Aug  3 10:00:39 2020 us=531831 @IP-CLIENT:49509 peer info: IV_NCP=2
Mon Aug  3 10:00:39 2020 us=531864 @IP-CLIENT:49509 peer info: IV_LZ4=1
Mon Aug  3 10:00:39 2020 us=531898 @IP-CLIENT:49509 peer info: IV_LZ4v2=1
Mon Aug  3 10:00:39 2020 us=531930 @IP-CLIENT:49509 peer info: IV_LZO=1
Mon Aug  3 10:00:39 2020 us=531962 @IP-CLIENT:49509 peer info: IV_COMP_STUB=1
Mon Aug  3 10:00:39 2020 us=531996 @IP-CLIENT:49509 peer info: IV_COMP_STUBv2=1
Mon Aug  3 10:00:39 2020 us=532029 @IP-CLIENT:49509 peer info: IV_TCPNL=1
Mon Aug  3 10:00:39 2020 us=532062 @IP-CLIENT:49509 peer info: IV_GUI_VER=OpenVPN_GUI_11
AUTH-PAM: BACKGROUND: received command code: 0
AUTH-PAM: BACKGROUND: USER: user
AUTH-PAM: BACKGROUND: user 'user' failed to authenticate: Module is unknown
Mon Aug  3 10:00:39 2020 us=536118 @IP-CLIENT:49509 PLUGIN_CALL: POST /usr/lib/openvpn/openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
Mon Aug  3 10:00:39 2020 us=536149 @IP-CLIENT:49509 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/lib/openvpn/openvpn-plugin-auth-pam.so
Mon Aug  3 10:00:39 2020 us=536184 @IP-CLIENT:49509 TLS Auth Error: Auth Username/Password verification failed for peer
Mon Aug  3 10:00:39 2020 us=590053 @IP-CLIENT:49509 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Mon Aug  3 10:00:39 2020 us=590103 @IP-CLIENT:49509 [user] Peer Connection Initiated with [AF_INET]@IP-CLIENT:49509
Mon Aug  3 10:00:40 2020 us=679837 @IP-CLIENT:49509 PUSH: Received control message: 'PUSH_REQUEST'
Mon Aug  3 10:00:40 2020 us=679941 @IP-CLIENT:49509 Delayed exit in 5 seconds
Mon Aug  3 10:00:40 2020 us=680013 @IP-CLIENT:49509 SENT CONTROL [user]: 'AUTH_FAILED' (status=1)
Mon Aug  3 10:00:46 2020 us=102102 @IP-CLIENT:49509 SIGTERM[soft,delayed-exit] received, client-instance exiting

We can see the line "AUTH-PAM: BACKGROUND: user 'user' failed to authenticate: Module is unknown".
I think it's the same error which had the Yubikey support. They told me the problem come before the yubi-pam be called.

This is my server configuration:

Code: Select all

local 
port 1194
proto udp
dev tun
ca /etc/openvpn/certs/ca.crt
cert /etc/openvpn/certs/openvpn-server.crt
key /etc/openvpn/certs/openvpn-server.key  # This file should be kept secret
dh /etc/openvpn/certs/dh.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist /var/log/openvpn/ipp.txt
keepalive 10 120
tls-auth ta.key 0 # This file is secret
cipher AES-256-CBC
auth SHA256
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log-append  /var/log/openvpn/openvpn.log
verb 3
explicit-exit-notify 1
plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so openvpn
username-as-common-name 

The client logs don't have interessants informations.

I send my configuration to the Yubikey support and they valided it.
After that, the Yubikey support have reproduce the problem on Ubuntu and they deducted the problem come from the OpenVPN version.

Somebody have the same problem ? And Somebody have Yubikey working in VPN server ?

[TinCanTech]

AUTH-PAM: BACKGROUND: user 'user' failed to authenticate: Module is unknown

Same problem here:
viewtopic.php?f=6&t=30674#p93410

[lexASR]

Ok thank you !
It's resolv the problem but now I have this message:

Code: Select all

AUTH-PAM: BACKGROUND: user 'user' failed to authenticate: Permission denied

[TinCanTech]

viewtopic.php?f=6&t=30674&p=93560#p93550

[lexASR]

Hello,

I saw your answer in your url but and I have question.
My user need to be create via the adduser command ?

[lexASR]

Hello,

My problem is resolv. this is my configuration.

/etc/openvpn/server.conf

Code: Select all

plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so openvpn
client-to-client

/etc/pam.d/yubi-pam

Code: Select all

auth sufficient pam_yubico.so id=xxxx key=xxx authfile=/etc/yubikey_mappings
debug debug_file=/var/run/pam-debug.log

/etc/pam.d/openvpn

Code: Select all

auth             sufficient       pam_yubico.so authfile=/etc/yubikey_mappings id=xxxxx debug

Thank you for your help