OpenVPN PAM/Yubico
-
Hi,
I've tried using a pam-module to authenticate users in addition to the certificates.
When I use only SSL/TLS with internal two-tier PKI, everything works like a charm, but when I add the following line, everything stops working:
plugin /usr/local/lib/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn
Strangely enough, though - the server says that the PAM module has successfully authenticated.
Feb 10 23:22:57 openvpn[17342]: Inactivity timeout (--ping-restart), restarting
Feb 10 23:22:57 openvpn[17342]: in pam_get_item(): returning PAM_SUCCESS
Feb 10 23:22:57 openvpn[17342]: in pam_get_item(): entering: PAM_CONV
Feb 10 23:22:57 openvpn[17342]: in pam_get_user(): returning PAM_SUCCESS
Feb 10 23:22:57 openvpn[17342]: in pam_get_item(): returning PAM_SUCCESS
Feb 10 23:22:57 openvpn[17342]: in pam_get_item(): entering: PAM_USER
Feb 10 23:22:57 openvpn[17342]: in pam_get_user(): entering
Feb 10 23:22:57 openvpn[17342]: in openpam_dispatch(): calling pam_sm_authenticate() in /usr/local/lib/security/pam_yubico.so
Feb 10 23:22:57 openvpn[18404]: xxx.xxx.xxx.xxx:44888 VERIFY OK: depth=0
Feb 10 23:22:57 openvpn[18404]: xxx.xxx.xxx.xxx:44888 VERIFY SCRIPT OK: depth=0
Feb 10 23:22:57 openvpn[18404]: xxx.xxx.xxx.xxx:44888 VERIFY OK: depth=1
Feb 10 23:22:57 openvpn[18404]: xxx.xxx.xxx.xxx:44888 VERIFY SCRIPT OK: depth=1
Feb 10 23:22:57 openvpn[18404]: xxx.xxx.xxx.xxx:44888 VERIFY OK: depth=2
Feb 10 23:22:57 openvpn[18404]: xxx.xxx.xxx.xxx:44888 VERIFY SCRIPT OK: depth=2
Feb 10 23:22:55 openvpn[18404]: xxx.xxx.xxx.xxx:44888 TLS: Initial packet from [AF_INET]xxx.xxx.xxx.xxx:44888, sid=aef67ba9 533fbc51
Feb 10 23:22:55 openvpn[18404]: xxx.xxx.xxx.xxx:44888 Expected Remote Options hash (VER=V4): 'df9aa7c6'
Feb 10 23:22:55 openvpn[18404]: xxx.xxx.xxx.xxx:44888 Local Options hash (VER=V4): 'e6ffcd12'
Feb 10 23:22:55 openvpn[18404]: xxx.xxx.xxx.xxx:44888 Expected Remote Options String: 'V4,dev-type tap,link-mtu 1589,tun-mtu 1532,proto UDPv4,cipher AES-128-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Feb 10 23:22:55 openvpn[18404]: xxx.xxx.xxx.xxx:44888 Local Options String: 'V4,dev-type tap,link-mtu 1589,tun-mtu 1532,proto UDPv4,cipher AES-128-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
However, the client just times out, and then says TLS key negotiation failed after 60 seconds.
How can I proceed?
-
I have exactly this problem. Did you find a solution OP?
-
While I was trying to get this to work, I found this post about re-compiling curl (as the symptoms sounded similar: auth looks to have passed but TLS fails after a timeout)... though from what I understand it's not recommended to customize your firewall firmware too significantly?
https://github.com/Yubico/yubico-pam/issues/55
All other aspects of auth work for standard cert-based VPN connection which we run on two multi-WAN, multi-firewall networks, but when I enable yubi-auth in PAM, I get exactly the same log messages as the OP.
We've been running yubi-auth for SSH and I'm realizing that probably the better solution is to have yubi-auth (+certs or user auth) for VPN and only have PKI for SSH (so that it is never a hindrance for scripted deployments). I'd really like to get this working.
-
Hi,
The way I got this working was via another FreeBSD instance and creating a separate curl-package with cares-support (https://github.com/Yubico/yubico-pam/issues/55 - is in fact my post).
However, this is not at all good, since every update of pfSense breaks the package, and you need to reinstall the precompiled port. This is why I tweeted pfsense a while back urging them to ship pfSense with cURL-cares (https://twitter.com/ict_sec/status/648418038807724032).
I just jotted down a few notes to help me remember what I did on a separate FreeBSD instance to get it working, with the guidance from http://mjslabs.com/yubihow.html.
# Put the pfSense ports tree aside and check out a current FreeBSD ports tree (needs subversion)
mv /usr/ports /usr/ports.bak
pkg install subversion
svn checkout https://svn0.eu.FreeBSD.org/ports/head /usr/ports
# Build ftp/curl, enabling the c-ares option in the config dialog, then package the installed port
cd /usr/ports/ftp/curl
make config
make install
pkg create curl
Transfer the newly created .txz file to the pfsense machine and install with pkg add curl-XXXX.txz
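Two checks that go with the procedure above, written here as an added example (not from the thread, pfSense or the yubico-pam project): whether the curl on the box reports c-ares / AsynchDNS, and whether an OpenVPN server log shows the symptom in this thread, pam_yubico being dispatched and the client then hitting the TLS negotiation timeout. It assumes OpenVPN's usual "TLS Error: TLS key negotiation failed to occur within 60 seconds" wording and the log layout quoted above; the curl version strings and log lines are constructed samples.

```shell
#!/bin/sh
# Added diagnostic (not part of the thread). Assumes the syslog layout shown in the
# thread: "<date> <time> openvpn[pid]: <client host:port> <message>".

# Returns 0 when the given "curl -V" output reports c-ares (async DNS) support.
curl_has_cares() {
    printf '%s\n' "$1" | grep -Eq 'c-ares/|AsynchDNS'
}

# Reads OpenVPN server log text on stdin; prints how many distinct clients hit the
# TLS key negotiation timeout after pam_yubico.so had been dispatched at least once.
count_yubico_then_tls_timeout() {
    awk '
        /pam_sm_authenticate\(\) in .*pam_yubico\.so/ { pam_seen = 1 }
        pam_seen && /TLS Error: TLS key negotiation failed to occur/ { failed[$5] = 1 }
        END { n = 0; for (c in failed) n++; print n + 0 }
    '
}

# Constructed sample inputs (not real output from any system).
SAMPLE_CURL_NO_CARES='curl 7.43.0 (amd64-portbld-freebsd10) libcurl/7.43.0 OpenSSL/1.0.1p
Features: IPv6 Largefile NTLM SSL libz'
SAMPLE_CURL_CARES='curl 7.43.0 (amd64-portbld-freebsd10) libcurl/7.43.0 OpenSSL/1.0.1p c-ares/1.10.0
Features: AsynchDNS IPv6 Largefile NTLM SSL libz'
SAMPLE_LOG='Feb 10 23:22:57 openvpn[17342]: in openpam_dispatch(): calling pam_sm_authenticate() in /usr/local/lib/security/pam_yubico.so
Feb 10 23:22:57 openvpn[18404]: 198.51.100.7:44888 VERIFY OK: depth=0
Feb 10 23:23:57 openvpn[18404]: 198.51.100.7:44888 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Feb 10 23:24:01 openvpn[18404]: 203.0.113.9:51000 VERIFY OK: depth=0'

# Runs the log check over the constructed sample; prints "1" (one affected client).
sample_timeout_count() {
    printf '%s\n' "$SAMPLE_LOG" | count_yubico_then_tls_timeout
}

# Stand-alone run: report on the installed curl if there is one, then on the sample log.
if command -v curl >/dev/null 2>&1; then
    if curl_has_cares "$(curl -V)"; then echo "curl: c-ares present"; else echo "curl: no c-ares"; fi
fi
echo "clients timing out after pam_yubico in sample log: $(sample_timeout_count)"
```

On a pfSense box, replace the sample with `curl -V` and the real OpenVPN log (for example via `clog /var/log/openvpn.log | count_yubico_then_tls_timeout`) before and after installing the rebuilt curl package.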