Netgate Discussion Forum
    OpenVPN PAM/Yubico

    4 Posts 2 Posters 2.7k Views

    davand01

      Hi,

      I've tried using a PAM module to authenticate users in addition to the certificates.

      When I use only SSL/TLS with internal two-tier PKI, everything works like a charm, but when I add the following line, everything stops working:

      plugin /usr/local/lib/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn

      Strangely enough, though - the server says that the PAM module has successfully authenticated.

      Feb 10 23:22:57 openvpn[17342]: Inactivity timeout (--ping-restart), restarting
      Feb 10 23:22:57 openvpn[17342]: in pam_get_item(): returning PAM_SUCCESS
      Feb 10 23:22:57 openvpn[17342]: in pam_get_item(): entering: PAM_CONV
      Feb 10 23:22:57 openvpn[17342]: in pam_get_user(): returning PAM_SUCCESS
      Feb 10 23:22:57 openvpn[17342]: in pam_get_item(): returning PAM_SUCCESS
      Feb 10 23:22:57 openvpn[17342]: in pam_get_item(): entering: PAM_USER
      Feb 10 23:22:57 openvpn[17342]: in pam_get_user(): entering
      Feb 10 23:22:57 openvpn[17342]: in openpam_dispatch(): calling pam_sm_authenticate() in /usr/local/lib/security/pam_yubico.so
      Feb 10 23:22:57 openvpn[18404]: xxx.xxx.xxx.xxx:44888 VERIFY OK: depth=0
      Feb 10 23:22:57 openvpn[18404]: xxx.xxx.xxx.xxx:44888 VERIFY SCRIPT OK: depth=0
      Feb 10 23:22:57 openvpn[18404]: xxx.xxx.xxx.xxx:44888 VERIFY OK: depth=1
      Feb 10 23:22:57 openvpn[18404]: xxx.xxx.xxx.xxx:44888 VERIFY SCRIPT OK: depth=1
      Feb 10 23:22:57 openvpn[18404]: xxx.xxx.xxx.xxx:44888 VERIFY OK: depth=2
      Feb 10 23:22:57 openvpn[18404]: xxx.xxx.xxx.xxx:44888 VERIFY SCRIPT OK: depth=2
      Feb 10 23:22:55 openvpn[18404]: xxx.xxx.xxx.xxx:44888 TLS: Initial packet from [AF_INET]xxx.xxx.xxx.xxx:44888, sid=aef67ba9 533fbc51
      Feb 10 23:22:55 openvpn[18404]: xxx.xxx.xxx.xxx:44888 Expected Remote Options hash (VER=V4): 'df9aa7c6'
      Feb 10 23:22:55 openvpn[18404]: xxx.xxx.xxx.xxx:44888 Local Options hash (VER=V4): 'e6ffcd12'
      Feb 10 23:22:55 openvpn[18404]: xxx.xxx.xxx.xxx:44888 Expected Remote Options String: 'V4,dev-type tap,link-mtu 1589,tun-mtu 1532,proto UDPv4,cipher AES-128-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
      Feb 10 23:22:55 openvpn[18404]: xxx.xxx.xxx.xxx:44888 Local Options String: 'V4,dev-type tap,link-mtu 1589,tun-mtu 1532,proto UDPv4,cipher AES-128-CBC,auth SHA1,keysize 128,key-method 2,tls-server'

      However, the client just times out, and then says TLS key negotiation failed after 60 seconds.

      How can I proceed?

    sideburnie

        I have exactly this problem. Did you find a solution OP?

    sideburnie

          While I was trying to get this to work, I found this post about re-compiling curl (as the symptoms sounded similar: auth looks to have passed but TLS fails after a timeout)... though from what I understand it's not recommended to customize your firewall firmware too significantly?

          https://github.com/Yubico/yubico-pam/issues/55

          All other aspects of auth work for standard cert-based VPN connection which we run on two multi-WAN, multi-firewall networks, but when I enable yubi-auth in PAM, I get exactly the same log messages as the OP.

          We've been running yubi-auth for SSH and I'm realizing that probably the better solution is to have yubi-auth (+certs or user auth) for VPN and only have PKI for SSH (so that it is never a hindrance for scripted deployments). I'd really like to get this working.

    davand01

            Hi,

            The way I got this working was via another FreeBSD instance and creating a separate curl package with c-ares support (https://github.com/Yubico/yubico-pam/issues/55 is in fact my post).

            However, this is not at all good, since every update of pfSense breaks the package, and you need to reinstall the precompiled port. This is why I tweeted pfSense a while back urging them to ship pfSense with cURL built with c-ares (https://twitter.com/ict_sec/status/648418038807724032).

            I just jotted down a few notes to help me remember what I did on a separate FreeBSD instance to get it working, with the guidance from http://mjslabs.com/yubihow.html.

            # On the separate FreeBSD build host: fetch a fresh ports tree
            mv /usr/ports /usr/ports.bak
            pkg install subversion
            svn checkout https://svn0.eu.FreeBSD.org/ports/head /usr/ports
            # Build the curl port; enable the c-ares option in the config menu
            cd /usr/ports/ftp/curl
            make config
            make install
            # Package the now-installed curl; writes curl-<version>.txz to the current directory
            pkg create curl
            

            Transfer the newly created .txz file to the pfSense machine and install it with pkg add curl-XXXX.txz

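The thread's fix hinges on the curl installed on the pfSense box being built against c-ares, and after a `pkg add` (or after a pfSense upgrade silently replaces the package) it is worth confirming that before trusting OTP validation to it. The check below is an added example, not code from the thread, from yubico-pam or from pfSense. It relies on one fact about curl itself: when libcurl is linked against c-ares, the first line of `curl -V` names it as a `c-ares/<version>` token. The `AsynchDNS` entry in the Features line is not sufficient on its own, because curl's threaded resolver reports that feature too. The sample banners embedded in the script are constructed for offline use, and the script's function names are assumptions of this example.

```sh
#!/bin/sh
# Added example (not from the thread): confirm the curl on this box was
# built against c-ares before relying on it for pam_yubico OTP validation.
# libcurl lists linked resolver libraries in its version banner, e.g.
#   curl 7.x (...) libcurl/7.x OpenSSL/... zlib/... c-ares/1.x
# so the test is a string match on the first line of `curl -V`.

# Return 0 if a curl version banner (first line of `curl -V`) names c-ares.
banner_has_cares() {
    printf '%s\n' "$1" | grep -q 'c-ares/'
}

# Print the c-ares version from a banner, or nothing if it is absent.
banner_cares_version() {
    printf '%s\n' "$1" | sed -n 's/.* c-ares\/\([^ ]*\).*/\1/p'
}

# Constructed sample banners for offline use (versions are illustrative);
# a real one comes from `curl -V | head -n 1`.
SAMPLE_STOCK='curl 7.43.0 (amd64-portbld-freebsd10.1) libcurl/7.43.0 OpenSSL/1.0.1p zlib/1.2.8'
SAMPLE_CARES='curl 7.43.0 (amd64-portbld-freebsd10.1) libcurl/7.43.0 OpenSSL/1.0.1p zlib/1.2.8 c-ares/1.10.0'

# Inspect the curl actually on PATH. Exit status: 0 = c-ares present,
# 1 = curl found but without c-ares, 2 = no curl on PATH.
check_installed_curl() {
    if ! command -v curl >/dev/null 2>&1; then
        echo "curl not found on PATH"
        return 2
    fi
    banner=$(curl -V 2>/dev/null | head -n 1)
    if banner_has_cares "$banner"; then
        echo "OK: c-ares $(banner_cares_version "$banner") linked: $banner"
        return 0
    fi
    echo "WARNING: curl lacks c-ares, pam_yubico lookups may hang: $banner"
    return 1
}

# Show the parser on the constructed samples, then run the live check.
# The live check does not abort the script so the helpers above can be
# sourced from other scripts.
for b in "$SAMPLE_STOCK" "$SAMPLE_CARES"; do
    if banner_has_cares "$b"; then
        echo "sample has c-ares $(banner_cares_version "$b")"
    else
        echo "sample has no c-ares"
    fi
done
check_installed_curl || true
```

Run it on the pfSense box right after `pkg add curl-XXXX.txz`, and again after every pfSense update, since the thread notes that updates replace the custom package; a non-zero exit from `check_installed_curl` is the cue to reinstall the c-ares build before users start getting the 60-second TLS negotiation timeouts described above.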
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.