OpenVPN PAM/Yubico



  • Hi,

    I've tried using a pam-module to authenticate users in addition to the certificates.

    When I use only SSL/TLS with internal two-tier PKI, everything works like a charm, but when I add the following line, everything stops working:

    plugin /usr/local/lib/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn

    Strangely enough, though - the server says that the PAM module has successfully authenticated.

    Feb 10 23:22:57 openvpn[17342]: Inactivity timeout (--ping-restart), restarting
    Feb 10 23:22:57 openvpn[17342]: in pam_get_item(): returning PAM_SUCCESS
    Feb 10 23:22:57 openvpn[17342]: in pam_get_item(): entering: PAM_CONV
    Feb 10 23:22:57 openvpn[17342]: in pam_get_user(): returning PAM_SUCCESS
    Feb 10 23:22:57 openvpn[17342]: in pam_get_item(): returning PAM_SUCCESS
    Feb 10 23:22:57 openvpn[17342]: in pam_get_item(): entering: PAM_USER
    Feb 10 23:22:57 openvpn[17342]: in pam_get_user(): entering
    Feb 10 23:22:57 openvpn[17342]: in openpam_dispatch(): calling pam_sm_authenticate() in /usr/local/lib/security/pam_yubico.so
    Feb 10 23:22:57 openvpn[18404]: xxx.xxx.xxx.xxx:44888 VERIFY OK: depth=0
    Feb 10 23:22:57 openvpn[18404]: xxx.xxx.xxx.xxx:44888 VERIFY SCRIPT OK: depth=0
    Feb 10 23:22:57 openvpn[18404]: xxx.xxx.xxx.xxx:44888 VERIFY OK: depth=1
    Feb 10 23:22:57 openvpn[18404]: xxx.xxx.xxx.xxx:44888 VERIFY SCRIPT OK: depth=1
    Feb 10 23:22:57 openvpn[18404]: xxx.xxx.xxx.xxx:44888 VERIFY OK: depth=2
    Feb 10 23:22:57 openvpn[18404]: xxx.xxx.xxx.xxx:44888 VERIFY SCRIPT OK: depth=2
    Feb 10 23:22:55 openvpn[18404]: xxx.xxx.xxx.xxx:44888 TLS: Initial packet from [AF_INET]xxx.xxx.xxx.xxx:44888, sid=aef67ba9 533fbc51
    Feb 10 23:22:55 openvpn[18404]: xxx.xxx.xxx.xxx:44888 Expected Remote Options hash (VER=V4): 'df9aa7c6'
    Feb 10 23:22:55 openvpn[18404]: xxx.xxx.xxx.xxx:44888 Local Options hash (VER=V4): 'e6ffcd12'
    Feb 10 23:22:55 openvpn[18404]: xxx.xxx.xxx.xxx:44888 Expected Remote Options String: 'V4,dev-type tap,link-mtu 1589,tun-mtu 1532,proto UDPv4,cipher AES-128-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
    Feb 10 23:22:55 openvpn[18404]: xxx.xxx.xxx.xxx:44888 Local Options String: 'V4,dev-type tap,link-mtu 1589,tun-mtu 1532,proto UDPv4,cipher AES-128-CBC,auth SHA1,keysize 128,key-method 2,tls-server'

    However, the client just times out, and then says tls key negotiation failed after 60 seconds.

    How can I proceed?



  • I have exactly this problem. Did you find a solution OP?



  • While I was trying to get this to work, I found this post about re-compiling curl (as the symptoms sounded similar - auth looks to have passed but TLS fails after a timeout)... though from what I understand it's not recommended to customize your firewall firmware too significantly?

    https://github.com/Yubico/yubico-pam/issues/55

    All other aspects of auth work for standard cert-based VPN connection which we run on two multi-WAN, multi-firewall networks, but when I enable yubi-auth in PAM, I get exactly the same log messages as the OP.

    We've been running yubi-auth for SSH and I'm realizing that probably the better solution is to have yubi-auth (+certs or user auth) for VPN and only have PKI for SSH (so that it is never a hindrance for scripted deployments). I'd really like to get this working.



  • Hi,

    The way I got this working was via another FreeBSD instance and creating a separate curl-package with cares-support (https://github.com/Yubico/yubico-pam/issues/55 - is in fact my post).

    However, this is not at all good, since every update of pfSense breaks the package, and you need to reinstall the precompiled port. This is why I tweeted pfsense a while back urging them to ship pfSense with cURL-cares (https://twitter.com/ict_sec/status/648418038807724032).

    I just jotted down a few notes to help me remember what I did on a separate FreeBSD instance to get it working, with the guidance from http://mjslabs.com/yubihow.html.

    # Move the stock ports tree aside and fetch a current one with subversion
    mv /usr/ports /usr/ports.bak
    pkg install subversion
    svn checkout https://svn0.eu.FreeBSD.org/ports/head /usr/ports
    # Build ftp/curl from the port, enabling the CARES option in the config dialog
    cd /usr/ports/ftp/curl
    make config
    make install
    # Package the installed curl (pkg create takes the package name) into a .txz
    pkg create curl

    Transfer the newly created .txz file to the pfsense machine and install with pkg add curl-XXXX.txz
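    Two quick checks for the situation in this thread, as an added example that is not code from the thread, pfSense or Yubico: whether the installed curl reports an asynchronous resolver and c-ares (parsed from `curl -V` output), and whether an OpenVPN log shows pam_yubico being called and the same openvpn process then hitting the --ping-restart timeout, as in the first post. The `curl -V` text and log lines are constructed samples and the function names are my own; on a live box, pipe `curl -V` or the syslog into them.

```shell
# Added example, not from the thread. Two checks around its diagnosis:
#  1) does the installed curl advertise an asynchronous resolver and, more
#     specifically, c-ares (the option the rebuilt curl package adds)?
#  2) does the OpenVPN log show pam_yubico being invoked and then the same
#     openvpn process hitting the --ping-restart inactivity timeout?

# stdin: output of `curl -V`. Succeeds if Features lists AsynchDNS
# (set for c-ares and for the threaded resolver alike).
curl_has_async_resolver() {
    grep '^Features:' | tr ' ' '\n' | grep -qx 'AsynchDNS'
}

# stdin: output of `curl -V`. Succeeds only if the version line names c-ares.
curl_uses_cares() {
    head -n 1 | grep -q 'c-ares/'
}

# stdin: OpenVPN syslog lines. Succeeds (and prints the pid) when one
# openvpn[pid] both called pam_sm_authenticate() in pam_yubico.so and
# logged the inactivity timeout; line order does not matter.
yubico_pam_then_timeout() {
    awk '
        match($0, /openvpn\[[0-9]+\]/) {
            pid = substr($0, RSTART + 8, RLENGTH - 9)
            if ($0 ~ /pam_sm_authenticate\(\) in .*pam_yubico/) pam[pid] = 1
            if ($0 ~ /Inactivity timeout \(--ping-restart\)/) timeout[pid] = 1
        }
        END {
            for (p in pam) if (p in timeout) {
                found = 1
                print "pid " p ": pam_yubico ran, then ping-restart timeout"
            }
            exit found ? 0 : 1
        }'
}

# Constructed `curl -V` outputs: one built with c-ares, one without.
CURL_V_WITH_ARES='curl 7.x.y (constructed) libcurl/7.x.y OpenSSL/1.x c-ares/1.x
Features: AsynchDNS IPv6 Largefile SSL'
CURL_V_NO_ARES='curl 7.x.y (constructed) libcurl/7.x.y OpenSSL/1.x
Features: IPv6 Largefile SSL'

# Constructed log, modelled on the first post, in chronological order.
SAMPLE_LOG='Feb 10 23:22:55 openvpn[18404]: xxx.xxx.xxx.xxx:44888 TLS: Initial packet from [AF_INET]xxx.xxx.xxx.xxx:44888
Feb 10 23:22:57 openvpn[18404]: xxx.xxx.xxx.xxx:44888 VERIFY OK: depth=0
Feb 10 23:22:57 openvpn[17342]: in openpam_dispatch(): calling pam_sm_authenticate() in /usr/local/lib/security/pam_yubico.so
Feb 10 23:22:57 openvpn[17342]: Inactivity timeout (--ping-restart), restarting'
```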

