yubico otp / pam / openvpn
Quick notes on setting up pam_yubico.so with OpenVPN.
Add to OpenVPN server config:
plugin /usr/lib/x86_64-linux-gnu/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn
# Use a generated token instead of user/password for up
# to 16 hours, so you'll need to re-enter your otp daily.
auth-gen-token 57600
Sign up at https://upgrade.yubico.com/getapikey/. It's really quick.
Store client_id and secret (or id and key respectively). You'll need them in the config below.
Get PAM module:
# apt-get install --no-install-recommends libpam-yubico
Create /etc/pam.d/openvpn:
# This file is called /etc/pam.d/openvpn; and it is used by openvpn through:
# plugin /usr/lib/x86_64-linux-gnu/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn
# Settings for pam_yubico.so
# --------------------------
# debug
# yes, we want debugging (DISABLE when done)
# debug_file=stderr
# stdout/stderr/somefile all go to journald;
# but stdout will get truncated because it's not flush()ed.
# mode=client
# client for OTP validation
# authfile=/etc/openvpn/server/authorized_yubikeys
# the file with "USERNAME:YUBI1[:YUBI2:...]" lines
# #alwaysok
# this is the dry-run (allow all)
# #use_first_pass/try_first_pass
# do NOT use these for openvpn/openssh; the password is fetched
# through PAM_CONV:
# > pam_yubico.c:935 (pam_sm_authenticate): get password returned: (null)
# #verbose_otp
# do NOT use this for openvpn/openssh; it will break password input
# without any meaningful debug info:
# > pam_yubico.c:1096 (pam_sm_authenticate): conv returned 1 bytes
# > pam_yubico.c:1111 (pam_sm_authenticate): Skipping first 0 bytes. [...]
# > pam_yubico.c:1118 (pam_sm_authenticate): OTP: username ID: username
# First, the username+password is checked:
auth required pam_yubico.so debug debug_file=stderr mode=client authfile=/etc/openvpn/server/authorized_yubikeys id=<client_id> key=<secret>
# Second, an account is needed: pam_sm_acct_mgmt returning PAM_SUCCESS
# (It checks the value of 'yubico_setcred_return' which was set by
# pam_sm_authenticate.) This one needs no additional config:
account required pam_yubico.so debug debug_file=stderr
As you can see in the comments above, some of that config had me puzzled for a while.
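The authfile line in the config above is the piece that ties a username to a specific key: pam_yubico reads "USERNAME:YUBI1[:YUBI2:...]" lines, takes the first 12 modhex characters of the submitted 44-character OTP (the key's public ID) and only asks the validation server about the OTP if that ID is listed for the user. The following is an added example, not pam_yubico's own code, that re-implements just that lookup so you can sanity-check an authorized_yubikeys file before wiring it into PAM. The sample authfile and OTP are constructed; the skipping of blank and "#" lines is this example's own convention, not something the page states about the real file format.

```python
"""Re-implementation (example code, not pam_yubico's) of the authfile lookup
that runs before any request reaches the Yubico validation server.

Assumptions, labelled here because the page does not spell them out:
- A Yubico OTP is 44 modhex characters; the first 12 are the key's public ID.
- Blank lines and lines starting with '#' in the authfile are ignored
  (this example's convention).
"""

MODHEX_ALPHABET = "cbdefghijklnrtuv"   # the 16 modhex characters
PUBLIC_ID_LEN = 12
OTP_LEN = 44

# Constructed sample data (not real keys, not a real OTP).
SAMPLE_AUTHFILE = """\
# username:public_id[:public_id...]
alice:cccccccccccd:ccccccfedbgh
bob:ccccccbdhikl
"""
SAMPLE_OTP = "cccccccccccd" + "gjvdehtutjtgluerdnfcrvkgfukehelc"


def is_modhex(s):
    """True if s is non-empty and made only of modhex characters."""
    return len(s) > 0 and all(ch in MODHEX_ALPHABET for ch in s)


def parse_authfile(text):
    """Return {username: set(public_ids)}.

    Raises ValueError on a malformed line so a bad file is caught at
    config time rather than silently locking users out.
    """
    mapping = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        user, *keys = line.split(":")
        if not user or not keys:
            raise ValueError(f"line {lineno}: expected USERNAME:YUBI1[:YUBI2:...]")
        for k in keys:
            if len(k) != PUBLIC_ID_LEN or not is_modhex(k):
                raise ValueError(f"line {lineno}: bad public id {k!r}")
        mapping.setdefault(user, set()).update(keys)
    return mapping


def public_id(otp):
    """Public ID (first 12 modhex chars) of a well-formed OTP, else None."""
    otp = otp.strip()
    if len(otp) != OTP_LEN or not is_modhex(otp):
        return None
    return otp[:PUBLIC_ID_LEN]


def key_belongs_to_user(mapping, username, otp):
    """The local check pam_yubico does before contacting the validation
    server: is the key that produced this OTP registered for this user?"""
    pid = public_id(otp)
    if pid is None:
        return False
    return pid in mapping.get(username, set())


if __name__ == "__main__":
    users = parse_authfile(SAMPLE_AUTHFILE)
    for name in ("alice", "bob", "carol"):
        print(name, "->", key_belongs_to_user(users, name, SAMPLE_OTP))
```

Run it as-is to see alice accepted and bob and carol rejected for the same OTP; point parse_authfile at the contents of your real /etc/openvpn/server/authorized_yubikeys to catch a mistyped public ID before enabling the PAM line. Note that passing this check says nothing about whether the OTP is valid or fresh; that is what the validation server round-trip (mode=client with your id and key) is for.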
The above should be sufficient to get a second factor (2FA) for OpenVPN logins, next to your valid certificate. But, as someone immediately cleverly pointed out: if you use it like this, you have 2 x 1FA. Not 2FA.
That means that the usefulness of this is limited...