OpenVPN + LDAP + Yubico #229

Open
wolf-allywilson opened this issue Jul 16, 2021 · 4 comments

Comments

@wolf-allywilson

I can get OpenVPN working with pam_ldap fine. I can also get it working with pam_yubico using a local auth file fine. I can't seem to get it working with pam_yubico and the LDAP settings though.

Here is my /etc/pam.d/openvpn:

auth required pam_yubico.so verbose_otp debug id=16 ldap_uri=ldap://my.ldap.server yubi_attr=pager ldapdn=DC=my,DC=domain ldap_filter=(uid=%u) [ldap_bind_user=cn=My User,ou=people,dc=my,dc=domain] ldap_bind_password=MyPassword
account required pam_yubico.so

I know it performs an LDAP bind and returns a user with the required attribute as I can see it in tcpdump.

I have my OpenVPN client configured to ask for the OTP using static-challenge, so the authentication request is:
Username prompt
LDAP Password prompt
OTP prompt

Looking at the examples I've found online (for SSH for example), it seems I should just use:
Username prompt
LDAP Password + OTP prompt (i.e. type the password and the OTP in the same field)

I've tried that, and get the same issue unfortunately.

Here's the output from my openvpn server log:

Fri Jul 16 08:37:34 2021 us=1298 MULTI: multi_create_instance called
Fri Jul 16 08:37:34 2021 us=1375 Re-using SSL/TLS context
Fri Jul 16 08:37:34 2021 us=1403 LZO compression initializing
Fri Jul 16 08:37:34 2021 us=1541 Control Channel MTU parms [ L:1624 D:1210 EF:40 EB:0 ET:0 EL:3 ]
Fri Jul 16 08:37:34 2021 us=1560 Data Channel MTU parms [ L:1624 D:1450 EF:124 EB:406 ET:0 EL:3 ]
Fri Jul 16 08:37:34 2021 us=1625 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1604,tun-mtu 1500,proto TCPv4_SERVER,comp-lzo,cipher AES-256-CBC,auth SHA512,keysize 256,key-method 2,tls-server'
Fri Jul 16 08:37:34 2021 us=1637 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1604,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,cipher AES-256-CBC,auth SHA512,keysize 256,key-method 2,tls-client'
Fri Jul 16 08:37:34 2021 us=1680 TCP connection established with [AF_INET]172.27.202.17:58464
Fri Jul 16 08:37:34 2021 us=1694 TCPv4_SERVER link local: (not bound)
Fri Jul 16 08:37:34 2021 us=1700 TCPv4_SERVER link remote: [AF_INET]172.27.202.17:58464
Fri Jul 16 08:37:34 2021 us=984976 172.27.202.17:58464 TLS: Initial packet from [AF_INET]172.27.202.17:58464, sid=dc3c3bf6 53ba8323
Fri Jul 16 08:37:35 2021 us=202703 172.27.202.17:58464 peer info: IV_VER=2.4.11
Fri Jul 16 08:37:35 2021 us=202765 172.27.202.17:58464 peer info: IV_PLAT=mac
Fri Jul 16 08:37:35 2021 us=202772 172.27.202.17:58464 peer info: IV_PROTO=2
Fri Jul 16 08:37:35 2021 us=202778 172.27.202.17:58464 peer info: IV_NCP=2
Fri Jul 16 08:37:35 2021 us=202783 172.27.202.17:58464 peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM:AES-256-CBC
Fri Jul 16 08:37:35 2021 us=202787 172.27.202.17:58464 peer info: IV_LZ4=1
Fri Jul 16 08:37:35 2021 us=202791 172.27.202.17:58464 peer info: IV_LZ4v2=1
Fri Jul 16 08:37:35 2021 us=202796 172.27.202.17:58464 peer info: IV_LZO=1
Fri Jul 16 08:37:35 2021 us=202801 172.27.202.17:58464 peer info: IV_COMP_STUB=1
Fri Jul 16 08:37:35 2021 us=202811 172.27.202.17:58464 peer info: IV_COMP_STUBv2=1
Fri Jul 16 08:37:35 2021 us=202816 172.27.202.17:58464 peer info: IV_TCPNL=1
Fri Jul 16 08:37:35 2021 us=202821 172.27.202.17:58464 peer info: IV_GUI_VER="net.tunnelblick.tunnelblick_5671_3.8.5a__build_5671)"
AUTH-PAM: BACKGROUND: received command code: 0
AUTH-PAM: BACKGROUND: USER: myUID
debug: pam_yubico.c:838 (parse_cfg): called.
debug: pam_yubico.c:839 (parse_cfg): flags 0 argc 9
debug: pam_yubico.c:841 (parse_cfg): argv[0]=verbose_otp
debug: pam_yubico.c:841 (parse_cfg): argv[1]=debug
debug: pam_yubico.c:841 (parse_cfg): argv[2]=id=16
debug: pam_yubico.c:841 (parse_cfg): argv[3]=ldap_uri=ldap://my.ldap.server
debug: pam_yubico.c:841 (parse_cfg): argv[4]=yubi_attr=pager
debug: pam_yubico.c:841 (parse_cfg): argv[5]=ldapdn=DC=my,DC=domain
debug: pam_yubico.c:841 (parse_cfg): argv[6]=ldap_filter=(uid=%u)
debug: pam_yubico.c:841 (parse_cfg): argv[7]=ldap_bind_user=cn=My User,ou=people,DC=my,DC=domain
debug: pam_yubico.c:841 (parse_cfg): argv[8]=ldap_bind_password=MyPassword
debug: pam_yubico.c:842 (parse_cfg): id=16
debug: pam_yubico.c:843 (parse_cfg): key=(null)
debug: pam_yubico.c:844 (parse_cfg): debug=1
debug: pam_yubico.c:845 (parse_cfg): debug_file=1
debug: pam_yubico.c:846 (parse_cfg): alwaysok=0
debug: pam_yubico.c:847 (parse_cfg): verbose_otp=1
debug: pam_yubico.c:848 (parse_cfg): try_first_pass=0
debug: pam_yubico.c:849 (parse_cfg): use_first_pass=0
debug: pam_yubico.c:850 (parse_cfg): nullok=0
debug: pam_yubico.c:851 (parse_cfg): authfile=(null)
debug: pam_yubico.c:852 (parse_cfg): ldapserver=(null)
debug: pam_yubico.c:853 (parse_cfg): ldap_uri=ldap://my.ldap.server
debug: pam_yubico.c:854 (parse_cfg): ldap_bind_user=cn=My User,ou=people,DC=my,DC=domain
debug: pam_yubico.c:855 (parse_cfg): ldap_bind_password=MyPassword
debug: pam_yubico.c:856 (parse_cfg): ldap_filter=(uid=%u)
debug: pam_yubico.c:857 (parse_cfg): ldap_cacertfile=(null)
debug: pam_yubico.c:858 (parse_cfg): ldapdn=DC=my,DC=domain
debug: pam_yubico.c:859 (parse_cfg): user_attr=(null)
debug: pam_yubico.c:860 (parse_cfg): yubi_attr=pager
debug: pam_yubico.c:861 (parse_cfg): yubi_attr_prefix=(null)
debug: pam_yubico.c:862 (parse_cfg): url=(null)
debug: pam_yubico.c:863 (parse_cfg): urllist=(null)
debug: pam_yubico.c:864 (parse_cfg): capath=(null)
debug: pam_yubico.c:865 (parse_cfg): cainfo=(null)
debug: pam_yubico.c:866 (parse_cfg): proxy=(null)
debug: pam_yubico.c:867 (parse_cfg): token_id_length=12
debug: pam_yubico.c:868 (parse_cfg): mode=client
debug: pam_yubico.c:869 (parse_cfg): chalresp_path=(null)
debug: pam_yubico.c:899 (pam_sm_authenticate): pam_yubico version: 2.26
debug: pam_yubico.c:914 (pam_sm_authenticate): get user returned: myUID
debug: pam_yubico.c:252 (authorize_user_token_ldap): called
debug: pam_yubico.c:291 (authorize_user_token_ldap): try bind with: cn=My User,ou=people,DC=my,DC=domain:[MyPassword]
debug: pam_yubico.c:322 (authorize_user_token_ldap): LDAP : look up object base='DC=my,DC=domain' filter='(uid=myUID)', ask for attribute 'pager'
debug: pam_yubico.c:360 (authorize_user_token_ldap): LDAP : Found 1 values for pager - checking if any of them match ':(null)'
debug: pam_yubico.c:368 (authorize_user_token_ldap): LDAP : Checking value 1: :zzxxccvvbbnn
debug: pam_yubico.c:1034 (pam_sm_authenticate): Tokens found for user
debug: pam_yubico.c:1096 (pam_sm_authenticate): conv returned 7 bytes
debug: pam_yubico.c:1111 (pam_sm_authenticate): Skipping first 0 bytes. Length is 7, token_id set to 12 and token OTP always 32.
debug: pam_yubico.c:1118 (pam_sm_authenticate): OTP: myUID ID: myUID
debug: pam_yubico.c:252 (authorize_user_token_ldap): called
debug: pam_yubico.c:291 (authorize_user_token_ldap): try bind with: cn=My User,ou=people,DC=my,DC=domain:[MyPassword]
debug: pam_yubico.c:322 (authorize_user_token_ldap): LDAP : look up object base='DC=my,DC=domain' filter='(uid=myUID)', ask for attribute 'pager'
debug: pam_yubico.c:360 (authorize_user_token_ldap): LDAP : Found 1 values for pager - checking if any of them match ':myUID'
debug: pam_yubico.c:368 (authorize_user_token_ldap): LDAP : Checking value 1: :zzxxccvvbbnn
debug: pam_yubico.c:1180 (pam_sm_authenticate): Unauthorized token for this user
debug: pam_yubico.c:1220 (pam_sm_authenticate): done. [Authentication failure]
debug: pam_yubico.c:838 (parse_cfg): called.
debug: pam_yubico.c:83AUTH-PAM: BACKGROUND: my_conv[0] query='YubiKey for `myUID': ' style=2
AUTH-PAM: BACKGROUND: user 'myUID' failed to authenticate: Authentication failure
Fri Jul 16 08:37:35 2021 us=216105 172.27.202.17:58464 PLUGIN_CALL: POST /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
Fri Jul 16 08:37:35 2021 us=216133 172.27.202.17:58464 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so
Fri Jul 16 08:37:35 2021 us=216180 172.27.202.17:58464 TLS Auth Error: Auth Username/Password verification failed for peer
Fri Jul 16 08:37:35 2021 us=240859 172.27.202.17:58464 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384
Fri Jul 16 08:37:35 2021 us=240923 172.27.202.17:58464 Peer Connection Initiated with [AF_INET]172.27.202.17:58464
Fri Jul 16 08:37:36 2021 us=444737 172.27.202.17:58464 PUSH: Received control message: 'PUSH_REQUEST'
Fri Jul 16 08:37:36 2021 us=444792 172.27.202.17:58464 Delayed exit in 5 seconds
Fri Jul 16 08:37:36 2021 us=444803 172.27.202.17:58464 SENT CONTROL [UNDEF]: 'AUTH_FAILED' (status=1)
Fri Jul 16 08:37:36 2021 us=499874 172.27.202.17:58464 Connection reset, restarting [0]
Fri Jul 16 08:37:36 2021 us=499940 172.27.202.17:58464 SIGUSR1[soft,connection-reset] received, client-instance restarting
Fri Jul 16 08:37:36 2021 us=499998 TCP/UDP: Closing socket

I believe the issue is identified here:

debug: pam_yubico.c:1118 (pam_sm_authenticate): OTP: myUID ID: myUID

Something is making it use my username as the OTP?

pam_yubico version: 2.26
OS: Amazon Linux 2 (4.14.232-177.418.amzn2.aarch64)
LDAP: OpenLDAP 2.x
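An added triage script, not from the issue or from the yubico-pam project, that pulls the relevant fields out of pam_yubico debug output like the log above and flags the symptoms visible in it: the value consumed as the OTP equals the username, it is far too short and not modhex, and the prompt was issued with style=2, which in Linux-PAM (<security/pam_appl.h>) is PAM_PROMPT_ECHO_ON. The sample lines are constructed after the ones quoted above; the OTP length and modhex alphabet are the YubiKey OTP format. It also flags that the debug output prints the LDAP bind password in clear text, which is worth knowing before pasting such logs into a ticket.

```python
import re

# Linux-PAM conversation message styles, as defined in <security/pam_appl.h>.
PAM_PROMPT_ECHO_OFF = 1
PAM_PROMPT_ECHO_ON = 2

# A YubiKey OTP is 32 modhex characters of ciphertext, optionally preceded by a
# public token id of up to 12 characters ("token_id set to 12 and token OTP always 32").
OTP_LEN = 32
MODHEX = set("cbdefghijklnrtuv")

# Constructed sample modelled on the lines quoted in the issue (not a real capture).
SAMPLE_LOG = """\
AUTH-PAM: BACKGROUND: received command code: 0
AUTH-PAM: BACKGROUND: USER: myUID
debug: pam_yubico.c:855 (parse_cfg): ldap_bind_password=MyPassword
debug: pam_yubico.c:368 (authorize_user_token_ldap): LDAP : Checking value 1: :zzxxccvvbbnn
debug: pam_yubico.c:1096 (pam_sm_authenticate): conv returned 5 bytes
debug: pam_yubico.c:1118 (pam_sm_authenticate): OTP: myUID ID: myUID
debug: pam_yubico.c:1180 (pam_sm_authenticate): Unauthorized token for this user
debug: pam_yubico.c:1220 (pam_sm_authenticate): done. [Authentication failure]
AUTH-PAM: BACKGROUND: my_conv[0] query='YubiKey for `myUID': ' style=2
AUTH-PAM: BACKGROUND: user 'myUID' failed to authenticate: Authentication failure
"""

# Constructed healthy counterpart: echo-off prompt, a real-length modhex OTP
# (the well-known Yubico documentation example), and no bind password in the log.
HEALTHY_LOG = """\
AUTH-PAM: BACKGROUND: USER: myUID
debug: pam_yubico.c:855 (parse_cfg): ldap_bind_password=(null)
debug: pam_yubico.c:368 (authorize_user_token_ldap): LDAP : Checking value 1: :ccccccbcgujh
debug: pam_yubico.c:1118 (pam_sm_authenticate): OTP: ccccccbcgujhingjrdejhgfnuetrgigvejhhgbkugded ID: ccccccbcgujh
debug: pam_yubico.c:1220 (pam_sm_authenticate): done. [Success]
AUTH-PAM: BACKGROUND: my_conv[0] query='YubiKey for `myUID': ' style=1
"""

RE_USER = re.compile(r"AUTH-PAM: BACKGROUND: USER: (\S+)")
RE_OTP = re.compile(r"\(pam_sm_authenticate\): OTP: (\S+) ID: (\S+)")
RE_CONV = re.compile(r"my_conv\[\d+\] query='(.*)' style=(\d+)")
RE_BINDPW = re.compile(r"\(parse_cfg\): ldap_bind_password=(.*)$")
RE_TOKEN = re.compile(r"LDAP : Checking value \d+: :?(\S+)")
RE_RESULT = re.compile(r"done\. \[(.*)\]")


def parse_pam_yubico_log(text):
    """Extract the fields relevant to an OTP-vs-username mixup from pam_yubico debug output."""
    info = {"user": None, "otp": None, "otp_id": None, "prompt": None, "style": None,
            "bind_password_logged": False, "ldap_tokens": [], "result": None}
    for line in text.splitlines():
        if m := RE_USER.search(line):
            info["user"] = m.group(1)
        elif m := RE_OTP.search(line):
            info["otp"], info["otp_id"] = m.group(1), m.group(2)
        elif m := RE_CONV.search(line):
            info["prompt"], info["style"] = m.group(1), int(m.group(2))
        elif m := RE_BINDPW.search(line):
            # pam_yubico prints "(null)" when no bind password is configured.
            info["bind_password_logged"] = m.group(1) != "(null)"
        elif m := RE_TOKEN.search(line):
            info["ldap_tokens"].append(m.group(1))
        elif m := RE_RESULT.search(line):
            info["result"] = m.group(1)
    return info


def triage(info):
    """Return finding codes describing why the OTP check could not have succeeded."""
    findings = []
    otp = info["otp"]
    if otp is not None and otp == info["user"]:
        findings.append("OTP_EQUALS_USERNAME")   # the conversation handed back the login name
    if otp is not None and len(otp) < OTP_LEN:
        findings.append("OTP_TOO_SHORT")         # cannot be a 32-char YubiKey OTP
    if otp is not None and not set(otp.lower()) <= MODHEX:
        findings.append("OTP_NOT_MODHEX")        # YubiKey OTPs use only the modhex alphabet
    if info["style"] == PAM_PROMPT_ECHO_ON:
        findings.append("PROMPT_ECHO_ON")        # verbose_otp makes the prompt echo (style=2)
    if info["bind_password_logged"]:
        findings.append("BIND_PASSWORD_IN_LOG")  # debug output leaks the LDAP bind credential
    return findings


if __name__ == "__main__":
    for name, log in (("issue log", SAMPLE_LOG), ("healthy log", HEALTHY_LOG)):
        print(name, "->", triage(parse_pam_yubico_log(log)))
```

Run against a real server log with the `debug` option still enabled, the script prints the same finding codes; an empty list on an otherwise failing login means the mixup is somewhere other than the PAM conversation.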

@rains31

rains31 commented Mar 22, 2022

I have the same issue.

@KeystoneJack

I have the exact same issue!
Any workaround?

@wolf-allywilson
Author

I never revisited this unfortunately, so did not find a solution.

@KeystoneJack

Too bad!
Pinging @klali for help on this since it’s kind of a blocker.
