Integrating OpenVPN and Yubikey

Integrating Yubikey into OpenVPN is pretty straightforward. First, download the Yubico C client and PAM library. Then add these three lines to /etc/openvpn/server.conf:

plugin /usr/lib/openvpn/openvpn-auth-pam.so openvpn
client-cert-not-required
username-as-common-name

The "openvpn" is the pam module filename located in /etc/pam.d. In client.ovpn, add this line:

auth-user-pass

Now, in /etc/pam.d, create a mapping file for your users. The format of the file is:

username:publicId

Where publicId is the first 12 ASCII characters of your OTP from the Yubikey. My mapping file is called yubimap. Now create the /etc/pam.d/openvpn file containing the following lines:

auth required /usr/local/lib/security/pam_yubico.so authfile=/etc/pam.d/yubimap id=16
@include common-auth
@include common-account
@include common-session
@include common-password
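To sanity-check a yubimap before pointing pam_yubico at it, here is a small added example (not part of the original post or of pam_yubico) that parses the username:publicId format described above, rejects IDs that are not 12 modhex characters, and reproduces the local "does this key belong to this user" check by taking the first 12 characters of a 44-character OTP. It goes slightly beyond the post in accepting several IDs per user on one line (username:id1:id2), which the real authfile format allows; the sample mapping and OTP are constructed.

```python
from typing import Dict, Optional, Set

MODHEX = "cbdefghijklnrtuv"   # alphabet the Yubikey types its OTP in
PUBLIC_ID_LEN = 12           # per the post: first 12 characters of the OTP
OTP_LEN = 44                 # assumption: standard 12-char ID + 32-char token

# Constructed sample mapping file (not a real one).
YUBIMAP = """\
# comments and blank lines are ignored
alice:ccccccbtfhkl
bob:cccccccdefgh
mallory:notmodhex123
"""

def is_modhex(s: str) -> bool:
    return len(s) > 0 and all(c in MODHEX for c in s)

def parse_yubimap(text: str) -> Dict[str, Set[str]]:
    """Return {username: {publicId, ...}}; malformed IDs are dropped."""
    mapping: Dict[str, Set[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        user, _, ids = line.partition(":")
        valid = {i for i in ids.split(":")
                 if len(i) == PUBLIC_ID_LEN and is_modhex(i)}
        if user and valid:
            mapping.setdefault(user, set()).update(valid)
    return mapping

def public_id(otp: str) -> Optional[str]:
    """Public ID of a well-formed OTP, or None if it is not modhex/44 chars."""
    otp = otp.strip().lower()
    if len(otp) != OTP_LEN or not is_modhex(otp):
        return None
    return otp[:PUBLIC_ID_LEN]

def key_belongs_to_user(mapping: Dict[str, Set[str]], user: str, otp: str) -> bool:
    """Local ownership check only: the OTP itself must still be validated
    against the Yubico validation service (that is what id=16 is for)."""
    pid = public_id(otp)
    return pid is not None and pid in mapping.get(user, set())

if __name__ == "__main__":
    m = parse_yubimap(YUBIMAP)
    print(m)   # mallory is absent: her ID is not modhex
    print(key_belongs_to_user(m, "alice", "ccccccbtfhkl" + "c" * 32))
```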

That's supposed to be it. However, I ran into a problem where the PAM authentication spits out this error:

PAM [error: /lib/security/pam_yubico.so: undefined symbol: pam_set_data]
pam_authenticate FAILED for . Reason: Module is unknown
The solution for this is to modify the /etc/init.d/openvpn script and add to the beginning of the file:

export LD_PRELOAD=/lib/libpam.so.0.81.6
And that's all. The Yubikey is now required for OpenVPN authentication.

1 comment :: Integrating OpenVPN and Yubikey

  1. do you mean auth-user-pass