RFC: Yubikey authentication for OpenVPN.
Steven Haigh
2017-06-12 15:35:02 UTC
Hi all,

I have attached this script for comment to be considered for inclusion in the
contrib section of openvpn to use the Yubico Yubicloud authentication for the
Yubikey OTP.

Place the script in /etc/openvpn and configure as follows:

script-security 2
client-connect /etc/openvpn/yubikey-auth-tokens
auth-user-pass-verify /etc/openvpn/yubikey-auth-tokens via-file
client-cert-not-required
username-as-common-name

Right now, this requires 'reneg-sec 0' be set in the openvpn server config
file due to some issues in handling auth tokens in various configurations -
however hopefully when this gets fixed, it will keep the connection running
with an auth-token after the initial authentication by OTP.

Edit the yubikey-auth-tokens script and edit the %yubikeys hash with your list
of usernames and associated yubikey IDs.

Happy to receive feedback on the script, its operation, or implementation.
--
Steven Haigh

📧 ***@crc.id.au 💻 http://www.crc.id.au
📞 +61 (3) 9001 6090 📱 0412 935 897
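An added worked example of the via-file flow the post configures (my code, not the yubikey-auth-tokens script Steven attached, which is not reproduced on this page). Everything in it is an assumption for illustration: the YUBIKEYS table stands in for the %yubikeys hash, API_KEY and the FakeYubiCloud responder are constructed so the check runs offline, and the environment variable names YUBICO_CLIENT_ID / YUBICO_API_KEY are mine. The YubiCloud v2 request and response signing (HMAC-SHA1 over the sorted key=value pairs joined with '&', base64-encoded) and the verify URL follow Yubico's published validation protocol; OpenVPN's via-file layout is username on line 1 and password (here the OTP) on line 2.

```python
#!/usr/bin/env python3
"""auth-user-pass-verify (via-file) handler: username + Yubikey OTP, checked
against a username->public-ID table and then against the YubiCloud verify API."""
import base64, hashlib, hmac, os, re, secrets, sys
import urllib.parse, urllib.request

MODHEX_OTP = re.compile(r"^[cbdefghijklnrtuv]{32,48}$")  # public ID + 32-char token
VERIFY_URL = "https://api.yubico.com/wsapi/2.0/verify"

# Constructed stand-in for the %yubikeys hash: username -> allowed Yubikey public IDs.
YUBIKEYS = {
    "alice": {"ccccccbcdefg"},
    "bob": {"cccccchijkln", "ccccccrtuvcb"},
}
API_KEY = bytes(range(20))  # constructed; a real key arrives base64-encoded from Yubico

def public_id(otp):
    """Public identity prefix of an OTP (everything before the 32-char token), or None."""
    otp = otp.strip().lower()
    return otp[:-32] if MODHEX_OTP.match(otp) else None

def read_via_file(path):
    """OpenVPN's via-file layout: line 1 username, line 2 password (here the OTP)."""
    with open(path) as fh:
        lines = fh.read().splitlines()
    if len(lines) < 2:
        raise ValueError("credential file needs a username and a password line")
    return lines[0], lines[1]

def sign(fields, api_key):
    """YubiCloud v2 signature: HMAC-SHA1 over 'k=v' pairs sorted by key, joined by '&'."""
    msg = "&".join(f"{k}={fields[k]}" for k in sorted(fields)).encode()
    return base64.b64encode(hmac.new(api_key, msg, hashlib.sha1).digest()).decode()

def build_request(client_id, otp, api_key, nonce=None):
    params = {"id": client_id, "otp": otp, "nonce": nonce or secrets.token_hex(16)}
    params["h"] = sign(params, api_key)
    return params

def parse_response(body):
    fields = {}
    for line in body.splitlines():
        if "=" in line:
            k, v = line.split("=", 1)  # split once: the h value carries '=' padding
            fields[k.strip()] = v.strip()
    return fields

def response_ok(fields, api_key, otp, nonce):
    """Accept only a signed OK reply that echoes our OTP and nonce (no forged or replayed replies)."""
    expected = sign({k: v for k, v in fields.items() if k != "h"}, api_key)
    if not hmac.compare_digest(fields.get("h", ""), expected):
        return False
    return fields.get("status") == "OK" and fields.get("otp") == otp and fields.get("nonce") == nonce

def authenticate(username, otp, yubikeys, client_id, api_key, send):
    """Bind the key to the user first; only then spend a YubiCloud verification on it."""
    pid = public_id(otp)
    if pid is None or pid not in yubikeys.get(username, ()):
        return False
    req = build_request(client_id, otp, api_key)
    return response_ok(parse_response(send(req)), api_key, otp, req["nonce"])

def yubicloud_send(params):
    """Real transport: GET the signed query from YubiCloud (not used by the offline self-test)."""
    with urllib.request.urlopen(VERIFY_URL + "?" + urllib.parse.urlencode(params), timeout=10) as r:
        return r.read().decode()

class FakeYubiCloud:
    """Constructed offline stand-in: checks the request signature, refuses replayed OTPs, signs replies."""
    def __init__(self, api_key):
        self.api_key, self.seen = api_key, set()

    def __call__(self, params):
        unsigned = {k: v for k, v in params.items() if k != "h"}
        if not hmac.compare_digest(params.get("h", ""), sign(unsigned, self.api_key)):
            status = "BAD_SIGNATURE"
        elif params["otp"] in self.seen:
            status = "REPLAYED_OTP"  # every OTP is single-use; the real service does the same
        else:
            status = "OK"
        self.seen.add(params["otp"])
        fields = {"otp": params["otp"], "nonce": params["nonce"], "sl": "100", "status": status}
        fields["h"] = sign(fields, self.api_key)
        return "\r\n".join(f"{k}={v}" for k, v in fields.items()) + "\r\n"

if __name__ == "__main__":
    # OpenVPN runs: script <via-file>. Client id and API key come from assumed env var names.
    user, otp = read_via_file(sys.argv[1])
    key = base64.b64decode(os.environ["YUBICO_API_KEY"])
    ok = authenticate(user, otp, YUBIKEYS, os.environ["YUBICO_CLIENT_ID"], key, yubicloud_send)
    sys.exit(0 if ok else 1)
```

Two design points worth keeping if you adapt this: the username-to-public-ID binding is checked before anything is sent, so an attacker with someone else's key (or a junk string) cannot burn your YubiCloud quota or log in as a different user, and the reply is only trusted when its HMAC verifies and it echoes back both the OTP and the nonce of this specific request.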
Steven Haigh
2017-06-14 14:57:35 UTC
> Post by Steven Haigh
> > script-security 2
> > client-connect /etc/openvpn/yubikey-auth-tokens
> > auth-user-pass-verify /etc/openvpn/yubikey-auth-tokens via-file
> > client-cert-not-required
> > username-as-common-name
> Why the last two entries? client-cert-not-required is not something one
> should encourage users to do. Apart from that, yubikey verification may have
> to be done asynchronously (using deferred auth), else connections to all
> clients will stall during each verification which may take some time.
In my setup, I use username + OTP. I don't provide a client cert to each
client.

I wonder if I could use $ENV{'username'} in client-connect instead to make
this a little more consistent. This would remove the need for
'username-as-common-name' to be set.

How would a client cert as well as username/OTP affect this flow? Is that
expected to be verified by client-connect or another script? Or is the cert
validation done elsewhere - by openvpn in this case, I guess?
--
Steven Haigh

📧 ***@crc.id.au 💻 http://www.crc.id.au
📞 +61 (3) 9001 6090 📱 0412 935 897
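On the deferred-auth point raised in the quoted reply, an added example (mine, not from the thread or the OpenVPN project) of the wrapper pattern: the slow check runs in a forked child while the script itself exits immediately. It assumes the script-side deferred interface that OpenVPN's manual documents from 2.5 onward (the server exports auth_control_file to the auth-user-pass-verify script, exit status 2 means "result to follow", and the script later writes a single 1 or 0 to that file); older servers only offer deferral to plugins, which is why the code answers synchronously when no control file is present. The `verify` callable is whatever check you want to defer, for instance the YubiCloud round trip.

```python
#!/usr/bin/env python3
"""Deferred-auth wrapper for an auth-user-pass-verify script: run a slow check
in a child so OpenVPN's main loop is not blocked, report via auth_control_file."""
import os
import sys
import tempfile
import time

def write_control(path, ok):
    """OpenVPN reads a single '1' (accept) or '0' (reject) from auth_control_file."""
    verdict = "1" if ok else "0"
    with open(path, "w") as fh:
        fh.write(verdict)
    return verdict

def read_control(path, timeout=5.0):
    """Poll the control file until a verdict appears (mirrors what the server does)."""
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        try:
            with open(path) as fh:
                data = fh.read().strip()
            if data in ("0", "1"):
                return data
        except FileNotFoundError:
            pass
        time.sleep(0.05)
    return None

def run_auth(verify, env=None):
    """Exit code for the script: 0 accept, 1 reject, 2 result deferred to the control file."""
    env = os.environ if env is None else env
    control = env.get("auth_control_file")
    if not control:
        # No control file offered (assumed: pre-2.5 server), so answer synchronously.
        return 0 if verify() else 1
    if os.fork() != 0:
        return 2  # parent: tell OpenVPN the verdict will be written later
    verdict = False  # child: fail closed unless verification clearly succeeds
    try:
        verdict = bool(verify())
    except Exception:
        verdict = False
    finally:
        try:
            write_control(control, verdict)
        finally:
            os._exit(0)  # never fall through into the caller's code in the child

def temp_control_path():
    """Throwaway path used by the offline self-test."""
    return os.path.join(tempfile.mkdtemp(), "auth_control")

if __name__ == "__main__":
    # Replace the lambda with the real username/OTP check (e.g. the YubiCloud call).
    sys.exit(run_auth(lambda: False))
```

The child writes a verdict on every path, including exceptions, so a network failure talking to the OTP validator rejects the client instead of leaving OpenVPN waiting on a file that never appears; pair this with a timeout on the network call itself.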