Yubico-pam with openvpn auth fails time to time #178

Open
ismailyenigul opened this issue Dec 16, 2018 · 8 comments
@ismailyenigul

I am using an OpenVPN server on Ubuntu 18 and configured YubiKey OTP.

It is working fine, but one week later I can't log in to the VPN until I restart the openvpn service manually, without changing any parameter. What could be the issue?

I use MacOS with IV_GUI_VER="net.tunnelblick.tunnelblick_5180_3.7.8__build_5180)"
Here are some logs from when I got the login failure.
There are ı garbage chars in the token.

```
debug: pam_yubico.c:1096 (pam_sm_authenticate): conv returned 46 bytes
debug: pam_yubico.c:1111 (pam_sm_authenticate): Skipping first 2 bytes. Length is 46, token_id set to 12 and token OTP always 32.
debug: pam_yubico.c:1118 (pam_sm_authenticate): OTP: ccccjflıXXXnclckncnkkvırffddttbccrtugdnjbf ID: ccccjflıXXX

debug: pam_yAUTH-PAM: BACKGROUND: user 'myuser' failed to authenticate: Permission denied
Sun Dec 16 15:57:21 2018 85.107.188.161:50775 PLUGIN_CALL: POST /usr/lib/x86_64-linux-gnu/openvpn/plugins/openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
Fri Dec  7 11:54:08 2018 82.222.241.102:36131 TLS Auth Error: Auth Username/Password verification failed for peer
```

@klali
Member

klali commented Dec 18, 2018

This is not something I've heard about before. Since it happens over time it sounds like a corruption happening somewhere in your pam stack, could be yubico-pam and it could be something else. What version of yubico-pam are you running?

@ismailyenigul
Author

Hi,
I am using yubico-pam 2.26.
It seems I have two different issues.

  1. The YubiKey creates a token with Turkish chars if I use the keyboard with the Turkish Q input source.
    It generates "ı" instead of "i". It works when I change to the US keyboard.

  2. We still get login failure errors around every week. Not only me, but all VPN users can't log in until I restart the openvpn service.
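
The byte counts in the debug log above follow from the layout problem in item 1: "ı" (U+0131) is two bytes in UTF-8, so a 44-character OTP containing two of them arrives as 46 bytes, and the first 2 bytes are skipped to leave 12 + 32. The C sketch below is an added example, not part of this thread and not code from pam_yubico; `diagnose_otp`, `struct otp_diag` and both sample strings are hypothetical and constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define TOKEN_OTP_LEN 32   /* "token OTP always 32" in the debug log */
static const char MODHEX[] = "cbdefghijklnrtuv";

/* Constructed samples (not real OTPs): 12-char ID + 32-char OTP. */
static const char SAMPLE_US[] = "ccccccbdefgh" "ijklnrtuvcbdefgh" "ijklnrtuvcbdefgh";
/* Same keystrokes under Turkish Q: each 'i' arrives as U+0131, UTF-8 C4 B1. */
static const char SAMPLE_TR[] = "ccccccbdefgh" "\xc4\xb1" "jklnrtuvcbdefgh"
                                "\xc4\xb1" "jklnrtuvcbdefgh";

struct otp_diag {
    size_t byte_len;    /* bytes returned by the PAM conversation */
    size_t skipped;     /* leading bytes dropped to leave id_len + 32 */
    size_t non_modhex;  /* bytes of the remaining token outside the modhex set */
    size_t dotless_i;   /* U+0131 sequences anywhere in the response */
};

/* Returns 0 if the token part is clean modhex, 1 if not, -1 if too short. */
int diagnose_otp(const char *resp, size_t id_len, struct otp_diag *d)
{
    size_t want = id_len + TOKEN_OTP_LEN, i;
    memset(d, 0, sizeof *d);
    d->byte_len = strlen(resp);
    if (d->byte_len < want)
        return -1;
    d->skipped = d->byte_len - want;   /* 46 - (12 + 32) = 2 in the log */
    for (i = 0; i + 1 < d->byte_len; i++)
        if ((unsigned char)resp[i] == 0xC4 && (unsigned char)resp[i + 1] == 0xB1)
            d->dotless_i++;
    for (i = d->skipped; i < d->byte_len; i++)
        if (strchr(MODHEX, resp[i]) == NULL)
            d->non_modhex++;
    return d->non_modhex ? 1 : 0;
}

int main(void)
{
    const char *samples[] = { SAMPLE_US, SAMPLE_TR };
    for (int k = 0; k < 2; k++) {
        struct otp_diag d;
        int rc = diagnose_otp(samples[k], 12, &d);
        printf("rc=%d bytes=%zu skipped=%zu non_modhex=%zu dotless_i=%zu\n",
               rc, d.byte_len, d.skipped, d.non_modhex, d.dotless_i);
    }
    return 0;
}
```

A response with a genuine 2-byte prefix in front of a clean OTP also measures 46 bytes, so the length alone does not separate the two cases; the non-modhex count does.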

@klali
Member

klali commented Dec 18, 2018

> 1. The YubiKey creates a token with Turkish chars if I use the keyboard with the Turkish Q input source.
>    It generates "ı" instead of "i". It works when I change to the US keyboard.

Yes, this happens with the Turkish layout, we have some documentation around how to deal with that using yubikey-personalization at https://developers.yubico.com/yubikey-personalization/Manuals/ykpersonalize.1.html (see the note about the scanmap feature).

> 2. We still get login failure errors around every week. Not only me, but all VPN users can't log in until I restart the openvpn service.

Can you share a debug log of when this happens?

@ismailyenigul
Author

Sure. I will share when it happens again.
Thanks

@ismailyenigul
Author

Hi @klali

I am reading https://developers.yubico.com/yubikey-personalization/Manuals/ykpersonalize.1.html but could not figure out what I should do to have i instead of ı in YubiKey tokens for the Turkish layout.

@klali
Member

klali commented Sep 10, 2020

If you have a reasonably recent YubiKey (newer than 2), you can run:

$ ykpersonalize -S06050708090a0b340d0e0f111517181986858788898a8b8c8d8e8f9195979899271e1f202122232425269e2b28

@ismailyenigul
Author

Thanks @klali, it helped a lot.

@ismailyenigul
Author

Btw, this site https://www.yubico.com/products/services-software/download/yubikey-personalization-tools/ recommends using YubiKey Manager, but it seems it does not ship with ykpersonalize.
