
OpenVPN authentication requiring Unix account #183

Open
syutbai opened this issue Jan 31, 2019 · 2 comments

Comments


syutbai commented Jan 31, 2019

Hi,

We ran into this issue after we upgraded our OpenVPN server OS to Ubuntu 18.04. The OpenVPN client kept reporting "Wrong credentials" even though the credentials were correct and the OTP process succeeded.

We saw in the pam_yubico.log that the process completed successfully; however, OpenVPN reported the following indicating the plugin failed:

AUTH-PAM: BACKGROUND: user 'pek' failed to authenticate: Authentication service cannot retrieve authentication info

PLUGIN_CALL: POST /usr/lib/x86_64-linux-gnu/openvpn/plugins/openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1

The root cause turned out to be the /etc/pam.d/openvpn file did not have the "account" section, so the default was being used from /etc/pam.d/common-account (which requires Unix login). We added the account line in the /etc/pam.d/openvpn file and it works now:

account required  pam_yubico.so

When troubleshooting the PAM configuration, I tried to use the following documentation but just got more confused by it: https://developers.yubico.com/yubico-pam/YubiKey_and_OpenVPN_via_PAM.html .

Cheers,
syutbai

Contributor

kbabioch commented Feb 8, 2019

Not sure if I understand this issue correctly, but what do you want us to do here? Is it about updating the documentation, or should something else be changed? Configuration of the PAM stack can be somewhat tedious, but the general approach is outlined in the documentation. The specifics will be different for each distribution (and version thereof) and I don't think that Yubico is willing/able to provide very specific instructions for each distribution and keep it up to date.

Author

syutbai commented Feb 8, 2019

Hi,

First, I must amend my previous comment about the 18.04 upgrade: since the system stopped working around the same time as the upgrade, I conflated the two events; but, in reality, there's not likely a cause-effect relationship. I double-checked the Ubuntu 16.04 configuration and it looks like /etc/pam.d/common-account is the same as on 18.04.

I also double-checked my configs, and as documented in #174 (comment), I had at one point used the account configuration for testing. It was removed later at some point - I don't remember when, but I do remember why: for simplicity, if the PAM configuration works for auth, without account, then I simply do not include account. I had forgotten that I created a unix account for initial testing of the configs and that's how the unix user worked (but worked for it only).

For simplicity, we wanted a minimal PAM configuration. Our server's scope is just OpenVPN authentication via LDAP and Yubikey OTP. For a minimal PAM config, would you agree it would be appropriate to recommend the following:

auth    required     pam_yubico.so <parameters: ie, id=2...>
account required pam_yubico.so

If possible, we would like to help improve the docs for the benefit of the community. I opened this ticket primarily because I found it to be the best place to document our findings (and possibly be helpful for someone else).

Cheers,
syutbai
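As an added illustration (not code from this issue or from the yubico-pam project), a small Python checker that parses a pam.d service file, follows `@include` and `<group> include` lines, and reports which management groups fall through to /etc/pam.d/other. It assumes the Linux-PAM behaviour that a group with no lines in the service file uses the 'other' stack, and the Debian/Ubuntu layout where 'other' includes the common-* files; the sample file contents are constructed, not copied from any real host.

```python
"""Report which PAM groups a pam.d service file leaves to /etc/pam.d/other.

Linux-PAM stacks auth, account, password and session separately; a group
with no line in the service file takes its stack from 'other', which on
Debian/Ubuntu @includes common-<group>. So an openvpn file with only 'auth'
lines silently inherits common-account, where pam_unix.so wants a Unix user.
"""
GROUPS = ("auth", "account", "password", "session")

def parse_pam_service(text, includes=None):
    """Return {group: [module, ...]}; `includes` maps file name -> text so
    '@include <file>' and '<group> include <file>' resolve offline."""
    includes = includes or {}
    stacks = {g: [] for g in GROUPS}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        if fields[0] == "@include":               # whole-file include
            for g, mods in parse_pam_service(includes.get(fields[1], ""), includes).items():
                stacks[g].extend(mods)
            continue
        group = fields[0].lstrip("-")             # '-auth' marks an optional module
        if group not in GROUPS or len(fields) < 3:
            continue
        if fields[1] in ("include", "substack"):  # per-group include
            stacks[group] += parse_pam_service(includes.get(fields[2], ""), includes)[group]
        else:
            stacks[group].append(fields[2])       # fields[1] is the control flag
    return stacks

def effective_stacks(service_text, other_text, includes=None):
    """Apply the fallback: each group missing from the service file uses the
    'other' stack. Returns (stacks, groups_inherited_from_other)."""
    own = parse_pam_service(service_text, includes)
    other = parse_pam_service(other_text, includes)
    inherited = [g for g in GROUPS if not own[g]]
    return {g: own[g] or other[g] for g in GROUPS}, inherited

# Constructed sample files mirroring the Debian/Ubuntu layout from the issue.
OPENVPN_BROKEN = "auth    required    pam_yubico.so id=2\n"
OPENVPN_FIXED = OPENVPN_BROKEN + "account required    pam_yubico.so\n"
OTHER = "".join(f"@include common-{g}\n" for g in GROUPS)
COMMON = {f"common-{g}": f"{g} required pam_unix.so\n" for g in GROUPS}

def unix_account_required(service_text):
    """(is pam_unix.so in the effective account stack?, groups left to 'other')"""
    stacks, inherited = effective_stacks(service_text, OTHER, COMMON)
    return "pam_unix.so" in stacks["account"], inherited
```

Run against a real host by reading /etc/pam.d/openvpn, /etc/pam.d/other and the common-* files into the same structures; any group listed as inherited is one the service file does not control.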
