This repository has been archived by the owner on Feb 20, 2025. It is now read-only.

OpenVPN + LDAP + Yubico #229

Open
wolf-allywilson opened this issue Jul 16, 2021 · 4 comments

Comments

@wolf-allywilson

I can get OpenVPN working with pam_ldap fine. I can also get it working with pam_yubico using a local auth file fine. I can't seem to get it working with pam_yubico and the LDAP settings though.

Here is my /etc/pam.d/openvpn:

auth required pam_yubico.so verbose_otp debug id=16 ldap_uri=ldap://my.ldap.server yubi_attr=pager ldapdn=DC=my,DC=domain ldap_filter=(uid=%u) [ldap_bind_user=cn=My User,ou=people,dc=my,dc=domain] ldap_bind_password=MyPassword
account required pam_yubico.so

I know it performs an LDAP bind and returns a user with the required attribute as I can see it in tcpdump.

I have my OpenVPN client configured to ask for the OTP using static-challenge, so the authentication request is:
Username prompt
LDAP Password prompt
OTP prompt

Looking at the examples I've found online (for SSH for example), it seems I should just use:
Username prompt
LDAP Password + OTP prompt (i.e. type password and put in OTP in the same field)

I've tried that, and get the same issue unfortunately.

Here's the output from my openvpn server log:

Fri Jul 16 08:37:34 2021 us=1298 MULTI: multi_create_instance called
Fri Jul 16 08:37:34 2021 us=1375 Re-using SSL/TLS context
Fri Jul 16 08:37:34 2021 us=1403 LZO compression initializing
Fri Jul 16 08:37:34 2021 us=1541 Control Channel MTU parms [ L:1624 D:1210 EF:40 EB:0 ET:0 EL:3 ]
Fri Jul 16 08:37:34 2021 us=1560 Data Channel MTU parms [ L:1624 D:1450 EF:124 EB:406 ET:0 EL:3 ]
Fri Jul 16 08:37:34 2021 us=1625 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1604,tun-mtu 1500,proto TCPv4_SERVER,comp-lzo,cipher AES-256-CBC,auth SHA512,keysize 256,key-method 2,tls-server'
Fri Jul 16 08:37:34 2021 us=1637 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1604,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,cipher AES-256-CBC,auth SHA512,keysize 256,key-method 2,tls-client'
Fri Jul 16 08:37:34 2021 us=1680 TCP connection established with [AF_INET]172.27.202.17:58464
Fri Jul 16 08:37:34 2021 us=1694 TCPv4_SERVER link local: (not bound)
Fri Jul 16 08:37:34 2021 us=1700 TCPv4_SERVER link remote: [AF_INET]172.27.202.17:58464
Fri Jul 16 08:37:34 2021 us=984976 172.27.202.17:58464 TLS: Initial packet from [AF_INET]172.27.202.17:58464, sid=dc3c3bf6 53ba8323
Fri Jul 16 08:37:35 2021 us=202703 172.27.202.17:58464 peer info: IV_VER=2.4.11
Fri Jul 16 08:37:35 2021 us=202765 172.27.202.17:58464 peer info: IV_PLAT=mac
Fri Jul 16 08:37:35 2021 us=202772 172.27.202.17:58464 peer info: IV_PROTO=2
Fri Jul 16 08:37:35 2021 us=202778 172.27.202.17:58464 peer info: IV_NCP=2
Fri Jul 16 08:37:35 2021 us=202783 172.27.202.17:58464 peer info: IV_CIPHERS=AES-256-GCM:AES-128-GCM:AES-256-CBC
Fri Jul 16 08:37:35 2021 us=202787 172.27.202.17:58464 peer info: IV_LZ4=1
Fri Jul 16 08:37:35 2021 us=202791 172.27.202.17:58464 peer info: IV_LZ4v2=1
Fri Jul 16 08:37:35 2021 us=202796 172.27.202.17:58464 peer info: IV_LZO=1
Fri Jul 16 08:37:35 2021 us=202801 172.27.202.17:58464 peer info: IV_COMP_STUB=1
Fri Jul 16 08:37:35 2021 us=202811 172.27.202.17:58464 peer info: IV_COMP_STUBv2=1
Fri Jul 16 08:37:35 2021 us=202816 172.27.202.17:58464 peer info: IV_TCPNL=1
Fri Jul 16 08:37:35 2021 us=202821 172.27.202.17:58464 peer info: IV_GUI_VER="net.tunnelblick.tunnelblick_5671_3.8.5a__build_5671)"
AUTH-PAM: BACKGROUND: received command code: 0
AUTH-PAM: BACKGROUND: USER: myUID
debug: pam_yubico.c:838 (parse_cfg): called.
debug: pam_yubico.c:839 (parse_cfg): flags 0 argc 9
debug: pam_yubico.c:841 (parse_cfg): argv[0]=verbose_otp
debug: pam_yubico.c:841 (parse_cfg): argv[1]=debug
debug: pam_yubico.c:841 (parse_cfg): argv[2]=id=16
debug: pam_yubico.c:841 (parse_cfg): argv[3]=ldap_uri=ldap://my.ldap.server
debug: pam_yubico.c:841 (parse_cfg): argv[4]=yubi_attr=pager
debug: pam_yubico.c:841 (parse_cfg): argv[5]=ldapdn=DC=my,DC=domain
debug: pam_yubico.c:841 (parse_cfg): argv[6]=ldap_filter=(uid=%u)
debug: pam_yubico.c:841 (parse_cfg): argv[7]=ldap_bind_user=cn=My User,ou=people,DC=my,DC=domain
debug: pam_yubico.c:841 (parse_cfg): argv[8]=ldap_bind_password=MyPassword
debug: pam_yubico.c:842 (parse_cfg): id=16
debug: pam_yubico.c:843 (parse_cfg): key=(null)
debug: pam_yubico.c:844 (parse_cfg): debug=1
debug: pam_yubico.c:845 (parse_cfg): debug_file=1
debug: pam_yubico.c:846 (parse_cfg): alwaysok=0
debug: pam_yubico.c:847 (parse_cfg): verbose_otp=1
debug: pam_yubico.c:848 (parse_cfg): try_first_pass=0
debug: pam_yubico.c:849 (parse_cfg): use_first_pass=0
debug: pam_yubico.c:850 (parse_cfg): nullok=0
debug: pam_yubico.c:851 (parse_cfg): authfile=(null)
debug: pam_yubico.c:852 (parse_cfg): ldapserver=(null)
debug: pam_yubico.c:853 (parse_cfg): ldap_uri=ldap://my.ldap.server
debug: pam_yubico.c:854 (parse_cfg): ldap_bind_user=cn=My User,ou=people,DC=my,DC=domain
debug: pam_yubico.c:855 (parse_cfg): ldap_bind_password=MyPassword
debug: pam_yubico.c:856 (parse_cfg): ldap_filter=(uid=%u)
debug: pam_yubico.c:857 (parse_cfg): ldap_cacertfile=(null)
debug: pam_yubico.c:858 (parse_cfg): ldapdn=DC=my,DC=domain
debug: pam_yubico.c:859 (parse_cfg): user_attr=(null)
debug: pam_yubico.c:860 (parse_cfg): yubi_attr=pager
debug: pam_yubico.c:861 (parse_cfg): yubi_attr_prefix=(null)
debug: pam_yubico.c:862 (parse_cfg): url=(null)
debug: pam_yubico.c:863 (parse_cfg): urllist=(null)
debug: pam_yubico.c:864 (parse_cfg): capath=(null)
debug: pam_yubico.c:865 (parse_cfg): cainfo=(null)
debug: pam_yubico.c:866 (parse_cfg): proxy=(null)
debug: pam_yubico.c:867 (parse_cfg): token_id_length=12
debug: pam_yubico.c:868 (parse_cfg): mode=client
debug: pam_yubico.c:869 (parse_cfg): chalresp_path=(null)
debug: pam_yubico.c:899 (pam_sm_authenticate): pam_yubico version: 2.26
debug: pam_yubico.c:914 (pam_sm_authenticate): get user returned: myUID
debug: pam_yubico.c:252 (authorize_user_token_ldap): called
debug: pam_yubico.c:291 (authorize_user_token_ldap): try bind with: cn=My User,ou=people,DC=my,DC=domain:[MyPassword]
debug: pam_yubico.c:322 (authorize_user_token_ldap): LDAP : look up object base='DC=my,DC=domain' filter='(uid=myUID)', ask for attribute 'pager'
debug: pam_yubico.c:360 (authorize_user_token_ldap): LDAP : Found 1 values for pager - checking if any of them match ':(null)'
debug: pam_yubico.c:368 (authorize_user_token_ldap): LDAP : Checking value 1: :zzxxccvvbbnn
debug: pam_yubico.c:1034 (pam_sm_authenticate): Tokens found for user
debug: pam_yubico.c:1096 (pam_sm_authenticate): conv returned 7 bytes
debug: pam_yubico.c:1111 (pam_sm_authenticate): Skipping first 0 bytes. Length is 7, token_id set to 12 and token OTP always 32.
debug: pam_yubico.c:1118 (pam_sm_authenticate): OTP: myUID ID: myUID
debug: pam_yubico.c:252 (authorize_user_token_ldap): called
debug: pam_yubico.c:291 (authorize_user_token_ldap): try bind with: cn=My User,ou=people,DC=my,DC=domain:[MyPassword]
debug: pam_yubico.c:322 (authorize_user_token_ldap): LDAP : look up object base='DC=my,DC=domain' filter='(uid=myUID)', ask for attribute 'pager'
debug: pam_yubico.c:360 (authorize_user_token_ldap): LDAP : Found 1 values for pager - checking if any of them match ':myUID'
debug: pam_yubico.c:368 (authorize_user_token_ldap): LDAP : Checking value 1: :zzxxccvvbbnn
debug: pam_yubico.c:1180 (pam_sm_authenticate): Unauthorized token for this user
debug: pam_yubico.c:1220 (pam_sm_authenticate): done. [Authentication failure]
debug: pam_yubico.c:838 (parse_cfg): called.
debug: pam_yubico.c:83AUTH-PAM: BACKGROUND: my_conv[0] query='YubiKey for `myUID': ' style=2
AUTH-PAM: BACKGROUND: user 'myUID' failed to authenticate: Authentication failure
Fri Jul 16 08:37:35 2021 us=216105 172.27.202.17:58464 PLUGIN_CALL: POST /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
Fri Jul 16 08:37:35 2021 us=216133 172.27.202.17:58464 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so
Fri Jul 16 08:37:35 2021 us=216180 172.27.202.17:58464 TLS Auth Error: Auth Username/Password verification failed for peer
Fri Jul 16 08:37:35 2021 us=240859 172.27.202.17:58464 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384
Fri Jul 16 08:37:35 2021 us=240923 172.27.202.17:58464 Peer Connection Initiated with [AF_INET]172.27.202.17:58464
Fri Jul 16 08:37:36 2021 us=444737 172.27.202.17:58464 PUSH: Received control message: 'PUSH_REQUEST'
Fri Jul 16 08:37:36 2021 us=444792 172.27.202.17:58464 Delayed exit in 5 seconds
Fri Jul 16 08:37:36 2021 us=444803 172.27.202.17:58464 SENT CONTROL [UNDEF]: 'AUTH_FAILED' (status=1)
Fri Jul 16 08:37:36 2021 us=499874 172.27.202.17:58464 Connection reset, restarting [0]
Fri Jul 16 08:37:36 2021 us=499940 172.27.202.17:58464 SIGUSR1[soft,connection-reset] received, client-instance restarting
Fri Jul 16 08:37:36 2021 us=499998 TCP/UDP: Closing socket

I believe the issue is identified here:

debug: pam_yubico.c:1118 (pam_sm_authenticate): OTP: myUID ID: myUID

Something is making it use my username as the OTP?

pam_yubico version: 2.26
OS: Amazon Linux 2 (4.14.232-177.418.amzn2.aarch64)
LDAP: OpenLDAP 2.x
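The two log lines that matter here are `my_conv[0] query='YubiKey for `myUID': ' style=2` and `OTP: myUID ID: myUID`. The following is an added model of that exchange, written for this page; it is not code from the OpenVPN auth-pam plugin or from pam_yubico. It assumes the documented behaviour of openvpn-plugin-auth-pam: when the plugin line carries no name/value list, a PAM_PROMPT_ECHO_OFF prompt is answered with the password field and a PAM_PROMPT_ECHO_ON prompt (style 2, which is what `verbose_otp` asks for) is answered with the username; when a list such as `"openvpn login USERNAME password PASSWORD"` is given, each prompt is prefix-matched case-insensitively against the names and an unmatched prompt is a conversation error. It also assumes the split pam_yubico logs above ("Skipping first 0 bytes. Length is 7, token_id set to 12 and token OTP always 32"): the last token_id_length + 32 characters of the reply are the OTP, its first token_id_length characters are the public ID checked against the LDAP attribute. The function names, the `hunter2` password, the sample OTP and the name/value lists are all invented here; the model takes the single-field "password followed by OTP" form the post mentions trying and does not cover the encoded field that static-challenge produces.

```python
# Constructed model, written for this page; it is not the source of the
# OpenVPN auth-pam plugin or of pam_yubico.  Assumed behaviour (see lead-in):
#   * auth-pam without a name/value list answers PAM_PROMPT_ECHO_OFF with the
#     password field and PAM_PROMPT_ECHO_ON with the username; with a list it
#     prefix-matches each prompt (case-insensitively, leading punctuation
#     skipped) against the names and returns the mapped value, else conv error.
#   * pam_yubico treats the last token_id_length + 32 characters of the reply
#     as the OTP, the first token_id_length of those as the public token ID,
#     and authorizes the ID only if it equals one of the LDAP attribute values.
# Function names and sample values are invented here.

PAM_PROMPT_ECHO_OFF = 1
PAM_PROMPT_ECHO_ON = 2          # "style=2" in the log line above

TOKEN_OTP_LEN = 32              # "token OTP always 32"
TOKEN_ID_LEN = 12               # "token_id_length=12"

YUBI_PROMPT = "YubiKey for `myUID': "   # prompt pam_yubico shows with verbose_otp
LDAP_PAGER_VALUES = ["zzxxccvvbbnn"]    # constructed; mirrors "Checking value 1"


def pam_conv_response(prompt, style, username, password, name_value_list=None):
    """What the plugin hands back for one PAM prompt, or None for PAM_CONV_ERR."""
    if name_value_list:
        q = prompt
        while q and not q[0].isalnum():      # skip leading punctuation/space
            q = q[1:]
        for name, value in name_value_list:
            if q[:len(name)].lower() == name.lower():
                return value.replace("USERNAME", username).replace("PASSWORD", password)
        return None                          # no entry matched: conversation error
    if style == PAM_PROMPT_ECHO_OFF:         # hint method: echo-off -> password field
        return password
    if style == PAM_PROMPT_ECHO_ON:          # hint method: echo-on -> username
        return username
    return None


def split_otp(reply, token_id_len=TOKEN_ID_LEN):
    """Split a 'password followed by OTP' reply the way pam_yubico does.

    Returns (password_part, otp, token_id).  A reply shorter than a full OTP
    skips 0 bytes, so the whole reply is taken as the OTP (the log's case).
    """
    skip = max(len(reply) - (token_id_len + TOKEN_OTP_LEN), 0)
    otp = reply[skip:]
    return reply[:skip], otp, otp[:token_id_len]


def authorize_token(token_id, ldap_values, prefix=""):
    """True only if prefix+token_id equals one of the values of yubi_attr."""
    return any(value == prefix + token_id for value in ldap_values)


def scenario(username, password_field, verbose_otp, name_value_list=None):
    """Run one login through the model: (reply, token_id, authorized)."""
    style = PAM_PROMPT_ECHO_ON if verbose_otp else PAM_PROMPT_ECHO_OFF
    reply = pam_conv_response(YUBI_PROMPT, style, username, password_field,
                              name_value_list)
    if reply is None:
        return ("PAM_CONV_ERR", None, False)
    _, _, token_id = split_otp(reply)
    return (reply, token_id, authorize_token(token_id, LDAP_PAGER_VALUES))


# Constructed sample input: LDAP password followed by a 44-character OTP
# whose public ID is the value stored in the user's 'pager' attribute.
SAMPLE_OTP = "zzxxccvvbbnn" + "c" * TOKEN_OTP_LEN
SAMPLE_FIELD = "hunter2" + SAMPLE_OTP


if __name__ == "__main__":
    # 1. As configured in the issue: verbose_otp, no name/value list.
    print(scenario("myUID", SAMPLE_FIELD, verbose_otp=True))
    # 2. Same plugin line, verbose_otp dropped: echo-off prompt gets the field.
    print(scenario("myUID", SAMPLE_FIELD, verbose_otp=False))
    # 3. A typical name/value list that knows nothing about the YubiKey prompt.
    print(scenario("myUID", SAMPLE_FIELD, True,
                   [("login", "USERNAME"), ("password", "PASSWORD")]))
    # 4. The same list extended with an entry for the YubiKey prompt.
    print(scenario("myUID", SAMPLE_FIELD, True,
                   [("login", "USERNAME"), ("password", "PASSWORD"),
                    ("yubikey", "PASSWORD")]))
```

Case 1 reproduces the log: the echo-on prompt is answered with the username, the 5-character reply is too short to skip anything, so the username becomes both OTP and token ID and never matches the `pager` value. Cases 2 and 4 show the two ways the reply can carry the real field instead: an echo-off prompt under the hint method, or a name/value entry whose name is a prefix of the YubiKey prompt. Case 3 shows that a list without such an entry fails earlier, at the conversation, rather than at the token check. The list in cases 3 and 4 is what the `plugin openvpn-plugin-auth-pam.so "..."` line in the server config carries, so this is a server-side change, not a pam.d change.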

@rains31

rains31 commented Mar 22, 2022

I have the same issue.

@KeystoneJack

I have the exact same issue!
Any workaround?

@wolf-allywilson
Author

I never revisited this unfortunately, so did not find a solution.

@KeystoneJack

Too bad!
Pinging @klali for help on this since it’s kind of a blocker.
