== Introduction
The purpose of this document is to guide readers through the configuration steps needed to use two-factor authentication for OpenVPN with a YubiKey. It assumes that the reader has advanced knowledge of and experience in Linux system administration, in particular how PAM authentication is configured on a Linux platform.
== Prerequisites
Successful configuration of the Yubico PAM module to support two factor authentication for OpenVPN has the following prerequisites:
Operating System::
Any Unix operating system which supports
http://www.kernel.org/pub/linux/libs/pam[PAM] (Pluggable Authentication Modules)
Compiler:: http://gcc.gnu.org[GNU GCC compiler]
https://developers.yubico.com/yubico-pam[Yubico PAM Module]:: Version 1.8
http://openvpn.net/index.php/downloads.html[OpenVPN]:: Version 2.0.9.
http://freeradius.org/download.html[FreeRADIUS]:: Version 1.1.7 or later (only for the configuration with FreeRADIUS support).
Pam_Radius:: ftp://ftp.freeradius.org/pub/radius/pam_radius-1.3.17.tar.gz[Version 1.3.17] (only for the configuration with FreeRADIUS support).
== Configuration
There are two ways OpenVPN can be configured to support two factor authentication with YubiKey.
=== OpenVPN Configuration without FreeRADIUS support:
In this mode of configuration, the OpenVPN server authenticates users by
verifying the username and the user's password against the system password
database (`/etc/passwd` and `/etc/shadow`, through the distribution's PAM
stack) and verifying the OTP (one-time password generated by the YubiKey)
against Yubico's OTP validation server. The client sends a single password
string consisting of the system password immediately followed by the OTP;
pam_yubico strips the OTP off the end before the remaining PAM modules see
the password.
We assume that OpenVPN server is already installed on the server.
==== Configuration of OpenVPN server to support PAM authentication:
* Edit the OpenVPN server configuration file `/etc/openvpn/server.conf`
and add the following three lines to enable PAM-based username and
password authentication:
------
plugin <absolute path of openvpn-auth-pam.so> <PAM service name for OpenVPN>
client-cert-not-required
username-as-common-name
------
(for example: `plugin /usr/lib/openvpn/plugin/lib/openvpn-auth-pam.so openvpn`)

The PAM service name is the name of the file under `/etc/pam.d/` that the
plugin will use. Note that `client-cert-not-required` disables client
certificate checking, so the password plus OTP becomes the only credential
protecting the tunnel; if you already issue client certificates you can omit
this line and use PAM as an additional factor on top of them. The directive
was deprecated in OpenVPN 2.4 and removed in 2.5, where `verify-client-cert none`
replaces it.
* Edit the OpenVPN client configuration file `/etc/openvpn/client.conf` and
add the following line so that the OpenVPN client prompts for a username and
password:
------
auth-user-pass
------
==== Installation of pam_yubico module:
Build instructions for pam_yubico are available in its README.
==== Configuration of pam_yubico module:
There are two ways of mapping users to YubiKey public IDs (token IDs):
the mapping can be maintained at the administrative level or at the
individual user level.
===== Administrative Level
At the administrative level, system administrators hold the right to
configure the mapping between users and YubiKey public IDs. They do
this by creating a new file that lists each username together with the
public IDs of the YubiKey(s) assigned to that user. Only users listed in
this file, presenting an OTP from one of their listed keys, can
authenticate to OpenVPN through pam_yubico.
A user can be assigned multiple YubiKeys, and this multi-key mapping is
supported by the file. However, there is presently no logic to detect
or prevent the same YubiKey ID being assigned to multiple users, so
check for this yourself when editing the file.
Each record in the file begins on a new line. The fields of a record
are separated by the `:` character, similar to `/etc/passwd`.
The contents of this file are as follows:
------
<user name>:<YubiKey PublicID>:<YubiKey PublicID>:...
<user name>:<YubiKey PublicID>:<YubiKey PublicID>:...
------
e.g.:
------
paul:indvnvlcbdre:ldvglinuddek
simon:uturrufnjder:hjturefjtehv
kurt:ertbhunjimko
------
The mapping file must be created manually, and kept current, before
pam_yubico is configured for OpenVPN authentication. Since it decides
which token may log in as which user, it should be owned by root and
not writable by ordinary users.
====== Configuration of pam_yubico.so at the administrative level:
Add the following line at the beginning of the `/etc/pam.d/openvpn` file
(the PAM service named in the `plugin` directive of `server.conf`):
------
auth required pam_yubico.so id=16 debug authfile=/path/to/mapping/file
------
After the above configuration changes, whenever a user connects to the
OpenVPN server, the PAM authentication interface passes control to the
Yubico PAM module.
The Yubico PAM module first checks for the `authfile` argument in the PAM
configuration. If `authfile` is present, it parses the mapping file and
checks that the public ID at the start of the supplied OTP is one of those
configured for the username. If so, the module extracts the OTP string from
the end of the password and sends it to the Yubico validation server;
otherwise it reports failure. If `authfile` is present but no file exists at
the given path, the module also reports failure.
After the Yubico validation server confirms the OTP, the module returns a
success code and hands the remaining password (with the OTP removed) to the
next module in the stack through the PAM authentication token. The `id`
argument is the API client ID for the validation service; the module also
accepts a matching `key=` argument with which it signs requests and verifies
response signatures. Remove `debug` once the setup works, as it writes
authentication details to the system log.
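As an added example (not code from pam_yubico, Yubico or this document's authors), the following Python script models the local half of the check described above: it parses an administrative mapping file in the format shown earlier, flags public IDs shared between users (the check the text says pam_yubico does not perform), and splits a `password+OTP` string as typed at the OpenVPN prompt into the system password and the OTP before matching the OTP's public ID against the user's keys. It assumes the default token layout (12-character public ID, 44-character OTP) and that public IDs use the modhex alphabet `cbdefghijklnrtuv`, so it would reject an entry such as `ertbhunjimko` in the example above, which contains letters a YubiKey never emits. The sample file and the OTP are constructed for illustration; validating the OTP itself still requires the Yubico validation server.

```python
"""Offline model of pam_yubico's authfile handling.

Added example for this document; not code from pam_yubico or Yubico.
Assumes the default token layout (12-char modhex public ID followed by a
32-char encrypted part, 44 chars in all) and the 'user:id:id' authfile
format. It does not contact the validation server.
"""
from collections import defaultdict

MODHEX = set("cbdefghijklnrtuv")   # the YubiKey modhex alphabet
PUBLIC_ID_LEN = 12                  # pam_yubico default token_id_length
OTP_LEN = 44                        # public ID + 32-char encrypted part

# Constructed sample authfile (not from a real deployment). "alice"
# deliberately reuses kurt's public ID to exercise the duplicate check.
SAMPLE_AUTHFILE = """\
paul:indvnvlcbdre:ldvglinuddek
simon:uturrufnjder:hjturefjtehv
kurt:cbdefghijkln
alice:cbdefghijkln
"""

# Constructed password+OTP string as typed at the OpenVPN password prompt:
# system password "s3cret!" immediately followed by a 44-char OTP whose
# public ID belongs to paul. The OTP body is made up and would not
# validate online.
SAMPLE_AUTHTOK = "s3cret!" + "indvnvlcbdre" + "ccbbddeeffgghhiijjkkllnnrrttuuvv"


def is_modhex(s, length):
    """True if s has exactly `length` characters, all from the modhex alphabet."""
    return len(s) == length and not (set(s) - MODHEX)


def parse_authfile(text):
    """Parse 'user:pubid:pubid...' lines into {user: [pubids]}.

    Raises ValueError on a malformed record: a pre-deployment lint should
    fail loudly rather than silently lock a user out.
    """
    mapping = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        user, *ids = line.split(":")
        ids = [i for i in ids if i]           # tolerate a trailing ':'
        if not user or not ids:
            raise ValueError(f"line {lineno}: need a user and at least one public ID")
        for pid in ids:
            if not is_modhex(pid, PUBLIC_ID_LEN):
                raise ValueError(f"line {lineno}: {pid!r} is not a 12-char modhex public ID")
        mapping.setdefault(user, []).extend(ids)
    return mapping


def authfile_error(text):
    """Return the first problem in an authfile as a string, or None if it parses."""
    try:
        parse_authfile(text)
    except ValueError as e:
        return str(e)
    return None


def shared_ids(mapping):
    """Public IDs assigned to more than one user -> {pubid: [users]}."""
    owners = defaultdict(set)
    for user, ids in mapping.items():
        for pid in ids:
            owners[pid].add(user)
    return {pid: sorted(users) for pid, users in owners.items() if len(users) > 1}


def split_password_otp(authtok):
    """Split 'password+OTP' into (password, otp), or None if no OTP is present.

    The OTP is always the trailing 44 modhex characters; the password may
    itself contain modhex letters, so the split is by length from the end,
    not by searching for a modhex run.
    """
    if len(authtok) < OTP_LEN:
        return None
    otp = authtok[-OTP_LEN:]
    if not is_modhex(otp, OTP_LEN):
        return None
    return authtok[:-OTP_LEN], otp


def check_user_otp(mapping, user, authtok):
    """Local half of the pam_yubico check: (password, public_id) if the OTP's
    public ID is one of the user's mapped keys, else None."""
    parts = split_password_otp(authtok)
    if parts is None:
        return None
    password, otp = parts
    public_id = otp[:PUBLIC_ID_LEN]
    if public_id not in mapping.get(user, []):
        return None
    return password, public_id


if __name__ == "__main__":
    m = parse_authfile(SAMPLE_AUTHFILE)
    print("shared public IDs:", shared_ids(m))
    print("paul:", check_user_otp(m, "paul", SAMPLE_AUTHTOK))
    print("simon:", check_user_otp(m, "simon", SAMPLE_AUTHTOK))
```

Run it against your real mapping file before deploying a change: a non-empty result from `shared_ids` means two accounts can be unlocked by the same physical token, which is exactly the condition pam_yubico will not catch for you.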
===== User Level
Although user-level configuration of pam_yubico is possible (each user
lists their own public IDs in `~/.yubico/authorized_yubikeys`), it is
usually not a desirable option for an OpenVPN daemon in an enterprise,
since it lets users rather than administrators decide which token is
bound to an account.
==== Configuration of PAM modules for OpenVPN:
To configure PAM modules for OpenVPN, create a file named
`/etc/pam.d/openvpn` (the file name must be the one specified
in `/etc/openvpn/server.conf` along with the `plugin` directive)
and list all the PAM modules in this file accordingly.
==== Test Setup
Our test environment is as follows:
Operating System:: Fedora release 8 (Werewolf)

OpenVPN Server:: OpenVPN Version 2.0.9

Yubico PAM:: pam_yubico Version 1.8

/etc/pam.d/openvpn file::
----
auth required pam_yubico.so authfile=/etc/yubikeyid id=16 debug
auth include system-auth
account required pam_nologin.so
account include system-auth
password include system-auth
session include system-auth
----
The order of the `auth` lines matters: pam_yubico must run before
`system-auth` so that the OTP has already been stripped from the password
by the time `pam_unix` in `system-auth` checks it against `/etc/shadow`.
==== Testing the configuration
We have tested the pam_yubico configuration on the following Linux server platforms:
i) Fedora 8:
Operating system: Fedora release 8 (Werewolf),
OpenVPN Server: OpenVPN Version 2.0.9,
Yubico PAM: pam_yubico Version 1.8
ii) Fedora 6:
Operating system: Fedora Core release 6 (Zod),
OpenVPN Server: OpenVPN Version 2.0.9,
Yubico PAM: pam_yubico version 1.8
To test the configuration, first create a couple of test users on the
system where OpenVPN server is running and configure their YubiKey IDs
accordingly.
Please use the following command for testing:
------
[root@testsrv ~]# openvpn /etc/openvpn/client.conf
------
The OpenVPN client first prompts for the username; enter the username.
It then prompts for the password; enter the user's password immediately
followed by an OTP generated by the YubiKey (touch the key with the cursor
at the end of the password), with nothing in between.
If the OpenVPN server is configured for PAM authentication, it may also
prompt for user credentials when the OpenVPN daemon is started with the
`init.d` script or at boot time. This is typically because the init
script starts every `*.conf` it finds in `/etc/openvpn`, including the
test `client.conf` with `auth-user-pass`.
To avoid the username and password prompt at daemon startup, start the
OpenVPN server from the command line as follows instead of using the
`init.d` script:
------
[root@testsrv ~]# /usr/sbin/openvpn --config /etc/openvpn/server.conf --daemon openvpn
------
The OpenVPN server daemon can be configured to start at boot time by
copying the above command into the `/etc/rc.local` file.
=== OpenVPN Configuration with FreeRADIUS support
In this type of configuration, the OpenVPN server uses a FreeRADIUS server
to authenticate users. The FreeRADIUS server verifies the authentication
information received from the OpenVPN server by checking the username and
the user's password against the system password file `/etc/passwd` (or by
other means supported by FreeRADIUS) and verifying the OTP (one-time
password) generated by the YubiKey with Yubico's OTP validation server.
In this mode the password plus OTP travels from the OpenVPN host to the
RADIUS server inside RADIUS packets, so the shared secret and the network
path between the two hosts must be protected.
To configure OpenVPN with FreeRADIUS support, please follow the steps below:
* Follow all the steps mentioned in the section “OpenVPN Configuration without FreeRADIUS support” to configure OpenVPN server to support PAM authentication.
* https://github.com/Yubico/yubico-pam/blob/master/doc/YubiKey_and_FreeRADIUS_via_PAM.adoc[Install and configure FreeRADIUS server for two factor authentication].
* Build pam_radius_auth.so and copy it to the `/lib/security` directory (`/lib64/security` on 64-bit systems)
* Create a file `/etc/pam.d/openvpn` (the file name must be the one specified
in `/etc/openvpn/server.conf` along with the `plugin` directive) and copy the
following contents into it (in this mode pam_yubico is configured on the
FreeRADIUS server, as described in the linked document, not in this file):
------
auth required pam_radius_auth.so no_warn try_first_pass
account required pam_radius_auth.so
------
* Create a file `/etc/raddb/server` to tell the `pam_radius_auth` PAM module
which FreeRADIUS server to use. Each line holds one server and the shared
secret for it:
------
<RADIUS server fully qualified domain name/IP Address> <Shared Secret>
<RADIUS server fully qualified domain name/IP Address> <Shared Secret>
.
.
.
------
e.g.:
------
freeradius.example.com Admin456
------
Because this file holds the RADIUS shared secret in clear text, make it
readable by root only (`chmod 600 /etc/raddb/server`), and use a long
random secret rather than a short one like the example above.
Failover support for the RADIUS server can be configured by adding one
RADIUS server entry per line to the `/etc/raddb/server` file;
`pam_radius_auth` tries them in order.
==== Test Setup
Our test environment is as follows:
i) Operating System: Fedora release 8 (Werewolf)
ii) FreeRADIUS Server: FreeRADIUS Version 1.1.7
iii) Pam_Radius: pam_radius_auth 1.3.17
iv) Yubico PAM: pam_yubico Version 1.8
v) `/etc/pam.d/openvpn` file:
------
auth required pam_radius_auth.so no_warn try_first_pass
account required pam_radius_auth.so
------
==== Testing the configuration
We have tested the pam_yubico configuration on the following Linux server platforms:
===== Fedora 8
Operating system:: Fedora release 8 (Werewolf)
OpenVPN Server:: OpenVPN Version 2.0.9
Yubico PAM:: pam_yubico Version 1.8
FreeRADIUS Server:: FreeRADIUS Server Version 1.1.7
Pam_radius:: pam_radius_auth Version 1.3.17
===== Fedora 6
Operating system:: Fedora Core release 6 (Zod)
OpenVPN Server:: OpenVPN Version 2.0.9
Yubico PAM:: pam_yubico version 1.8
FreeRADIUS Server:: FreeRADIUS Server Version 1.1.7
Pam_radius:: pam_radius_auth Version 1.3.17
To test the configuration, first create a couple of test users
on the system where FreeRADIUS server is running and configure
their YubiKey IDs accordingly.
Please use the following command for testing:
------
[root@varsha ~]# openvpn /etc/openvpn/client.conf
------
The OpenVPN client first prompts for the username; enter the username.
It then prompts for the password; enter the user's password immediately
followed by an OTP generated by the YubiKey, with nothing in between.
NOTE: At the time of writing, please use OpenVPN server Version 2.0.9 (the latest stable version), as older versions and newer beta versions have problems with the PAM libraries; RADIUS authentication fails when it is configured with an older or a beta version of the OpenVPN server.