Yubico / yubico-pam

Yubico Pluggable Authentication Module (PAM)
https://developers.yubico.com/yubico-pam
BSD 2-Clause "Simplified" License

Unable to authenticate #86

Open abrkn opened 8 years ago

abrkn commented 8 years ago

I'm trying to harden an OpenVPN installation by adding yubikey otp. Clients currently authenticate using client certificates. I'd like to require yubikey otp on top of that, in case someone's computer is stolen. When turning on the plugin and connecting, I experience this error (openvpn log):

AUTH-PAM: BACKGROUND: USER: <myusername>
AUTH-PAM: BACKGROUND: my_conv[0] query='YubiKey for `<myusername>': ' style=1
AUTH-PAM: BACKGROUND: user '<myusername>' failed to authenticate: Permission denied
Wed Jan 20 23:29:11 2016 us=911903 <myexternalip>:58390 PLUGIN_CALL: POST /usr/lib/openvpn/openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
Wed Jan 20 23:29:11 2016 us=912211 <myexternalip>:58390 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/lib/openvpn/openvpn-plugin-auth-pam.so
Wed Jan 20 23:29:11 2016 us=912548 <myexternalip>:58390 TLS Auth Error: Auth Username/Password verification failed for peer
WWWRRRWed Jan 20 23:29:11 2016 us=945658 <myexternalip>:58390 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA
Wed Jan 20 23:29:11 2016 us=946009 <myexternalip>:58390 Peer Connection Initiated with [AF_INET]<myexternalip>:58390
RWed Jan 20 23:29:13 2016 us=979157 <myexternalip>:58390 PUSH: Received control message: 'PUSH_REQUEST'
Wed Jan 20 23:29:13 2016 us=979184 <myexternalip>:58390 Delayed exit in 5 seconds
Wed Jan 20 23:29:13 2016 us=979197 <myexternalip>:58390 SENT CONTROL [UNDEF]: 'AUTH_FAILED' (status=1)
WWWWed Jan 20 23:29:18 2016 us=64583 <myexternalip>:58390 SIGTERM[soft,delayed-exit] received, client-instance exiting

Plugin log:

[pam_yubico.c:parse_cfg(749)] called.
[pam_yubico.c:parse_cfg(750)] flags 0 argc 4
[pam_yubico.c:parse_cfg(752)] argv[0]=authfile=/etc/yubikeyid
[pam_yubico.c:parse_cfg(752)] argv[1]=id=<my id>
[pam_yubico.c:parse_cfg(752)] argv[2]=<my generated key>
[pam_yubico.c:parse_cfg(752)] argv[3]=debug
[pam_yubico.c:parse_cfg(753)] id=<my id>
[pam_yubico.c:parse_cfg(754)] key=<my generated key>
[pam_yubico.c:parse_cfg(755)] debug=1
[pam_yubico.c:parse_cfg(756)] alwaysok=0
[pam_yubico.c:parse_cfg(757)] verbose_otp=0
[pam_yubico.c:parse_cfg(758)] try_first_pass=0
[pam_yubico.c:parse_cfg(759)] use_first_pass=0
[pam_yubico.c:parse_cfg(760)] authfile=/etc/yubikeyid
[pam_yubico.c:parse_cfg(761)] ldapserver=(null)
[pam_yubico.c:parse_cfg(762)] ldap_uri=(null)
[pam_yubico.c:parse_cfg(763)] ldap_bind_user=(null)
[pam_yubico.c:parse_cfg(764)] ldap_bind_password=(null)
[pam_yubico.c:parse_cfg(765)] ldap_filter=(null)
[pam_yubico.c:parse_cfg(766)] ldap_cacertfile=(null)
[pam_yubico.c:parse_cfg(767)] ldapdn=(null)
[pam_yubico.c:parse_cfg(768)] user_attr=(null)
[pam_yubico.c:parse_cfg(769)] yubi_attr=(null)
[pam_yubico.c:parse_cfg(770)] yubi_attr_prefix=(null)
[pam_yubico.c:parse_cfg(771)] url=(null)
[pam_yubico.c:parse_cfg(772)] urllist=(null)
[pam_yubico.c:parse_cfg(773)] capath=(null)
[pam_yubico.c:parse_cfg(774)] cainfo=(null)
[pam_yubico.c:parse_cfg(775)] token_id_length=12
[pam_yubico.c:parse_cfg(776)] mode=client
[pam_yubico.c:parse_cfg(777)] chalresp_path=(null)
[pam_yubico.c:pam_sm_authenticate(808)] pam_yubico version: 2.20
[pam_yubico.c:pam_sm_authenticate(823)] get user returned: <myusername>
[pam_yubico.c:pam_sm_authenticate(971)] conv returned 44 bytes
[pam_yubico.c:pam_sm_authenticate(989)] Skipping first 0 bytes. Length is 44, token_id set to 12 and token OTP always 32.
[pam_yubico.c:pam_sm_authenticate(996)] OTP: <the whole otp> ID: <my public id>
[pam_yubico.c:pam_sm_authenticate(1026)] ykclient return value (0): Success
[pam_yubico.c:pam_sm_authenticate(1027)] ykclient url used: https://api2.yubico.com/wsapi/2.0/verify?id=<my id>&nonce=***&otp=<the whole otp>&timestamp=1&h=***%3D
[pam_yubico.c:authorize_user_token(153)] Using system-wide auth_file /etc/yubikeyid
[util.c:check_user_token(151)] Authorization line: <myusername>:<my public id>
[util.c:check_user_token(156)] Matched user: <myusername>
[util.c:check_user_token(162)] Authorization token: <my public id>
[util.c:check_user_token(166)] Match user/token as <myusername>/<my public id>
[pam_yubico.c:pam_sm_authenticate(1095)] done. [Success]

/etc/pam.d/openvpn:

auth required pam_yubico.so authfile=/etc/yubikeyid id=<my id> key=<my generated key> debug

/etc/openvpn/udp-otp.conf:

plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so openvpn

Manouchehri commented 8 years ago

I'm experiencing this exact same error with 2.20 on Ubuntu 16.04. It's infuriating to see [pam_yubico.c:pam_sm_authenticate(1095)] done. [Success] and then have PAM deny the login with no useful debugging output. I feel like I'm running Windows again.

/etc/pam.d/common-auth

#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.).  The default is to use the
# traditional Unix authentication mechanisms.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules.  See
# pam-auth-update(8) for details.

# here are the per-package modules (the "Primary" block)
# auth  [success=1 default=ignore]  pam_unix.so nullok_secure
auth    include             yubikey
# here's the fallback if no module succeeds
auth    requisite           pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth    required            pam_permit.so
# and here are more per-package modules (the "Additional" block)
# end of pam-auth-update config

/etc/pam.d/yubikey

auth required pam_yubico.so authfile=/etc/yubikey_mappings id=<my id> key=<my generated key> debug

Manouchehri commented 8 years ago

I figured it out, it turns out the docs are wrong for Ubuntu 16.04. (I don't know what exactly changed, and frankly I don't care since it's working.)

auth [success=1 default=ignore] pam_yubico.so authfile=/etc/yubikey_mappings id=<my id> key=<my generated key>

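
To see why the control flag matters here, the following added example (not part of this thread and not yubico-pam code) replays the two /etc/pam.d layouts posted above through a simplified model of libpam's auth-stack dispatcher. The file contents are constructed stand-ins for the posted ones, with `ID`/`KEY` as placeholders, and the modules' return codes are stubbed rather than loaded. The model handles only the `auth` type, `include`, the simple control keywords and the bracketed `success=N`/`default=` form, and approximates libpam's "impression" bookkeeping; `substack` and the other phases are not modelled. Note that OpenVPN's auth-pam plugin also runs pam_acct_mgmt after pam_authenticate, so a service file that defines no `account` lines still has to be checked separately.

```python
"""Simplified model of Linux-PAM's auth-stack dispatcher (constructed example, not yubico-pam code).

It replays the two /etc/pam.d layouts posted in this thread and shows why
'auth required pam_yubico.so' inside 'auth include yubikey' is denied by the
following 'requisite pam_deny.so' line, while '[success=1 default=ignore]' skips it.
"""
import re

PAM_SUCCESS, PAM_AUTH_ERR, PAM_PERM_DENIED = "PAM_SUCCESS", "PAM_AUTH_ERR", "PAM_PERM_DENIED"

# Expansion of the simple control keywords, as documented in pam.conf(5).
SIMPLE_CONTROLS = {
    "required":   {"success": "ok",   "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok",   "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "default": "ignore"},
}
# type, control ([...] or keyword), module, optional arguments
LINE_RE = re.compile(r"^(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


def parse_control(token):
    """'[success=1 default=ignore]' -> {'success': '1', 'default': 'ignore'}."""
    if token.startswith("["):
        return dict(kv.split("=", 1) for kv in token.strip("[]").split())
    return dict(SIMPLE_CONTROLS[token])


def parse_service(name, files):
    """Flatten the 'auth' lines of service `name`; 'include' splices the other file in place."""
    entries = []
    for raw in files[name].splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparsable PAM line: {raw!r}")
        mtype, control, module, _args = m.groups()
        if mtype != "auth":
            continue
        if control == "include":
            entries.extend(parse_service(module, files))
        else:
            entries.append((parse_control(control), module))
    return entries


def run_auth_stack(entries, module_results):
    """Walk the stack like libpam's dispatcher: ok/bad/die/done/ignore and numeric jumps."""
    impression = None            # None = nothing decided yet, True = positive, False = negative
    status = PAM_PERM_DENIED     # libpam's must-fail code if no module ever sets a result
    skip = 0
    for control, module in entries:
        if skip:                 # consumed by a previous 'success=N' jump
            skip -= 1
            continue
        result = module_results[module]
        key = "success" if result == PAM_SUCCESS else "auth_err"
        action = control.get(key, control.get("default", "bad"))
        if action.isdigit():     # jump over the next N entries; the result itself counts as 'ok'
            skip, action = int(action), "ok"
        if action == "ignore":
            continue
        if action == "ok":
            if impression is None or (impression and result != PAM_SUCCESS):
                impression, status = result == PAM_SUCCESS, result
        elif action == "bad":    # remember the first failure but keep running the stack
            if impression is not False:
                impression, status = False, result
        elif action == "die":    # fail immediately
            return result
        elif action == "done":   # succeed immediately unless something already failed
            if impression is not False:
                return result
    return status


# Constructed stand-ins for the files posted above; ID/KEY are placeholders.
BROKEN = {
    "common-auth": "auth include yubikey\nauth requisite pam_deny.so\nauth required pam_permit.so\n",
    "yubikey": "auth required pam_yubico.so authfile=/etc/yubikey_mappings id=ID key=KEY debug\n",
}
FIXED = dict(BROKEN, yubikey="auth [success=1 default=ignore] pam_yubico.so authfile=/etc/yubikey_mappings id=ID key=KEY\n")


def simulate(files, otp_ok, service="common-auth"):
    """Outcome of pam_authenticate() for a valid (otp_ok=True) or rejected OTP."""
    results = {"pam_yubico.so": PAM_SUCCESS if otp_ok else PAM_AUTH_ERR,
               "pam_deny.so": PAM_AUTH_ERR, "pam_permit.so": PAM_SUCCESS}
    return run_auth_stack(parse_service(service, files), results)


if __name__ == "__main__":
    for label, files in (("required", BROKEN), ("[success=1 default=ignore]", FIXED)):
        print(f"{label:28} valid OTP -> {simulate(files, True)}, bad OTP -> {simulate(files, False)}")
```

With `required`, a good OTP sets a positive result but execution continues into `requisite pam_deny.so`, whose `die` action returns the denial immediately. With `[success=1 default=ignore]`, a good OTP jumps over pam_deny to pam_permit, and a bad OTP is ignored so pam_deny still rejects it. Running the `yubikey` file on its own with a bad OTP returns the must-fail code, which is what the "prime the stack" `pam_permit.so` comment in common-auth is guarding against.
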
ctodd commented 6 years ago

@Manouchehri can you share what you changed so others know how to fix the problem you ran into?

Manouchehri commented 6 years ago

It's been over two years since I had this problem and I honestly don't remember it, but I'd assume editing /etc/pam.d/yubikey with the content I wrote in https://github.com/Yubico/yubico-pam/issues/86#issuecomment-209221647 was the fix.

rmldsky commented 6 years ago

@ctodd did what @Manouchehri did in the comment above work for you?

ctodd commented 6 years ago

@rmldsky my issue was different and was related to changes in OpenVPN, the Viscosity VPN client, and a necessary upgrade to 2.4. There is also an additional configuration option auth-gen-token required to enable token based re-authentication (i.e. the Yubikey OTP expires before the re-authentication which occurs every hour when the TLS keys are renegotiated).

https://www.sparklabs.com/support/kb/article/advanced-configuration-commands/

Hope this helps.