raczylo.com blog ~ #

OpenVPN with YubiKey and Google Authenticator

Created on 2014-11-20 in categories ops , tutorial , howto
Tagged as: linux , ubuntu , openvpn , yubikey , google authenticator

Make your OpenVPN server work with YubiKey and Google Authenticator in the same time.

Long story semi-short

Multiple vpn users, different hardware and looking two factor authentication solution? I have bad news for you… Let’s say you have 200 users, most of them non-tech. Distributing yubikeys should be the easiest solution ever. Hardware two factor auth makes it idiot-proof and with proper step-by-step solution even easier for end user to use on daily basis. If some of them would ask you to enable a VPN solution on their iPads or iPhones - you’re entering mordor with two or actually three choices. Getting them and iPad camera connection kit like “old one” or lightning to allow them simply plug their yubikeys in ( Disadvantage alert: They need to carry this around and they’ll pretty often just forget or lose them ).

Switching to different two-factor authenticator provider, like google authenticator - but what are you going to do with all those yubikeys worth $20 each?

Enabling second 2-factor authentication method and letting your server automatically pick one of those.

Despite my best efforts I couldn’t find any tutorials of connecting those two solutions. I’ve assumed you have clean Ubuntu 12.04 installation with openvpn server running, feel free to skip parts which you consider obsolete. TIP: Don’t install packages available in dist repos.

They can produce a lot of frustration, specially when your ‘forward_pass’ for google auth won’t work.

Preparation

To get ready for manual compilation install following:

apt-get install git autoconf automake libtool pkg-config libcurl4-openssl-dev help2man libpam-dev libusb-1.0-0-dev

YubiCo pam module installation

No-brainer here. Just copy, paste and wait

wget http://opensource.yubico.com/yubico-c-client/releases/ykclient-2.12.tar.gz
tar -zxf ykclient-2.12.tar.gz
cd ykclient-2.12
./configure
make
make install

cd ..
git clone git://github.com/Yubico/yubico-c.git
cd yubico-c
autoreconf --install
./configure
make
make install

cd ..
git clone git://github.com/Yubico/yubikey-personalization.git
cd yubikey-personalization
autoreconf --install
./configure
make
make install

cd ..
git clone git@github.com:Yubico/yubico-pam.git yubico-pam
cd yubico-pam/
autoreconf --install
./configure
make
make install

GoogleAuthenticator module installation

Luckily google makes our lifes easier at this stage. Whole compilation and installation process is actually a single command

cd ~
wget https://google-authenticator.googlecode.com/files/libpam-google-authenticator-1.0-source.tar.bz2
bzip2 -d libpam-google-authenticator-1.0-source.tar.bz2
tar -xf libpam-google-authenticator-1.0-source.tar
cd libpam-google-authenticator-1.0/
make install

Making both cooperate

Edit ( or even better - replace ) file /etc/pam.d/openvpn with following content

auth [success=1 default=ignore] pam_yubico.so authfile=/etc/yubikey_mappings id=16 debug
auth required pam_google_authenticator.so forward_pass
auth required pam_unix.so use_first_pass
account required pam_permit.so

What’s in the pam file content?

OpenVPN will try authentication with password+yubikey, if succeed - it will skip following requirement of using google authenticator. Using password+google_authenticator in case of yubikey check has failed. Comparing password ( stripped from yubikey or google authenticator string ). Checking if user is even permitted to log in. Now restart / reload your openvpn server and you’re ready. More readings can be find on projects websites / repos yubikey and google authenticator.

* Table of contents *

* Check other posts *

* Categories *

aws(1) cloud(2) dev(2) gems(1) howto(3) mac(1) ops(7) projects(2) script(1) tools(1) tutorial(4)

* Tags *

api(1) apple(2) aws(3) bash(1) cloud(4) cluster(1) ec2(1) elasticsearch(1) gem(1) github(1) google-authenticator(1) google-cloud(1) iptables(1) linux(2) logging(1) mac(2) opensource(1) openvpn(1) osx(2) pci-compliance(1) ruby(2) security(2) ssh(1) ubuntu(1) wykop(1) yubikey(1)
comments powered by Disqus