
Yubico U2F with Ubuntu

Posted: Sat Sep 15, 2018 2:52 am
by xredfox0
I've followed this guide https://www.sparklabs.com/support/kb/ar ... viscosity/

I've followed this guide for the Yubico key https://www.sparklabs.com/support/kb/ar ... viscosity/

I can connect to my server once I have finished setting up the OpenVPN server with Ubuntu and Viscosity, but after I finished the Yubico guide I encountered this problem.

The problem I am facing is that after connecting, it asks me for a username and password. I type in a username and password and the YubiKey U2F Authentication window pops up. After plugging the USB key in and clicking the button, it tries to connect and stays on "connecting" status. If I disconnect and reconnect with the same username and password, it gives me an authentication error, saying my username or password is wrong.

Looking into the log file, I can see it tries to authenticate after pressing the button on the YubiKey but fails. I also cannot find where the users are being created and stored. I thought it would be in /etc/yubico/u2fval/u2fval.db. I made a backup of that file and deleted it, but I would still get an error.

Any ideas would be helpful!

I am currently running on Ubuntu 16.04.5, pip 18.0 and Python 2.8.

Re: Yubico U2F with Ubuntu

Posted: Mon Sep 17, 2018 11:27 am
by Eric
Hi xredfox0,

Copies of your logs on both the server and client side would be extremely helpful. What you are describing sounds like OpenVPN wasn't patched as instructed at the start of the guide. Can you confirm that you patched and recompiled OpenVPN and that this new version is being used?

Regards,
Eric

Re: Yubico U2F with Ubuntu

Posted: Tue Sep 18, 2018 5:35 am
by xredfox0
Hello Eric,

Here are the versions of OpenVPN and OpenSSL. As for recompiling it, would that be just a server reset?
OpenVPN 2.4.6 x86_64-pc-linux-gnu
OpenSSL 1.0.2g

This is what is in my OpenVPN log for a user I created.

Mon Sep 17 17:20:46 2018 "Home IP" VERIFY OK: depth=1, C=US, ST=FL, L=Miami, O=Fort-Funston, OU=MyOrganizationalUnit, CN=Fort-Funston CA, name=EasyRSA, emailAddress=[email protected]
Mon Sep 17 17:20:46 2018 "Home IP" VERIFY OK: depth=0, C=US, ST=FL, L=Miami, O=Fort-Funston, OU=MyOrganizationalUnit, CN=client, name=EasyRSA, emailAddress=[email protected]
Mon Sep 17 17:20:46 2018 "Home IP" peer info: IV_VER=2.4.6
Mon Sep 17 17:20:46 2018 "Home IP" peer info: IV_PLAT=win
Mon Sep 17 17:20:46 2018 "Home IP" peer info: IV_PROTO=2
Mon Sep 17 17:20:46 2018 "Home IP" peer info: IV_NCP=2
Mon Sep 17 17:20:46 2018 "Home IP" peer info: IV_LZ4=1
Mon Sep 17 17:20:46 2018 "Home IP" peer info: IV_LZ4v2=1
Mon Sep 17 17:20:46 2018 "Home IP" peer info: IV_LZO=1
Mon Sep 17 17:20:46 2018 "Home IP" peer info: IV_COMP_STUB=1
Mon Sep 17 17:20:46 2018 "Home IP" peer info: IV_COMP_STUBv2=1
Mon Sep 17 17:20:46 2018 "Home IP" peer info: IV_TCPNL=1
Mon Sep 17 17:20:46 2018 "Home IP" peer info: IV_GUI_VER=Viscosity_1.7.11_1576
Mon Sep 17 17:20:46 2018 "Home IP" TLS: Username/Password authentication deferred for username 'test'
Mon Sep 17 17:20:46 2018 "Home IP" WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1541', remote='link-mtu 1542'
Mon Sep 17 17:20:46 2018 "Home IP" WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
Mon Sep 17 17:20:46 2018 "Home IP" Control Channel: TLSv1.2, cipher TLSv1/SSLv3 "Cipher", 2048 bit RSA
Mon Sep 17 17:20:46 2018 "Home IP" [client] Peer Connection Initiated with [AF_INET]"Home IP"
Mon Sep 17 17:20:47 2018 "Home IP" PUSH: Received control message: 'PUSH_REQUEST'
Mon Sep 17 17:20:50 2018 MANAGEMENT: CMD 'client-deny 0 0 "PAM Auth failed"'
Mon Sep 17 17:20:50 2018 MULTI: connection rejected: PAM Auth failed, CLI:[NULL]
Mon Sep 17 17:20:50 2018 MANAGEMENT: CMD 'client-deny 0 0 "U2F Reg Required" "CRV1:U2F:auth:"Key"
Mon Sep 17 17:20:53 2018 "Home IP" PUSH: Received control message: 'PUSH_REQUEST'
Mon Sep 17 17:20:53 2018 "Home IP" Delayed exit in 5 seconds
Mon Sep 17 17:20:53 2018 "Home IP" SENT CONTROL [client]: 'AUTH_FAILED' (status=1)
Mon Sep 17 17:20:58 2018 "Home IP" SIGTERM[soft,delayed-exit] received, client-instance exiting

This is for a user being created with Viscosity

Mon Sep 17 17:21:10 2018 "Home IP" TLS: Username/Password authentication deferred for username 'Tests'
Mon Sep 17 17:21:10 2018 "Home IP" WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1541', remote='link-mtu 1542'
Mon Sep 17 17:21:10 2018 "Home IP" WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
Mon Sep 17 17:21:10 2018 "Home IP" Control Channel: TLSv1.2, cipher TLSv1/SSLv3 "Key", 2048 bit RSA
Mon Sep 17 17:21:10 2018 "Home IP" [client] Peer Connection Initiated with [AF_INET]"Home IP"
Mon Sep 17 17:21:12 2018 "Home IP" PUSH: Received control message: 'PUSH_REQUEST'
Mon Sep 17 17:21:14 2018 MANAGEMENT: CMD 'client-deny 1 0 "PAM Auth failed"'
Mon Sep 17 17:21:14 2018 MULTI: connection rejected: PAM Auth failed, CLI:[NULL]
Mon Sep 17 17:21:14 2018 MANAGEMENT: CMD 'client-deny 1 0 "U2F Reg Required" "CRV1:U2F,R:reg:VGVzdHM=:"Key"
Mon Sep 17 17:21:14 2018 MULTI: connection rejected: U2F Reg Required, CLI:CRV1:U2F,R:reg:VGVzdHM=:"Key"
Mon Sep 17 17:21:17 2018 "Home IP" PUSH: Received control message: 'PUSH_REQUEST'
Mon Sep 17 17:21:17 2018 "Home IP" Delayed exit in 5 seconds
Mon Sep 17 17:21:17 2018 "Home IP" SENT CONTROL [client]: 'AUTH_FAILED,CRV1:U2F,R:reg:VGVzdHM=:"Key"' (status=1)
Mon Sep 17 17:21:22 2018 "Home IP" SIGTERM[soft,delayed-exit] received, client-instance exiting

Here is the Viscosity log

Sep 17 1:20:32 PM: State changed to Connecting
Sep 17 1:20:32 PM: Viscosity Windows 1.7.11 (1576)
Sep 17 1:20:33 PM: Running on Microsoft Windows 10 Home
Sep 17 1:20:33 PM: Running on .NET Framework Version 4.7.03056.461808
Sep 17 1:20:33 PM: Bringing up interface...
Sep 17 1:20:37 PM: OpenVPN 2.4.6 Windows-MSVC [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Jul 20 2018
Sep 17 1:20:37 PM: library versions: OpenSSL 1.0.2o 27 Mar 2018, LZO 2.09
Sep 17 1:20:46 PM: Checking remote host ""Server DNS"" is reachable...
Sep 17 1:20:46 PM: Server reachable. Connecting to "My IP".
Sep 17 1:20:47 PM: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Sep 17 1:20:48 PM: TCP/UDP: Preserving recently used remote address: [AF_INET]"My IP":1194
Sep 17 1:20:48 PM: UDP link local: (not bound)
Sep 17 1:20:48 PM: UDP link remote: [AF_INET]"My IP":1194
Sep 17 1:20:48 PM: State changed to Authenticating
Sep 17 1:20:48 PM: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Sep 17 1:20:48 PM: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1542', remote='link-mtu 1541'
Sep 17 1:20:48 PM: WARNING: 'comp-lzo' is present in local config but missing in remote config, local='comp-lzo'
Sep 17 1:20:48 PM: [server] Peer Connection Initiated with [AF_INET]"My IP":1194
Sep 17 1:20:49 PM: State changed to Connecting
Sep 17 1:20:54 PM: AUTH: Received control message: AUTH_FAILED
Sep 17 1:20:57 PM: SIGUSR1[soft,auth-failure] received, process restarting
Sep 17 1:20:57 PM: State changed to Connecting
Sep 17 1:20:57 PM: Checking remote host ""Server DNS"" is reachable...
Sep 17 1:20:58 PM: Server reachable. Connecting to "My IP".
Sep 17 1:21:12 PM: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Sep 17 1:21:12 PM: TCP/UDP: Preserving recently used remote address: [AF_INET]"My IP":1194
Sep 17 1:21:12 PM: UDP link local: (not bound)
Sep 17 1:21:12 PM: UDP link remote: [AF_INET]"My IP":1194
Sep 17 1:21:12 PM: State changed to Authenticating
Sep 17 1:21:12 PM: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1542', remote='link-mtu 1541'
Sep 17 1:21:12 PM: WARNING: 'comp-lzo' is present in local config but missing in remote config, local='comp-lzo'
Sep 17 1:21:12 PM: [server] Peer Connection Initiated with [AF_INET]"My IP":1194
Sep 17 1:21:13 PM: State changed to Connecting
Sep 17 1:21:18 PM: AUTH: Received control message: AUTH_FAILED,CRV1:U2F,R:reg:VGVzdHM="Key"
Sep 17 1:21:25 PM: SIGUSR1[soft,auth-failure] received, process restarting
Sep 17 1:21:25 PM: State changed to Connecting

To add a user, would I need to run adduser on Ubuntu, or does it automatically get created when entering the information in Viscosity?

I type in the right username and password but it returns as an incorrect username and/or password.

Re: Yubico U2F with Ubuntu

Posted: Wed Sep 19, 2018 11:19 am
by Eric
Hi xredfox0,

This system is using PAM as the basis of user/password authentication; these are the users built into Ubuntu. This means to add a user you will need to use adduser. Neither Viscosity nor this script will create any form of user (as that would be extremely insecure).

The important line as to why this is failing is here:

MANAGEMENT: CMD 'client-deny 0 0 "PAM Auth failed"'

This means PAM Authentication is failing, either because the user you are trying to authenticate as doesn't exist, or the password is incorrect. You shouldn't be receiving a U2F dialog after this failure; this looks like a bug in the python script which we will get fixed shortly.

If this isn't a brand new Ubuntu installation, please try running up a new Ubuntu Virtual Machine to test this first to ensure there are no environmental issues on your existing Ubuntu installation.

Regards,
Eric
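The server log posted above carries two things worth being able to read mechanically: the CRV1 challenge string OpenVPN hands back in AUTH_FAILED (where VGVzdHM= is just the base64 of the username "Tests"), and the order of client-deny decisions, which is how Eric spots that a U2F challenge was issued after PAM had already rejected the password. The following is an added example, not code from the Sparklabs guide, its Python script or Viscosity. It assumes OpenVPN's documented challenge format CRV1:<flags>:<state_id>:<username_base64>:<challenge_text>; the "U2F" token in the flags field and the "reg"/"auth" state ids are read off the thread's log lines rather than taken from the script, and the sample log lines, the client address and the challenge text "Touch your key" are constructed here.

```python
"""Added example (not the Sparklabs script or Viscosity code): parse CRV1
challenge strings from OpenVPN logs and triage the server's client-deny
decisions so a PAM-stage failure can be told apart from a U2F-stage one."""
import base64
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# OpenVPN's documented challenge/response format:
#   CRV1:<flags>:<state_id>:<username_base64>:<challenge_text>
# OpenVPN documents the flags "R" (response required) and "E" (echo); the
# "U2F" flag token and the "reg"/"auth" state ids below come from the
# thread's log lines, not from the script's source (assumption).
# The challenge text stops at a single quote so that the trailing
# "' (status=1)" of a SENT CONTROL line is not swallowed.
CRV1_RE = re.compile(r"CRV1:([^:']*):([^:']*):([^:']*):([^']*)")
DEFERRED_RE = re.compile(r"authentication deferred for username '([^']*)'")


@dataclass
class Crv1Challenge:
    flags: List[str]
    state_id: str
    username: str
    challenge_text: str


def parse_crv1(message: str) -> Optional[Crv1Challenge]:
    """Parse a CRV1 payload, with or without the 'AUTH_FAILED,' prefix.
    Returns None for a plain AUTH_FAILED, a payload with too few fields,
    or a username field that is not valid base64."""
    m = CRV1_RE.search(message)
    if not m:
        return None
    flags, state_id, user_b64, text = m.groups()
    try:
        username = base64.b64decode(user_b64, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    return Crv1Challenge([f for f in flags.split(",") if f], state_id,
                         username, text.strip('"'))


@dataclass
class AuthOutcome:
    username: Optional[str] = None
    pam_failed: bool = False
    challenges: List[Crv1Challenge] = field(default_factory=list)

    @property
    def challenge_after_pam_failure(self) -> bool:
        """The combination Eric points at: PAM already rejected the
        password, yet a U2F challenge was still issued for the client."""
        return self.pam_failed and bool(self.challenges)


def triage_server_log(lines: List[str]) -> AuthOutcome:
    """Walk server log lines for one client instance and record what the
    deferred-auth script decided via the management interface."""
    out = AuthOutcome()
    for line in lines:
        m = DEFERRED_RE.search(line)
        if m:
            out.username = m.group(1)
        if "client-deny" in line and "PAM Auth failed" in line:
            out.pam_failed = True
        if "client-deny" in line and "CRV1:" in line:
            ch = parse_crv1(line)
            if ch is not None:
                out.challenges.append(ch)
    return out


def deferred_auth_decision(pam_ok: bool, u2f_registered: bool,
                           username: str) -> Tuple[str, Optional[str]]:
    """Constructed model of the order a deferred-auth script should follow:
    a PAM failure ends the attempt and no challenge is built; only a valid
    password earns a U2F challenge. Returns (deny reason, CRV1 string or
    None). "PAM Auth failed" and "U2F Reg Required" mirror the thread's
    log; "U2F Auth Required" and the challenge text are constructed."""
    if not pam_ok:
        return ("PAM Auth failed", None)
    user_b64 = base64.b64encode(username.encode("utf-8")).decode("ascii")
    if u2f_registered:
        return ("U2F Auth Required", f"CRV1:U2F,R:auth:{user_b64}:Touch your key")
    return ("U2F Reg Required", f"CRV1:U2F,R:reg:{user_b64}:Touch your key")


# Constructed sample modelled on the thread's server log; the client
# address is a documentation IP and the redacted "Key" text is replaced.
SAMPLE_SERVER_LOG = [
    "Mon Sep 17 17:21:10 2018 203.0.113.5 TLS: Username/Password authentication deferred for username 'Tests'",
    "Mon Sep 17 17:21:14 2018 MANAGEMENT: CMD 'client-deny 1 0 \"PAM Auth failed\"'",
    "Mon Sep 17 17:21:14 2018 MULTI: connection rejected: PAM Auth failed, CLI:[NULL]",
    "Mon Sep 17 17:21:14 2018 MANAGEMENT: CMD 'client-deny 1 0 \"U2F Reg Required\" \"CRV1:U2F,R:reg:VGVzdHM=:Touch your key\"'",
    "Mon Sep 17 17:21:17 2018 203.0.113.5 SENT CONTROL [client]: 'AUTH_FAILED,CRV1:U2F,R:reg:VGVzdHM=:Touch your key' (status=1)",
]

if __name__ == "__main__":
    outcome = triage_server_log(SAMPLE_SERVER_LOG)
    print(outcome)
    print("challenge issued after PAM failure:", outcome.challenge_after_pam_failure)
```

Running the block over the sample prints the decoded username "Tests" from the challenge alongside pam_failed=True, and flags the challenge-after-failure condition; the deferred_auth_decision model returns no challenge at all when PAM fails, which is the ordering a fixed script should preserve.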

Re: Yubico U2F with Ubuntu

Posted: Thu Sep 20, 2018 6:20 am
by xredfox0
Hello Eric,

We are using a brand new Ubuntu installation for the YubiKey and we have made a user using adduser, but it still stayed at "connecting" status when trying to log in from Viscosity. I forgot to mention that PAM did give us an error after updating. To solve the issue I reinstalled PAM and it started to work fine.

I would like to know what is in the /etc/yubico/u2fval/u2fval.db since the usernames I typed in the U2F popup are stored there.

Should I start fresh with a new server?

Re: Yubico U2F with Ubuntu

Posted: Thu Sep 20, 2018 3:15 pm
by Eric
Hi xredfox0,

The u2fval.db is a database which stores U2F values, this includes registrations and challenges. Please take a look at Yubico's documentation for more information - https://developers.yubico.com/U2F/

If the server is displaying that it is sending AUTH_FAILED: <CRV/U2F...>, but the client is not receiving it (please check the logs on both sides), then the server is behaving as if it has not been patched. The patch allows for larger messages to be sent from server to client. Please double check that the patch applied successfully and that you are running the patched version of OpenVPN on your server. When OpenVPN starts up it will display the build date in the log.

Regards,
Eric