FIDO2 Doesn't show FIDO2-Screen


Wxll

Posts: 6
Joined: Thu Dec 12, 2013 9:34 pm

Post by Wxll » Thu Jan 21, 2021 1:41 pm
Using Viscosity client: 1.9.1b3

Ubuntu 20.0.4
OpenVPN server: OpenVPN 2.4.9 x86_64-pc-linux-gnu built on Apr 20 2020
openvpn-fido2-plugin
from: ppa:sparklabs/ppa

First got OpenVPN running with regular PAM:
plugin /usr/lib/x86_64-linux-gnu/openvpn/plugins/openvpn-plugin-auth-pam.so login
That worked fine with client1.

Following the steps from the manual:
https://www.sparklabs.com/support/kb/ar ... viscosity/

server.conf
log debug.log
proto udp
ifconfig-pool-persist ipp.txt
keepalive 10 120
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 5
mute 10
ca ca.crt
cert server.crt
key server.key
dh dh.pem
port 1194
dev tun0
server 10.8.0.0 255.255.255.0
push "dhcp-option DNS 1.1.1.1"
push "dhcp-option DNS 1.0.0.1"
push "redirect-gateway def1"

#FIDO2 and PAM plugin
plugin /usr/share/openvpn/pam-fido2/auth-pam-fido2.so login
# I did set my own hostname below instead of myvpn.mydomain.com
setenv fido2_origin myvpn.mydomain.com
setenv fido2_name "Intranet VPN Server"

#Uncomment the below if you wish to change the path for the script
# setenv fido2_script_path /usr/share/openvpn/pam-fido2/auth-fido2.py

#Auth-gen-token for renegotiation without needing to use token
auth-gen-token

When connecting, there is no U2F popup but actually a username/password popup.
I'm using the credentials of client1 again.
Then, after filling in the username/password, I get a new popup which looks like the picture attached.

OpenVPN log file shows at one point:
AUTH-PAM: BACKGROUND: received command code: 0
AUTH-PAM: BACKGROUND: USER: client1
AUTH-PAM: BACKGROUND: SCRIPT_PATH: /usr/share/openvpn/pam-fido2/auth-fido2.py

AUTH-PAM: BACKGROUND: my_conv[0] query='Password: ' style=1
AUTH-PAM: BACKGROUND: user 'client1' failed to authenticate: Authentication failure

Any hints? Or is it just too bleeding edge right now and I need to be patient for the next beta :-)

Many thanks in advance,
Wessel
Attachment: FIDO2.jpg (22.58 KiB)

Eric

Posts: 1146
Joined: Sun Jan 03, 2010 3:27 am

Post by Eric » Thu Jan 21, 2021 8:29 pm
Hi Wessel,

This feature is not in Viscosity yet. The following notice is at the top of the linked article:
NOTICE: This is currently a beta feature and is not available in release yet. Please check our beta versions for upcoming support, expected to release in version 1.9.2.
This feature is currently not in the 1.9.1 betas. We did have an early iteration of the feature in the 1.9 betas; however, we had to pull the feature out due to needing to focus on other issues that presented themselves at the time, like Apple Silicon's release. We're hoping to revisit FIDO2 in 1.9.2; however, it could be delayed again. Please keep an eye on beta releases if you're interested in trying FIDO2 in the future. FIDO2 support will be clearly displayed in the release notes when it's available: https://sparklabs.com/support/kb/articl ... -versions/

Regards,
Eric
Eric Thorpe
Viscosity Developer

Web: http://www.sparklabs.com
Support: http://www.sparklabs.com/support
Twitter: http://twitter.com/sparklabs

Post by Wxll » Wed Jan 27, 2021 8:48 am
Thanks! Certainly will do :-)

Post by Wxll » Wed May 19, 2021 8:30 pm
Any news on the FIDO2?
The old articles are no longer there :-/ Hope this doesn't mean it's no longer a feature :-:

The main advantage of FIDO2 is that you can force the use of a PIN or fingerprint on the token device, something very useful imho :-)

Wessel

Post by Eric » Thu May 20, 2021 10:05 am
Hi Wessel,

We'll be adding FIDO2 support when we add OpenVPN 2.5. I'm afraid we don't have a hard timeline for that at the moment, though.

Regards,
Eric

Post by Wxll » Thu May 27, 2021 7:34 pm
Ah! that's good news :) Thank you for the update!