
FIDO2 Doesn't show FIDO2-Screen

Posted: Thu Jan 21, 2021 1:41 pm
by Wxll
Using Viscosity client: 1.9.1b3

Ubuntu 20.0.4
OpenVPN server: OpenVPN 2.4.9 x86_64-pc-linux-gnu built on Apr 20 2020
openvpn-fido2-plugin
from: ppa:sparklabs/ppa

First got the OpenVPN running with regular pam:
plugin /usr/lib/x86_64-linux-gnu/openvpn/plugins/openvpn-plugin-auth-pam.so login
That worked fine with client1.

Following the steps from the manual:
https://www.sparklabs.com/support/kb/ar ... viscosity/

server.conf
log debug.log
proto udp
ifconfig-pool-persist ipp.txt
keepalive 10 120
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 5
mute 10
ca ca.crt
cert server.crt
key server.key
dh dh.pem
port 1194
dev tun0
server 10.8.0.0 255.255.255.0
push "dhcp-option DNS 1.1.1.1"
push "dhcp-option DNS 1.0.0.1"
push "redirect-gateway def1"

#FIDO2 and PAM plugin
plugin /usr/share/openvpn/pam-fido2/auth-pam-fido2.so login
# I did set my own hostname below instead of myvpn.mydomain.com
setenv fido2_origin myvpn.mydomain.com
setenv fido2_name "Intranet VPN Server"

#Uncomment the below if you wish to change the path for the script
# setenv fido2_script_path /usr/share/openvpn/pam-fido2/auth-fido2.py

#Auth-gen-token for renegotiation without needing to use token
auth-gen-token

When connecting, there is no U2F popup but actually a username/password popup.
I'm using the credentials again of client1.
Then after filling in the username/password I get a new popup which looks like the picture attached.

OpenVPN log file shows at one point:
AUTH-PAM: BACKGROUND: received command code: 0
AUTH-PAM: BACKGROUND: USER: client1
AUTH-PAM: BACKGROUND: SCRIPT_PATH: /usr/share/openvpn/pam-fido2/auth-fido2.py

AUTH-PAM: BACKGROUND: my_conv[0] query='Password: ' style=1
AUTH-PAM: BACKGROUND: user 'client1' failed to authenticate: Authentication failure

Any hints? Or is it just too bleeding edge right now and I need to be patient for the next beta :-)

Many thanks in advance,
Wessel

Re: FIDO2 Doesn't show FIDO2-Screen

Posted: Thu Jan 21, 2021 8:29 pm
by Eric
Hi Wessel,

This feature is not in Viscosity yet; the following notice is at the top of the linked article:
NOTICE: This is currently a beta feature and is not available in release yet. Please check our beta versions for upcoming support, expected to release in version 1.9.2.
This feature is currently not in the 1.9.1 betas. We did have an early iteration of the feature in the 1.9 betas; however, we had to pull the feature out due to needing to focus on other issues that presented themselves at the time, like Apple Silicon's release. We're hoping to revisit FIDO2 in 1.9.2; however, it could be delayed again. Please keep an eye on beta releases if you're interested in trying FIDO2 in the future. FIDO2 support will be clearly displayed in the release notes when it's available - https://sparklabs.com/support/kb/articl ... -versions/

Regards,
Eric

Re: FIDO2 Doesn't show FIDO2-Screen

Posted: Wed Jan 27, 2021 8:48 am
by Wxll
Thanks! Certainly will do :-)

Re: FIDO2 Doesn't show FIDO2-Screen

Posted: Wed May 19, 2021 8:30 pm
by Wxll
Any news on the FIDO2?
The old articles are no longer there :-/ hope this doesn't mean it's no longer a feature :-:

The main advantage of FIDO2 is you can force the use of a PIN or fingerprint on the token device, something very useful imho :-)

Wessel

Re: FIDO2 Doesn't show FIDO2-Screen

Posted: Thu May 20, 2021 10:05 am
by Eric
Hi Wessel,

We'll be adding FIDO2 support when we add OpenVPN 2.5; I'm afraid we don't have a hard timeline for that at the moment, though.

Regards,
Eric

Re: FIDO2 Doesn't show FIDO2-Screen

Posted: Thu May 27, 2021 7:34 pm
by Wxll
Ah! That's good news :) Thank you for the update!