Does auth also work with only a yubikey? (static-challenge)

Got a problem with Viscosity or need help? Ask here!


Posts: 2
Joined: Wed Dec 12, 2018 10:53 am

Post by ludwig.gramberg » Wed Dec 12, 2018 11:04 am

I recently tried to implement this: ... viscosity/

What I found obsolete is to send a username and password for PAM to authenticate before authenticating via yubico.
So I removed the PAM part and I am only authenticating via yubico.
In my opinion a certificate + yubikey is still 2fa.

However Viscosity does not seam to allow to just ask for the 2fa-challenge of the yubikey without activating the username/password option.
The yubikey already contains a unique ID in the 12 first characters of its response which for me is enough to identify a user.

So is it possible to just query for the static-challenge? Or do I always have to go through username/password?
Currently I can just fill anything in the username field and it works, as long as the yubikey challenge is correct.



User avatar
Posts: 960
Joined: Sun Jan 03, 2010 3:27 am

Post by Eric » Wed Dec 12, 2018 12:38 pm
Hi Ludwig,

I'm afraid OpenVPN itself does not support challenge-only authentication, username and password is required.

Challenge-only is something on our todo list, however I'm afraid it is a very low priority as most organisations who would use 2FA use it to authenticate against more systems than just OpenVPN, usually with LDAP as the back end, PAM is just provided in our examples as it's easy to outline an example with. I'm afraid this makes OTP only a bit of a niche implementation.

The cleanest way to implement this would be to either set a hardcoded username/password in our example script (or just ignore the username/password sent) and strip out the PAM authentication, and then save this username and password in Viscosity so it is not prompted for. This would mean you would be prompted for just the OTP when you connect.

I will make a reply to your git pull as well.

Eric Thorpe
Viscosity Developer

2 posts Page 1 of 1