
The instructions provided by Yubico for integrating two-factor auth with OpenVPN lack a PAM configuration for Debian-based systems. The following configuration file (/etc/pam.d/openvpn) worked for me:

auth required pam_yubico.so authfile=/path/to/yubikeys id=22010 debug
auth required pam_unix.so try_first_pass debug shadow nodelay
account required pam_unix.so
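
The file named by authfile= maps each username to the YubiKey token IDs allowed for that user, one `user:token_id[:token_id...]` entry per line. The following check for that file is an added example, not part of the original post or of Yubico's instructions; it assumes the default 12-character token ID, and the function names and sample data are constructed for illustration.

```python
import re

MODHEX = "cbdefghijklnrtuv"  # alphabet YubiKey OTPs are encoded in
ID_LEN = 12                  # assumption: pam_yubico's default token ID length
TOKEN_ID_RE = re.compile(rf"^[{MODHEX}]{{{ID_LEN}}}$")
OTP_RE = re.compile(rf"^[{MODHEX}]{{44}}$")

def parse_authfile(text):
    """Parse 'user:token_id[:token_id...]' lines into ({user: [ids]}, [errors])."""
    mapping, errors = {}, []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):  # blank and comment lines skipped here
            continue
        user, *ids = line.split(":")
        if not user or not ids:
            errors.append(f"line {n}: expected user:token_id[:token_id...]")
            continue
        bad = [i for i in ids if not TOKEN_ID_RE.match(i)]
        if bad:
            errors.append(f"line {n}: not a {ID_LEN}-char modhex ID: {bad}")
            continue
        mapping.setdefault(user, []).extend(ids)
    return mapping, errors

def otp_allowed(mapping, user, otp):
    """True if the OTP is well formed and its ID prefix is listed for the user."""
    return bool(OTP_RE.match(otp)) and otp[:ID_LEN] in mapping.get(user, [])

# Constructed sample data (not real keys or OTPs).
SAMPLE_OTP = "cccccccfhcbe" + "bdefghijklnrtuvc" * 2
SAMPLE_AUTHFILE = f"""# constructed sample
alice:cccccccfhcbe:ccccccdefghi
bob:{SAMPLE_OTP}
carol
"""

if __name__ == "__main__":
    mapping, errors = parse_authfile(SAMPLE_AUTHFILE)
    print(mapping)
    for e in errors:
        print("ERROR", e)
    print("alice OTP accepted:", otp_allowed(mapping, "alice", SAMPLE_OTP))
```

This only checks the local user-to-key mapping: it catches a full OTP pasted where the 12-character ID belongs, or a user with no key listed. Whether an OTP is actually valid is still decided by the validation service that pam_yubico contacts.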