SOLVED:
Always double-check the API key. For whatever reason the double-click to select all stopped before the last character, possibly due to being = … fixed now!
I enabled YubiKey support today (following the guide on the Pritunl guides page, creating the API key with Yubico) with the idea of using it for our administrator logins. I set up a new administrator user, entered a password, then inserted my YubiKey and, in the field for YubiKey ID, touched the key as directed. The ID field was filled; however, trying to log in to this user account fails and the server log has the following:
[2023-01-26 16:00:15,478][ERROR] Exception on /auth/session [POST]
Traceback (most recent call last):
  File "/usr/lib/pritunl/lib/python3.8/site-packages/flask/app.py", line 2073, in wsgi_app
    response = self.full_dispatch_request()
  File "/usr/lib/pritunl/lib/python3.8/site-packages/flask/app.py", line 1518, in full_dispatch_request
    rv = self.handle_user_exception(e)
  File "/usr/lib/pritunl/lib/python3.8/site-packages/flask/app.py", line 1516, in full_dispatch_request
    rv = self.dispatch_request()
  File "/usr/lib/pritunl/lib/python3.8/site-packages/flask/app.py", line 1502, in dispatch_request
    return self.ensure_sync(self.view_functions[rule.endpoint])(**req.view_args)
  File "/usr/lib/pritunl/lib/python3.8/site-packages/pritunl/auth/app.py", line 26, in _wrapped
    return call(*args, **kwargs)
  File "/usr/lib/pritunl/lib/python3.8/site-packages/pritunl/handlers/auth.py", line 388, in auth_session_post
    if not admin.auth_check(password, otp_code, yubico_key, remote_addr):
  File "/usr/lib/pritunl/lib/python3.8/site-packages/pritunl/auth/administrator.py", line 179, in auth_check
    valid, public_id = sso.auth_yubico(yubico_key)
  File "/usr/lib/pritunl/lib/python3.8/site-packages/pritunl/sso/yubico.py", line 22, in auth_yubico
    client = yubico_client.Yubico(
  File "/usr/lib/pritunl/lib/python3.8/site-packages/yubico_client/yubico.py", line 100, in __init__
    key = base64.b64decode(key.encode('ascii'))
  File "/usr/lib/python3.8/base64.py", line 87, in b64decode
    return binascii.a2b_base64(s)
binascii.Error: Incorrect padding
The ID is captured properly on the administrators setup page per the OTP explained document from YubiKey, and I can confirm the output also falls in line with what is expected in that document.
https://developers.yubico.com/OTP/OTPs_Explained.html
Edit: Adding to this, setting the YubiKey as my auth method for VPN access, downloading the updated profile and trying to connect results in a similar error.
[2023-01-26 16:34:58,700][ERROR] Exception in user authorize
Traceback (most recent call last):
  File "/usr/lib/pritunl/lib/python3.8/site-packages/pritunl/authorizer/authorizer.py", line 163, in _check_call
    func()
  File "/usr/lib/pritunl/lib/python3.8/site-packages/pritunl/authorizer/authorizer.py", line 922, in _check_password
    valid, yubico_id = sso.auth_yubico(yubikey)
  File "/usr/lib/pritunl/lib/python3.8/site-packages/pritunl/sso/yubico.py", line 22, in auth_yubico
    client = yubico_client.Yubico(
  File "/usr/lib/pritunl/lib/python3.8/site-packages/yubico_client/yubico.py", line 100, in __init__
    key = base64.b64decode(key.encode('ascii'))
  File "/usr/lib/python3.8/base64.py", line 87, in b64decode
    return binascii.a2b_base64(s)
binascii.Error: Incorrect padding
Thank you!
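A pre-save check for the pasted Yubico API secret that catches the truncated-key case behind the tracebacks above. This is an added example, not part of the original post and not Pritunl or yubico_client code. The function names are hypothetical, the sample key is constructed, and the 20-byte secret length is an assumption about Yubico-issued keys.

```python
import base64

# Assumption: a Yubico API secret is 20 random bytes, base64-encoded,
# i.e. 28 characters ending in a single "=".
EXPECTED_SECRET_BYTES = 20

# Constructed sample secret (not a real key): base64 of bytes 0..19.
SAMPLE_SECRET = base64.b64encode(bytes(range(20))).decode("ascii")


def client_decode_error(key):
    """Repeat the decode from the traceback (yubico.py line 100).

    Returns the exception message, or None if the key decodes.
    """
    try:
        base64.b64decode(key.encode("ascii"))
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        return str(exc)
    return None


def check_yubico_secret(pasted):
    """Validate a pasted secret before storing it. Returns (ok, reason)."""
    key = pasted.strip()  # copy/paste often adds stray whitespace
    if not key:
        return False, "empty value"
    if len(key) % 4 != 0:
        # A selection that stops before the final "=" lands here.
        return False, "length %d is not a multiple of 4: likely truncated" % len(key)
    try:
        # validate=True rejects characters outside the base64 alphabet
        # instead of silently discarding them.
        raw = base64.b64decode(key.encode("ascii"), validate=True)
    except ValueError as exc:
        return False, "not valid base64: %s" % exc
    if len(raw) != EXPECTED_SECRET_BYTES:
        return False, "decodes to %d bytes, expected %d" % (len(raw), EXPECTED_SECRET_BYTES)
    return True, "ok"


if __name__ == "__main__":
    truncated = SAMPLE_SECRET[:-1]  # what a short selection would paste
    print(client_decode_error(truncated))
    print(check_yubico_secret(truncated))
    print(check_yubico_secret(SAMPLE_SECRET))
```
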