I'm using a two-factor authentication system that integrates with PAM. As a result, the PAM conversations can take anywhere from a few seconds to a minute or longer as PAM waits for the user to acknowledge the token.
I've discovered that OpenVPN locks while the auth is taking place, regardless of the user.
For instance, let's say I have five people connected and a sixth one starts to connect. While the sixth user is in the PAM auth process waiting to acknowledge the token, the remaining users cannot pass traffic. Even the internal management interface hangs... it's just deadlocked.
Has anyone seen this before? I'm running 2.3.2... was this addressed at some point? I can file a bug in Trac but I wanted to toss this out there beforehand.
openvpn-auth-pam.so hangs entire daemon during auth
Re: openvpn-auth-pam.so hangs entire daemon during auth
Hi,
I am like 3 years late to the party, but I have the exact same issue. I can reproduce it easily, and my scenario is the same. Running openvpn 2.3.10.
My PAM call for multi-factor authentication takes a minimum of 10 - 20 seconds, as the user has to react to an application on their mobile phone. When this is going on, openvpn is blocking.
openvpn config for the pam integration:
    plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so openvpn
The script integration:
    sudo cat /etc/pam.d/openvpn
    account required pam_permit.so
    auth required pam_exec.so expose_authtok /path/to/my/authentication_script