Page 1 of 1

--auth-user-pass-verify is external command under chroot

Posted: Tue Dec 27, 2016 6:05 am
by cd_open_vpn
Hellow !!!

I am trying to chroot my openvpn server. My server uses --auth-user-pass-verify to username/password of clients via-file. Below is the config file of server

############################################################
# Basic VPN Settings
############################################################
local 10.1.1.98
port 443
proto tcp-server
dev tun
server 192.168.5.128 255.255.255.128

############################################################
#Certificate and keys n Security Perameters
############################################################
ca client-ca.crt
cert IGW.crt
key IGW.key
dh dh2048.pem
crl-verify crl.pem
tls-auth ta.key 0

cipher AES-256-CBC
auth SHA512

max-clients 12
persist-key
persist-tun
keepalive 10 60

push "route 192.168.5.0 255.255.255.128"
#push "redirect-gateway def1"

topology subnet
user nobody
group nobody
#########################################################
# Username Password Authentication Binded with certificate
#########################################################

script-security 2
--auth-user-pass-verify auth_user_pass.sh via-file

#########################################################
# Daemon mode, Logging and Status
#########################################################
verb 3
# verb 5 6 11
chroot /etc/openvpn/jail
daemon
log-append /var/log/openvpn.log
status /var/log/openvpn.status
#########################################################

All the certificates, keys & config file are located in /etc/openvpn. Jail folder contains crl.pem & tmp. The script for --auth-user-pass-verify has been places both in /etc/openvpn & /etc/openvpn/jail . When I use the following comman

#openvpn --config /etc/openvepn/server.conf start

I could see that the server is starting without any trouble. Log file entry is below

Tue Dec 27 11:53:47 2016 us=114888 /usr/sbin/ip link set dev tun0 up mtu 1500
Tue Dec 27 11:53:47 2016 us=120828 /usr/sbin/ip addr add dev tun0 192.168.5.129/25 broadcast 192.168.5.255
Tue Dec 27 11:53:47 2016 us=130787 Data Channel MTU parms [ L:1603 D:1450 EF:103 EB:12 ET:0 EL:3 ]
Tue Dec 27 06:23:47 2016 us=131362 chroot to '/etc/openvpn/' and cd to '/' succeeded
Tue Dec 27 06:23:47 2016 us=131385 GID set to nobody
Tue Dec 27 06:23:47 2016 us=131397 UID set to nobody
Tue Dec 27 06:23:47 2016 us=131412 Listening for incoming TCP connection on [AF_INET]10.1.1.98:443
Tue Dec 27 06:23:47 2016 us=131428 TCPv4_SERVER link local (bound): [AF_INET]10.1.1.98:443
Tue Dec 27 06:23:47 2016 us=131436 TCPv4_SERVER link remote: [undef]
Tue Dec 27 06:23:47 2016 us=131449 MULTI: multi_init called, r=256 v=256
Tue Dec 27 06:23:47 2016 us=131476 IFCONFIG POOL: base=192.168.5.130 size=124, ipv6=0
Tue Dec 27 06:23:47 2016 us=131489 MULTI: TCP INIT maxclients=12 maxevents=16
Tue Dec 27 06:23:47 2016 us=131514 Initialization Sequence Completed

But when I try to connect using a client to the server, I am seeing the following error in server log

Tue Dec 27 06:23:49 2016 us=423064 10.1.1.180:1415 CRL CHECK OK: C=IN, ST=TN, L=KP, O=IGR, OU=DE, CN=CA-Client, name=CA-Client
Tue Dec 27 06:23:49 2016 us=423108 10.1.1.180:1415 VERIFY OK: depth=1, C=IN, ST=TN, L=KP, O=IGR, OU=DE, CN=CA-Client, name=CA-Client
Tue Dec 27 06:23:49 2016 us=423331 10.1.1.180:1415 CRL CHECK OK: C=IN, ST=TN, L=KP, O=IGR, OU=DE, CN=Test_Jail, name=pk, emailAddress=prasanth@igr.gin
Tue Dec 27 06:23:49 2016 us=423351 10.1.1.180:1415 VERIFY OK: depth=0, C=IN, ST=TN, L=KP, O=IGR, OU=DE, CN=Test_Jail, name=pk, emailAddress=prasanth@igr.gin
Tue Dec 27 06:23:49 2016 us=637471 10.1.1.180:1415 WARNING: Failed running command (--auth-user-pass-verify): could not execute external program
Tue Dec 27 06:23:49 2016 us=637514 10.1.1.180:1415 TLS Auth Error: Auth Username/Password verification failed for peer

Right now I am clueless ... any help is appreciated.

Re: --auth-user-pass-verify is external command under chroot

Posted: Tue Dec 27, 2016 11:13 am
by TinCanTech
Have you set the execute bit on the script file ?

Re: --auth-user-pass-verify is external command under chroot

Posted: Tue Dec 27, 2016 11:35 am
by cd_open_vpn
TinCanTech wrote:Have you set the execute bit on the script file ?
Yes !!! the script is working without any problem if chroot option is disabled

Re: --auth-user-pass-verify is external command under chroot

Posted: Tue Dec 27, 2016 8:56 pm
by TinCanTech
cd_open_vpn wrote:I could see that the server is starting without any trouble. Log file entry is below

Tue Dec 27 06:23:47 2016 us=131362 chroot to '/etc/openvpn/' and cd to '/' succeeded
You understand what that means ?

Re: --auth-user-pass-verify is external command under chroot

Posted: Tue Dec 27, 2016 9:29 pm
by dazo
First of all ... /etc/openvpn is not a proper place to chroot into. Normally you should chroot into a directory you've created, most commonly a subdirectory under /var/lib, /var/run, /srv or somewhere where your distribution/OS prefers this to happen. Some distros even have /chroot.

Secondly, this behaviour is expected. When you use --auth-user-pass-verify, it will spawn a shell or a process. This script (and shell) or the binary executable which OpenVPN will start must be found inside the chroot. So, if you use

Code: Select all

--chroot /var/lib/openvpn --auth-user-pass-verify /bin/authenticate-user.sh
Then the authenticate-user.sh must be located under /var/lib/openvpn/bin. But! All the library dependencies your shell/binary executable depends on must also be found inside the chroot. So for bash, that will require at least these files:

Code: Select all

$ ldd $(which bash)
	linux-vdso.so.1 =>  (0x00007fffa07ed000)
	libtinfo.so.5 => /lib64/libtinfo.so.5 (0x00007f95ed42e000)
	libdl.so.2 => /lib64/libdl.so.2 (0x00007f95ed22a000)
	libc.so.6 => /lib64/libc.so.6 (0x00007f95ece68000)
	/lib64/ld-linux-x86-64.so.2 (0x00007f95ed67a000)
So you need /var/lib/openvpn/lib64 and it must contain a copy of /lib64/libtinfo.so.5, /lib64/libdl.so.2, /lib64/libc.so.6 and /lib64/ld-linux-x86-64.so.2. By the way, what you will need, will probably differ unless you use the same distribution as I do. But ... also this is often not enough, as you may need to have ldconfig inside the chroot, including /etc/ld.so.conf ... and you probably need to execute ldconfig inside the chroot to have everything setup for the dynamic shared object loader. And then your authentication script might work.

As you see, this gets quickly fairly complicated. And don't get me started on needed dependencies if you use a Perl or Python script. Which is also why it is recommended to use --plugin instead when wanting --chroot. When using --plugin, it is loaded (including all it's shared object dependencies) before the chroot() happens, so everything needed will be in memory during the lifetime of the OpenVPN process.

Re: --auth-user-pass-verify is external command under chroot

Posted: Wed Dec 28, 2016 3:18 am
by cd_open_vpn
dazo wrote:First of all ... /etc/openvpn is not a proper place to chroot into. Normally you should chroot into a directory you've created, most commonly a subdirectory under /var/lib, /var/run, /srv or somewhere where your distribution/OS prefers this to happen. Some distros even have /chroot.

Secondly, this behaviour is expected. When you use --auth-user-pass-verify, it will spawn a shell or a process. This script (and shell) or the binary executable which OpenVPN will start must be found inside the chroot. So, if you use

Code: Select all

--chroot /var/lib/openvpn --auth-user-pass-verify /bin/authenticate-user.sh
Then the authenticate-user.sh must be located under /var/lib/openvpn/bin. But! All the library dependencies your shell/binary executable depends on must also be found inside the chroot. So for bash, that will require at least these files:

Code: Select all

$ ldd $(which bash)
	linux-vdso.so.1 =>  (0x00007fffa07ed000)
	libtinfo.so.5 => /lib64/libtinfo.so.5 (0x00007f95ed42e000)
	libdl.so.2 => /lib64/libdl.so.2 (0x00007f95ed22a000)
	libc.so.6 => /lib64/libc.so.6 (0x00007f95ece68000)
	/lib64/ld-linux-x86-64.so.2 (0x00007f95ed67a000)
So you need /var/lib/openvpn/lib64 and it must contain a copy of /lib64/libtinfo.so.5, /lib64/libdl.so.2, /lib64/libc.so.6 and /lib64/ld-linux-x86-64.so.2. By the way, what you will need, will probably differ unless you use the same distribution as I do. But ... also this is often not enough, as you may need to have ldconfig inside the chroot, including /etc/ld.so.conf ... and you probably need to execute ldconfig inside the chroot to have everything setup for the dynamic shared object loader. And then your authentication script might work.

As you see, this gets quickly fairly complicated. And don't get me started on needed dependencies if you use a Perl or Python script. Which is also why it is recommended to use --plugin instead when wanting --chroot. When using --plugin, it is loaded (including all it's shared object dependencies) before the chroot() happens, so everything needed will be in memory during the lifetime of the OpenVPN process.
Thanks a lot I will try your suggestion !!!!!

Re: --auth-user-pass-verify is external command under chroot

Posted: Fri Dec 30, 2016 9:38 am
by cd_open_vpn
dazo wrote:First of all ... /etc/openvpn is not a proper place to chroot into. Normally you should chroot into a directory you've created, most commonly a subdirectory under /var/lib, /var/run, /srv or somewhere where your distribution/OS prefers this to happen. Some distros even have /chroot.

Secondly, this behaviour is expected. When you use --auth-user-pass-verify, it will spawn a shell or a process. This script (and shell) or the binary executable which OpenVPN will start must be found inside the chroot. So, if you use

Code: Select all

--chroot /var/lib/openvpn --auth-user-pass-verify /bin/authenticate-user.sh
Then the authenticate-user.sh must be located under /var/lib/openvpn/bin. But! All the library dependencies your shell/binary executable depends on must also be found inside the chroot. So for bash, that will require at least these files:

Code: Select all

$ ldd $(which bash)
	linux-vdso.so.1 =>  (0x00007fffa07ed000)
	libtinfo.so.5 => /lib64/libtinfo.so.5 (0x00007f95ed42e000)
	libdl.so.2 => /lib64/libdl.so.2 (0x00007f95ed22a000)
	libc.so.6 => /lib64/libc.so.6 (0x00007f95ece68000)
	/lib64/ld-linux-x86-64.so.2 (0x00007f95ed67a000)
So you need /var/lib/openvpn/lib64 and it must contain a copy of /lib64/libtinfo.so.5, /lib64/libdl.so.2, /lib64/libc.so.6 and /lib64/ld-linux-x86-64.so.2. By the way, what you will need, will probably differ unless you use the same distribution as I do. But ... also this is often not enough, as you may need to have ldconfig inside the chroot, including /etc/ld.so.conf ... and you probably need to execute ldconfig inside the chroot to have everything setup for the dynamic shared object loader. And then your authentication script might work.

As you see, this gets quickly fairly complicated. And don't get me started on needed dependencies if you use a Perl or Python script. Which is also why it is recommended to use --plugin instead when wanting --chroot. When using --plugin, it is loaded (including all it's shared object dependencies) before the chroot() happens, so everything needed will be in memory during the lifetime of the OpenVPN process.
I have chaged --auth-user-pass-verify to plugin ... now my server is able to authenticate users with chroot option ...... thanks a lot