Google Authenticator not working with PAM

Post by seby24 » Wed Jun 04, 2014 1:00 am

Hi,

I am trying to use Google Authenticator with PAM (end goal is LDAP/AD) but it always fails with interaction issues between GA and PAM it seems.
GA alone works fine:
auth requisite pam_google_authenticator.so
#auth required pam_unix.so use_first_pass
#@include common-auth

PAM alone works fine:
#auth requisite pam_google_authenticator.so
#auth required pam_unix.so use_first_pass
@include common-auth

I'm using the following:
Ubuntu 12.04 LTS (AWS version)
openvpn-as-2.0.7-Ubuntu12.amd_64.deb
libpam-google-authenticator-1.0-source
I have installed libpam0g-dev libqrencode3 libpam0g

When I compiled google-authenticator, I added the following to the Makefile:
LDFLAGS="-lpam"

I added the following to as.conf:
plugin /usr/lib/openvpn/openvpn-auth-pam.so /etc/pam.d/openvpnas

auth requisite pam_google_authenticator.so forward_pass
auth required pam_unix.so use_first_pass (with or without use_first_pass)
#@include common-auth

I have left the rest of the openvpnas pam file unchanged (I did not comment out the other @)

When I put the right password+PIN (on the WebUI admin):
Jun 4 00:38:03 amsterdam python: pam_unix(openvpnas:auth): authentication failure; logname= uid=0 euid=0 tty= ruser=test-aws rhost=127.0.0.1 user=test-aws

When I put the wrong PIN (on the WebUI admin):
Jun 4 00:40:17 amsterdam openvpnas(pam_google_authenticator)[4553]: Invalid verification code

When I use the OpenVPN client with "static-challenge "Enter Google Authenticator Code" 1" I get:
Jun 4 00:54:16 amsterdam openvpnas(pam_google_authenticator)[4943]: Invalid verification code

When I don't use the verification code box:
Jun 4 00:56:10 amsterdam openvpnas(pam_google_authenticator)[4943]: Invalid verification code (auth requisite pam_google_authenticator.so)
Jun 4 00:56:51 amsterdam python: pam_unix(openvpnas:auth): authentication failure; logname= uid=0 euid=0 tty= ruser=test-aws rhost=127.0.0.1 user=test-aws (auth requisite pam_google_authenticator.so forward_pass)

I also get some logs in /var/log/openvpnas.log:
2014-06-04 00:58:10+0000 [-] VPN Auth Failed: 'PAM auth failed: Cannot make/remove an entry for the specified session' [None]
2014-06-04 00:58:10+0000 [-] OVPN 1 OUT: 'Wed Jun 4 00:58:10 2014 MANAGEMENT: CMD \'client-deny 0 0 "AS auth failed"\''
2014-06-04 00:58:10+0000 [-] OVPN 1 OUT: 'Wed Jun 4 00:58:10 2014 MULTI: connection rejected: AS auth failed, CLI:[NULL]'
2014-06-04 00:58:12+0000 [-] OVPN 1 OUT: 'Wed Jun 4 00:58:12 2014 203.145.33.70:10225 Delayed exit in 5 seconds'
2014-06-04 00:58:12+0000 [-] OVPN 1 OUT: "Wed Jun 4 00:58:12 2014 203.145.33.70:10225 SENT CONTROL [test-aws]: 'AUTH_FAILED' (status=1)"
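The two-module stack from the post above (pam_google_authenticator with forward_pass, then pam_unix with use_first_pass), as an added example that is not part of the original post. It is a simplified Python model of the module's documented forward_pass behaviour (trailing six digits are the code, the remainder is handed to the next module); the secret, password and ±1 step window are constructed assumptions, and it does not reproduce how OpenVPN AS drives PAM.

```python
import base64
import hashlib
import hmac
import struct

# Constructed test secret (the RFC 6238 appendix B seed), not from the thread.
SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()

def totp(secret_b32, unix_time, step=30, digits=6):
    """RFC 6238 TOTP with HMAC-SHA1, the algorithm Google Authenticator uses."""
    key = base64.b32decode(secret_b32)
    counter = struct.pack(">Q", max(0, int(unix_time)) // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def split_forward_pass(entered, digits=6):
    """forward_pass: trailing digits are the code, the rest goes to the next module."""
    if len(entered) <= digits or not entered[-digits:].isdigit():
        return None
    return entered[:-digits], entered[-digits:]

def _same(a, b):
    # Constant-time comparison of two strings.
    return hmac.compare_digest(a.encode(), b.encode())

def run_stack(entered, secret_b32, unix_password, now, window=1):
    """Model: pam_google_authenticator forward_pass, then pam_unix use_first_pass."""
    parts = split_forward_pass(entered)
    if parts is None:
        return "pam_google_authenticator: Invalid verification code"
    password, code = parts
    accepted = [totp(secret_b32, now + d * 30) for d in range(-window, window + 1)]
    if not any(_same(code, c) for c in accepted):
        return "pam_google_authenticator: Invalid verification code"
    # Stand-in for pam_unix, which really checks the password hash in /etc/shadow.
    if not _same(password, unix_password):
        return "pam_unix: authentication failure"
    return "success"
```

In this model a correct code with a wrong password part surfaces as a pam_unix failure, while a missing or wrong code never reaches pam_unix at all, which is the same split the two syslog messages in the post show.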

Re: Google Authenticator not working with PAM

Post by seby24 » Wed Jun 04, 2014 1:40 am

Just to add that GA works fine with sshd.

Re: Google Authenticator not working with PAM

Post by seby24 » Wed Jun 04, 2014 4:12 am

Alright, I started over with a new VM.
It still isn't working, but I can now use PASSWORD+PIN to log onto the WebUI. However, when I try to use the OpenVPN client it says:

2014-06-04 04:04:36+0000 [-] OVPN 1 OUT: 'Wed Jun 4 04:04:36 2014 MULTI: connection rejected: AS auth failed, CLI:Google Authenticator must be set up for VPN access'

New /etc/pam.d/openvpnas:

auth required pam_google_authenticator.so forward_pass
auth required pam_unix.so use_first_pass

All @ are commented out

/usr/local/openvpn_as/etc/as.conf includes:

plugin /usr/lib/openvpn/openvpn-auth-pam.so /etc/pam.d/openvpnas

root@prague:/usr/local/openvpn_as/scripts# ./confdba -us
{
  "__DEFAULT__": {
    "def_deny": "false",
    "prop_autogenerate": "true",
    "type": "user_default"
  },
  "test-aws": {
    "prop_superuser": "true",
    "type": "user_compile"
  },
  "test-aws-admin": {
    "prop_google_auth": "false",
    "prop_superuser": "true",
    "type": "user_compile"
  }
}

Re: Google Authenticator not working with PAM

Post by dodfr » Wed Jul 29, 2015 9:39 pm

Hello,

I have the same problem. I installed a fresh OpenVPN AS virtual image (VMware), added a new user, and tried the VPN with the auto-generated CERT+PASS .ovpn config file from OpenVPN GUI; all was fine.

Then I activated GA and retrieved the QR code to GA on Android. Web UI + GA access then worked fine, but there is no way to connect through OpenVPN GUI using pass+6digit.

I always get something like:

2015-07-29 23:27:48+0200 [-] VPN Auth Failed: 'PAM auth failed: Authentication failure' [None]
2015-07-29 23:27:48+0200 [-] OVPN 2 OUT: 'Wed Jul 29 21:27:48 2015 MANAGEMENT: CMD \'client-deny 0 0 "AS auth failed"\''

and auth.log shows no more than a failed login line:

Jul 29 23:27:48 localhost python: pam_unix(openvpnas:auth): authentication failure; ....

Is there something missing when using PAM?

Regards.

Re: Google Authenticator not working with PAM

Post by dodfr » Thu Jul 30, 2015 8:02 pm

Hello,

(Apparently my first post did not appear in this thread, so I am reposting.)

I do have the same problem: I installed the OpenVPN AS VMware image, added a new PAM user, got the prebuilt .ovpn, and added it to OpenVPN GUI, all fine.

I activated Google Authenticator, installed Android GA, retrieved the key for my new user PAM account, and could log in to the Web UI using the GA code, all fine also.

But I cannot connect through OpenVPN using my pass+6DigitsGA :-(

Any idea? I thought OpenVPN AS was fully GA compatible? Does it have something to do with PAM?

Log extract:

2015-07-30 21:49:42+0200 [-] OVPN 2 OUT: 'Thu Jul 30 19:49:42 2015 xx.xx.xx.xx:50704 [dodvpn] Peer Connection Initiated with [AF_INET]xx.xx.xx.xx:50704'
2015-07-30 21:49:42+0200 [-] VPN Auth Failed: 'PAM auth failed: Authentication failure' [None]
2015-07-30 21:49:42+0200 [-] OVPN 2 OUT: 'Thu Jul 30 19:49:42 2015 MANAGEMENT: CMD \'client-deny 3 0 "AS auth failed"\''
2015-07-30 21:49:42+0200 [-] OVPN 2 OUT: 'Thu Jul 30 19:49:42 2015 MULTI: connection rejected: AS auth failed, CLI:[NULL]'
2015-07-30 21:49:45+0200 [-] OVPN 2 OUT: 'Thu Jul 30 19:49:45 2015 xx.xx.xx.xx:50704 Delayed exit in 5 seconds'
2015-07-30 21:49:45+0200 [-] OVPN 2 OUT: "Thu Jul 30 19:49:45 2015 xx.xx.xx.xx:50704 SENT CONTROL [user1]: 'AUTH_FAILED' (status=1)"

Regards.
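A small triage helper for the log messages quoted across this thread, as an added example that is not part of any post. It labels each auth.log or openvpnas.log line with the stage that rejected the login; the stage names are assumptions chosen here, and the sample lines are copied from the posts above.

```python
import re
from collections import Counter

# (stage label, pattern) pairs; labels are hypothetical names chosen for this example.
STAGES = [
    # TOTP module rejected the code before the password was ever checked.
    ("totp_rejected", re.compile(r"\(pam_google_authenticator\)\[\d+\]: Invalid verification code")),
    # Code stage passed (or was absent); pam_unix rejected what it was given.
    ("password_rejected", re.compile(r"pam_unix\(openvpnas:auth\): authentication failure")),
    # Access Server's own check: the user has no GA enrolment for VPN access.
    ("ga_not_enrolled", re.compile(r"Google Authenticator must be set up for VPN access")),
    # PAM_SESSION_ERR text: the failure is in session handling, not credentials.
    ("pam_session_error", re.compile(r"PAM auth failed: Cannot make/remove an entry")),
    # PAM_AUTH_ERR text: generic, needs the matching auth.log line to localise.
    ("pam_auth_error", re.compile(r"PAM auth failed: Authentication failure")),
]
RUSER = re.compile(r"\bruser=(\S+)")

def classify(line):
    """Return (stage, user or None) for a recognised line, else None."""
    for stage, pattern in STAGES:
        if pattern.search(line):
            user = RUSER.search(line)
            return stage, (user.group(1) if user else None)
    return None

def triage(text):
    """Classify every line; return per-stage counts and the ordered hits."""
    hits = [hit for hit in map(classify, text.splitlines()) if hit]
    return Counter(stage for stage, _ in hits), hits

# Sample input: lines quoted in the thread above.
SAMPLE = r"""
Jun 4 00:38:03 amsterdam python: pam_unix(openvpnas:auth): authentication failure; logname= uid=0 euid=0 tty= ruser=test-aws rhost=127.0.0.1 user=test-aws
Jun 4 00:40:17 amsterdam openvpnas(pam_google_authenticator)[4553]: Invalid verification code
2014-06-04 00:58:10+0000 [-] VPN Auth Failed: 'PAM auth failed: Cannot make/remove an entry for the specified session' [None]
2014-06-04 04:04:36+0000 [-] OVPN 1 OUT: 'Wed Jun 4 04:04:36 2014 MULTI: connection rejected: AS auth failed, CLI:Google Authenticator must be set up for VPN access'
2015-07-29 23:27:48+0200 [-] VPN Auth Failed: 'PAM auth failed: Authentication failure' [None]
2015-07-30 21:49:45+0200 [-] OVPN 2 OUT: 'Thu Jul 30 19:49:45 2015 xx.xx.xx.xx:50704 Delayed exit in 5 seconds'
"""

if __name__ == "__main__":
    counts, hits = triage(SAMPLE)
    for stage, user in hits:
        print(f"{stage:18} user={user}")
```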
