Hi,
I am trying to use Google Authenticator with PAM (end goal is LDAP/AD) but it always fails with interaction issues between GA and PAM it seems.
GA alone works fine
auth requisite pam_google_authenticator.so
#auth required pam_unix.so use_first_pass
#@include common-auth
PAM alone works fine
#auth requisite pam_google_authenticator.so
#auth required pam_unix.so use_first_pass
@include common-auth
I'm using the following:
Ubuntu 12.04 LTS (AWS version)
openvpn-as-2.0.7-Ubuntu12.amd_64.deb
libpam-google-authenticator-1.0-source
I have installed libpam0g-dev libqrencode3 libpam0g
when I compiled google-authenticator I added the following to Makefile
LDFLAGS="-lpam"
I added the following to as.conf
plugin /usr/lib/openvpn/openvpn-auth-pam.so /etc/pam.d/openvpnas
auth requisite pam_google_authenticator.so forward_pass
auth required pam_unix.so use_first_pass (with or without use_first_pass)
#@include common-auth
I have left the rest of the openvpnas pam file unchanged (I did not comment out the other @)
when I put the right password+PIN (on the WebUI admin)
Jun 4 00:38:03 amsterdam python: pam_unix(openvpnas:auth): authentication failure; logname= uid=0 euid=0 tty= ruser=test-aws rhost=127.0.0.1 user=test-aws
when I put the wrong PIN (on the WebUI admin)
Jun 4 00:40:17 amsterdam openvpnas(pam_google_authenticator)[4553]: Invalid verification code
When I use the openVPN client with "static-challenge "Enter Google Authenticator Code" 1" I get
Jun 4 00:54:16 amsterdam openvpnas(pam_google_authenticator)[4943]: Invalid verification code
When I don't use the verification code box
Jun 4 00:56:10 amsterdam openvpnas(pam_google_authenticator)[4943]: Invalid verification code (auth requisite pam_google_authenticator.so)
Jun 4 00:56:51 amsterdam python: pam_unix(openvpnas:auth): authentication failure; logname= uid=0 euid=0 tty= ruser=test-aws rhost=127.0.0.1 user=test-aws (auth requisite pam_google_authenticator.so forward_pass)
I also get some logs in /var/log/openvpnas.log
2014-06-04 00:58:10+0000 [-] VPN Auth Failed: 'PAM auth failed: Cannot make/remove an entry for the specified session' [None]
2014-06-04 00:58:10+0000 [-] OVPN 1 OUT: 'Wed Jun 4 00:58:10 2014 MANAGEMENT: CMD \'client-deny 0 0 "AS auth failed"\''
2014-06-04 00:58:10+0000 [-] OVPN 1 OUT: 'Wed Jun 4 00:58:10 2014 MULTI: connection rejected: AS auth failed, CLI:[NULL]'
2014-06-04 00:58:12+0000 [-] OVPN 1 OUT: 'Wed Jun 4 00:58:12 2014 203.145.33.70:10225 Delayed exit in 5 seconds'
2014-06-04 00:58:12+0000 [-] OVPN 1 OUT: "Wed Jun 4 00:58:12 2014 203.145.33.70:10225 SENT CONTROL [test-aws]: 'AUTH_FAILED' (status=1)"
Google Authenticator not working with PAM
- OpenVpn Newbie
- Posts: 4
- Joined: Fri May 16, 2014 5:21 am
- OpenVpn Newbie
- Posts: 4
- Joined: Fri May 16, 2014 5:21 am
Re: Google Authenticator not working with PAM
just to add that GA works fine with sshd
- OpenVpn Newbie
- Posts: 4
- Joined: Fri May 16, 2014 5:21 am
Re: Google Authenticator not working with PAM
alright, I started over with a new VM.
it still isn't working but I can now use PASSWORD+PIN to log onto the WebUI, however when I try to use the openVPN client it says:
2014-06-04 04:04:36+0000 [-] OVPN 1 OUT: 'Wed Jun 4 04:04:36 2014 MULTI: connection rejected: AS auth failed, CLI:Google Authenticator must be set up for VPN access'
new /etc/pam.d/openvpnas
auth required pam_google_authenticator.so forward_pass
auth required pam_unix.so use_first_pass
All @ are commented out
/usr/local/openvpn_as/etc/as.conf includes
plugin /usr/lib/openvpn/openvpn-auth-pam.so /etc/pam.d/openvpnas
root@prague:/usr/local/openvpn_as/scripts# ./confdba -us
{
  "__DEFAULT__": {
    "def_deny": "false",
    "prop_autogenerate": "true",
    "type": "user_default"
  },
  "test-aws": {
    "prop_superuser": "true",
    "type": "user_compile"
  },
  "test-aws-admin": {
    "prop_google_auth": "false",
    "prop_superuser": "true",
    "type": "user_compile"
  }
}
- OpenVpn Newbie
- Posts: 2
- Joined: Wed Jul 29, 2015 9:18 pm
Re: Google Authenticator not working with PAM
Hello,
I have the same problem. I installed a fresh OpenVPN AS virtual image (VMWare), added a new user, and tried VPN with the auto-generated CERT+PASS .ovpn config file from OpenVPN GUI; all was fine.
Then I activated GA, I retrieved QR Code to GA Android, then Web UI + GA access worked fine but no way to connect thru OpenVPN GUI using pass+6digit
always get something like :
2015-07-29 23:27:48+0200 [-] VPN Auth Failed: 'PAM auth failed: Authentication failure' [None]
2015-07-29 23:27:48+0200 [-] OVPN 2 OUT: 'Wed Jul 29 21:27:48 2015 MANAGEMENT: CMD \'client-deny 0 0 "AS auth failed"\''
and auth.log shows no more than a failed login line
Jul 29 23:27:48 localhost python: pam_unix(openvpnas:auth): authentication failure; ....
Is there something missing when using PAM?
regards.
- OpenVpn Newbie
- Posts: 2
- Joined: Wed Jul 29, 2015 9:18 pm
Re: Google Authenticator not working with PAM
Hello,
(apparently my first post did not appear in this thread so I repost)
I do have the same problem. I installed the OpenVPN AS VMWare image, added a new PAM user, got the prebuilt .ovpn, and added it to OpenVPN GUI, all fine.
I activated Google Authenticator, installed Android GA, retrieved the key for my new user PAM account, could login into WEB UI using GA code all fine also.
but I cannot connect thru OpenVPN using my pass+6DigitsGA
Any idea? I thought OpenVPN AS was fully GA compatible? Has it something to do with PAM?
Log extract :
2015-07-30 21:49:42+0200 [-] OVPN 2 OUT: 'Thu Jul 30 19:49:42 2015 xx.xx.xx.xx:50704 [dodvpn] Peer Connection Initiated with [AF_INET]xx.xx.xx.xx:50704'
2015-07-30 21:49:42+0200 [-] VPN Auth Failed: 'PAM auth failed: Authentication failure' [None]
2015-07-30 21:49:42+0200 [-] OVPN 2 OUT: 'Thu Jul 30 19:49:42 2015 MANAGEMENT: CMD \'client-deny 3 0 "AS auth failed"\''
2015-07-30 21:49:42+0200 [-] OVPN 2 OUT: 'Thu Jul 30 19:49:42 2015 MULTI: connection rejected: AS auth failed, CLI:[NULL]'
2015-07-30 21:49:45+0200 [-] OVPN 2 OUT: 'Thu Jul 30 19:49:45 2015 xx.xx.xx.xx:50704 Delayed exit in 5 seconds'
2015-07-30 21:49:45+0200 [-] OVPN 2 OUT: "Thu Jul 30 19:49:45 2015 xx.xx.xx.xx:50704 SENT CONTROL [user1]: 'AUTH_FAILED' (status=1)"
regards.