pam authentication

fthomas
OpenVpn Newbie
Posts: 3
Joined: Wed Apr 26, 2017 6:55 am

pam authentication

Post by fthomas » Sun Apr 30, 2017 7:43 am

Dear all,

This might be off topic, since strictly speaking it is not about the OpenVPN server but rather about how the authentication should happen via PAM.
The reason I'm posting here is that I've built the server myself (2.4.1) rather than using the one that is packaged with my OS (Ubuntu Xenial).

In a nutshell:
My OS: Ubuntu Xenial x86_64
OpenVPN 2.4.1, which I've configured with: ./configure --prefix=/opt/openvpn-2.4.1 --enable-systemd --enable-plugin-auth-pam
My server.conf:

Code:

port 1194
proto udp4
dev tun
ca /opt/openvpn-2.4.1/etc/ssl/ca.cer
cert /opt/openvpn-2.4.1/etc/ssl/inter.cer
key /opt/openvpn-2.4.1/etc/ssl/inter.prv.key  # This file should be kept secret
dh /opt/openvpn/etc/ssl/dh2048.pem
server 10.18.18.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
cipher AES-128-CBC
persist-key
persist-tun
comp-lzo
explicit-exit-notify 1
user vpnd
group nogroup
plugin /opt/openvpn/lib/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn
client-cert-not-required
verb 256
status	/opt/openvpn/log/status.log
log	/opt/openvpn/log/server.log

My OpenVPN PAM config (/etc/pam.d/openvpn):

Code:

auth    required        pam_permit.so
account required      pam_permit.so

Now, of course I understand that there is not much authentication involved in this setup, but the weird thing is that even like this, when I try to connect to the server I get "AUTH: Received control message: AUTH_FAILED", so I must be doing something fundamentally wrong.

My connection command:

Code:

sudo /usr/sbin/openvpn --verb 3 --remote myserv --comp-lzo --dev tun --auth-user-pass --cipher AES-128-CBC --client --ca /home/thf/temp/certs/ca.cer

Of course I've also tried with pam_unix but I got the same result (even after providing a username & password that works for ssh).

Can anybody give me a hint?

TiTex
OpenVPN Super User
Posts: 310
Joined: Tue Apr 12, 2011 6:22 am

Re: pam authentication

Post by TiTex » Sun Apr 30, 2017 9:28 am

fthomas wrote:

Code:

auth    required        pam_permit.so
account required      pam_permit.so

Why would you want to do that?
In any case, you'll need to include the session group too, and even so I'm not sure it will work with openvpn.

Code:

auth    required        pam_permit.so
account required      pam_permit.so
session required pam_permit.so

fthomas
OpenVpn Newbie
Posts: 3
Joined: Wed Apr 26, 2017 6:55 am

Re: pam authentication

Post by fthomas » Sun Apr 30, 2017 11:21 am

Indeed, you've got a point; not much authentication in that. I just wanted to have a baseline environment working. From there I intend to work my way up to LDAP authentication.

Anyway, the point is that even with this setup (all services with pam_permit) I still get "AUTH_FAILED".
Shouldn't this be working, no matter what username & password I provide?

Alternatively, can you suggest the simplest PAM setup based on pam_unix (so that username/password would be taken into account)?

TiTex
OpenVPN Super User
Posts: 310
Joined: Tue Apr 12, 2011 6:22 am

Re: pam authentication

Post by TiTex » Sun Apr 30, 2017 12:11 pm

You need a valid user account; you can use the 'login' service/file as a template if you want PAM authentication.
You can also set up PAM to get user accounts from LDAP and still use the openvpn pam module for authentication, but first I suggest reading more about PAM, then checking out Ubuntu's documentation about setting up LDAP authentication with pam modules, and adapting it to the openvpn service.

TiTex
OpenVPN Super User
Posts: 310
Joined: Tue Apr 12, 2011 6:22 am

Re: pam authentication

Post by TiTex » Sun Apr 30, 2017 1:57 pm

It turns out that you don't need the session group or a valid username for pam_permit with openvpn, that's strange.
Anyhow, it seems you're doing something wrong.

Configs used with CentOS 7 (openvpn 2.4.1) server and Windows client.
Server config:

Code:

dev tun
proto udp
port 1194
topology subnet
server 10.11.11.0 255.255.255.0
keepalive 10 60
persist-tun
persist-key
log-append server.log
verb 7
ca ca.crt
cert server.crt
key server.key
dh dh.pem
verify-client-cert none
username-as-common-name

plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn

/etc/pam.d/openvpn - DO NOT USE THIS IN A LIVE SERVER

Code:

auth    required        pam_permit.so
account required      pam_permit.so

Client config:

Code:

client
dev tun
proto udp
remote remote-ip 1194
resolv-retry infinite
nobind
persist-key
persist-tun
auth-user-pass
ca ca.crt

Code:

AUTH-PAM: BACKGROUND: received command code: 0
AUTH-PAM: BACKGROUND: USER: sdfds
PLUGIN_CALL: POST /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=0
TLS: Username/Password authentication succeeded for username 'sdfds' [CN SET]
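
The pam_permit-only stack posted above (and flagged "DO NOT USE THIS IN A LIVE SERVER") grants every username/password, which is why even a random user such as 'sdfds' succeeds. As an added example that is not code from the thread or from OpenVPN, the following Python script parses pam.d syntax and reports permissive patterns in the auth/account stacks: the permit-all stack from the thread, a constructed pam_unix stack a production server would use instead, and a constructed misconfiguration where a `sufficient pam_permit.so` short-circuits the real module. The sample stacks and the finding texts are the example's own.

```python
"""Audit a PAM service stack before pointing OpenVPN's auth-pam plugin at it.

Added example (not code from the thread or from OpenVPN). It parses the
/etc/pam.d/<service> syntax and reports whether the auth/account stacks
would accept any credentials, as the pam_permit-only stack above does.
"""
import re
from dataclasses import dataclass, field
from typing import List

# Stack posted in the thread: every auth and account request is permitted.
PERMIT_ALL = """\
auth    required        pam_permit.so
account required      pam_permit.so
"""

# Constructed alternative: credentials verified against the local shadow database.
UNIX_STACK = """\
auth    required        pam_unix.so
account required        pam_unix.so
session optional        pam_unix.so
"""

# Constructed misconfiguration: a 'sufficient' pam_permit succeeds immediately,
# so pam_unix after it is never consulted.
PERMIT_SUFFICIENT = """\
auth    sufficient      pam_permit.so
auth    required        pam_unix.so
account required        pam_unix.so
"""

# <type> <control> <module> [args]; control may be a bracketed [value=action ...] expression
_RULE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


@dataclass
class PamRule:
    type: str                      # auth, account, password or session
    control: str                   # required, requisite, sufficient, optional or [...]
    module: str                    # e.g. pam_unix.so
    args: List[str] = field(default_factory=list)


def parse_pam_stack(text: str) -> List[PamRule]:
    """Parse one pam.d file. Include directives are skipped, not followed."""
    rules: List[PamRule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        if line.startswith("@include") or line.split()[0] == "include":
            continue
        m = _RULE.match(line)
        if not m:
            raise ValueError(f"unparseable PAM line: {raw!r}")
        ptype, control, module, rest = m.groups()
        rules.append(PamRule(ptype.lower(), control, module, rest.split()))
    return rules


def audit(text: str) -> List[str]:
    """Return human-readable findings; an empty list means no permissive pattern was found."""
    rules = parse_pam_stack(text)
    findings: List[str] = []
    for ptype in ("auth", "account"):
        stack = [r for r in rules if r.type == ptype]
        if not stack:
            findings.append(f"no {ptype} rules for this service")
            continue
        if all(r.module == "pam_permit.so" for r in stack):
            findings.append(f"{ptype} stack is pam_permit only: every request is granted")
            continue
        # A 'sufficient' pam_permit returns success at once and skips the modules after it.
        for idx, r in enumerate(stack):
            if r.module == "pam_permit.so" and r.control == "sufficient" and idx + 1 < len(stack):
                findings.append(f"{ptype}: sufficient pam_permit.so short-circuits later modules")
    return findings


if __name__ == "__main__":
    for name, stack in (("permit-all", PERMIT_ALL), ("pam_unix", UNIX_STACK),
                        ("sufficient-permit", PERMIT_SUFFICIENT)):
        print(f"{name}: {audit(stack) or ['ok']}")
```

Run it against the real file with `audit(open("/etc/pam.d/openvpn").read())`; a stack that includes other files (Debian's `@include common-auth`) needs those files audited too, since this parser deliberately does not follow includes.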

fthomas
OpenVpn Newbie
Posts: 3
Joined: Wed Apr 26, 2017 6:55 am

Re: pam authentication

Post by fthomas » Mon May 01, 2017 8:55 am

Dears,

I've noticed that if I start the server from the command line (as opposed to via systemd) the authentication does work.
Then I found this: https://bugs.launchpad.net/ubuntu/+sour ... ug/1511524

Following what's described there, I've added CAP_AUDIT_WRITE to the CapabilityBoundingSet in the systemd unit file, and voila... I can authenticate.
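
The symptom above (auth works from the command line but fails under systemd) comes from the unit's CapabilityBoundingSet, which the plugin's PAM conversation needs CAP_AUDIT_WRITE to get past. As an added example that is not code from the thread, OpenVPN or systemd, the Python script below checks a unit's bounding set as printed by `systemctl show -p CapabilityBoundingSet`, scans the server log for auth-pam verify calls that returned a non-zero status, and prints a drop-in that adds the capability (systemd ORs repeated `CapabilityBoundingSet=` assignments together, so the drop-in only adds to the packaged set). The unit name `openvpn@server`, the drop-in file name and the sample `systemctl show` output and log lines are constructed assumptions; only the log line format is modelled on the thread.

```python
"""Check whether a systemd-managed OpenVPN unit is allowed CAP_AUDIT_WRITE.

Added example (not code from the thread, OpenVPN or systemd). Parses
`systemctl show -p CapabilityBoundingSet <unit>` output, scans the server
log for failed auth-pam verifies, and prints a drop-in adding the capability.
"""
import re
import subprocess
from typing import List, Set

UNIT = "openvpn@server"  # assumption: Debian/Ubuntu-style instance unit name

# Constructed sample of `systemctl show -p CapabilityBoundingSet` output for a
# unit whose bounding set does not include cap_audit_write.
SAMPLE_SHOW_OUTPUT = (
    "CapabilityBoundingSet=cap_ipc_lock cap_net_admin cap_net_bind_service "
    "cap_net_raw cap_setgid cap_setuid cap_sys_chroot cap_dac_override\n"
)

# Constructed server log excerpt in the format shown in the thread: status=0
# is a successful verify, a non-zero status a failed one.
SAMPLE_LOG = """\
AUTH-PAM: BACKGROUND: received command code: 0
AUTH-PAM: BACKGROUND: USER: alice
PLUGIN_CALL: POST /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
AUTH-PAM: BACKGROUND: received command code: 0
AUTH-PAM: BACKGROUND: USER: bob
PLUGIN_CALL: POST /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=0
"""

_VERIFY = re.compile(r"PLUGIN_AUTH_USER_PASS_VERIFY status=(\d+)")
_USER = re.compile(r"AUTH-PAM: BACKGROUND: USER: (\S+)")


def parse_bounding_set(show_output: str) -> Set[str]:
    """Return the capability names (lower-cased) listed on the CapabilityBoundingSet= line."""
    caps: Set[str] = set()
    for line in show_output.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "CapabilityBoundingSet":
            caps.update(c.lower() for c in value.split())
    return caps


def missing_audit_write(caps: Set[str]) -> bool:
    return "cap_audit_write" not in caps


def failed_pam_verifies(log_text: str) -> List[str]:
    """Usernames whose auth-pam verify call returned a non-zero status."""
    failed: List[str] = []
    user = "?"
    for line in log_text.splitlines():
        m = _USER.search(line)
        if m:
            user = m.group(1)          # remember the user the next verify line belongs to
            continue
        m = _VERIFY.search(line)
        if m and m.group(1) != "0":
            failed.append(user)
    return failed


def dropin_text() -> str:
    """Drop-in body; systemd merges repeated CapabilityBoundingSet= lines by OR."""
    return "[Service]\nCapabilityBoundingSet=CAP_AUDIT_WRITE\n"


def diagnose(show_output: str, log_text: str) -> List[str]:
    findings: List[str] = []
    if missing_audit_write(parse_bounding_set(show_output)):
        findings.append("bounding set lacks cap_audit_write")
    for user in failed_pam_verifies(log_text):
        findings.append(f"auth-pam verify failed for user {user}")
    return findings


if __name__ == "__main__":
    try:
        out = subprocess.run(["systemctl", "show", "-p", "CapabilityBoundingSet", UNIT],
                             capture_output=True, text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        out = SAMPLE_SHOW_OUTPUT   # no systemd available: fall back to the constructed sample
    for finding in diagnose(out, SAMPLE_LOG):
        print(finding)
    # pam.conf is an assumed drop-in file name; any *.conf name in that directory works
    print(f"drop-in for /etc/systemd/system/{UNIT}.service.d/pam.conf:\n{dropin_text()}")
```

After writing the drop-in, `systemctl daemon-reload` and a restart of the unit are needed before the new bounding set applies; re-running the script then shows the capability present. Adding a single capability this way keeps the rest of the packaged unit's hardening in place, which is preferable to editing the vendor unit file directly.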

TiTex
OpenVPN Super User
Posts: 310
Joined: Tue Apr 12, 2011 6:22 am

Re: pam authentication

Post by TiTex » Mon May 01, 2017 2:58 pm

I used systemd to start the service :)
Although the unit files differ between RHEL-based distros and Debian-based ones.
