Can't get pam authentication to work

jdh28
OpenVpn Newbie
Posts: 5
Joined: Mon Jul 17, 2017 9:54 am

Can't get pam authentication to work

Post by jdh28 » Mon Jul 17, 2017 10:43 am

I'm running openvpn 2.4.0 on Debian Stretch. Ultimately I want to authenticate against Active Directory using Kerberos, but as that wasn't working, I disabled pam_krb5 and I'm just attempting to authenticate with a local user.

Currently, I get the error:

AUTH-PAM: BACKGROUND: user 'john' failed to authenticate: System error
10.21.43.233:50183 PLUGIN_CALL: POST /usr/lib/openvpn/openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
10.21.43.233:50183 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/lib/openvpn/openvpn-plugin-auth-pam.so
10.21.43.233:50183 TLS Auth Error: Auth Username/Password verification failed for peer

In the auth.log, I see

openvpn: PAM audit_log_acct_message() failed: Operation not permitted

My server configuration is:
Server Config
port 1194
proto udp
dev tun0
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
server 10.21.44.0 255.255.255.0
ifconfig-pool-persist /var/local/openvpn/ipp.txt
push "route 10.21.42.0 255.255.255.0"
push "route 93.93.129.77 255.255.255.255"
push "route 46.235.225.158 255.255.255.255"
route 10.21.45.0 255.255.255.0
push "dhcp-option DNS 10.21.44.1"
push "dhcp-option DOMAIN ctg.local"
duplicate-cn
push "ping-restart 0"
comp-lzo
user openvpn
group nogroup
persist-key
persist-tun
status /var/log/openvpn-status.log
log-append /var/log/openvpn.log
verb 3
crl-verify crl.pem
plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so openvpn

And /etc/pam.d/openvpn looks like this:
PAM config
auth required pam_unix.so shadow nodelay debug
account required pam_unix.so debug

I used sasl2 to test the PAM configuration, and it seems to be working correctly for the local user:

# saslauthd -d -a pam -m /var/run/saslauthd &
# testsaslauthd -u john -p ******** -s openvpn

saslauthd[3357] :released accept lock
saslauthd[3367] :acquired accept lock
saslauthd[3357] :auth success: [user=john] [service=openvpn] [realm=] [mech=pam]
saslauthd[3357] :response: OK
0: OK "Success."

It seems that the 'Operation not permitted' error is then being reported by openvpn as a 'System error', but I don't know what I can do next to debug this any further.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Can't get pam authentication to work

Post by TinCanTech » Mon Jul 17, 2017 4:59 pm

Try removing these from your server (to test) :
jdh28 wrote:

user openvpn
group nogroup

jdh28
OpenVpn Newbie
Posts: 5
Joined: Mon Jul 17, 2017 9:54 am

Re: Can't get pam authentication to work

Post by jdh28 » Mon Jul 17, 2017 5:11 pm

Just tried removing the user and group lines, but still no joy.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Can't get pam authentication to work

Post by TinCanTech » Mon Jul 17, 2017 5:15 pm

And restart the server (just saying to make sure)

jdh28
OpenVpn Newbie
Posts: 5
Joined: Mon Jul 17, 2017 9:54 am

Re: Can't get pam authentication to work

Post by jdh28 » Tue Jul 18, 2017 8:51 am

Hi,

It's always good to make sure! I did restart it and to make sure I ran 'ps' to check that it was now running under root, which it was.

This morning, I ran openvpn manually under strace to try and shed more light on where it was going wrong, and lo and behold it worked! It turns out that the Debian systemd configuration is too restrictive. It has:

CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE

By doing a binary chop on the full set of capabilities, I've been able to determine that CAP_AUDIT_WRITE is missing. Adding this enables openvpn to work. I'll file a bug with Debian.

Thanks for your help,
John
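A way to reproduce the diagnosis above without a binary chop, as an added example that is not part of the thread: it turns a systemd CapabilityBoundingSet= list into the hex mask the kernel reports as CapBnd: in /proc/<pid>/status and checks it for CAP_AUDIT_WRITE, the capability pam_unix's audit_log_acct_message() needs. The capability numbers come from linux/capability.h; the list of caps it understands is limited to the ones in this thread.

```sh
#!/bin/sh
# Added example (not from the thread): build the hex capability mask that a
# systemd CapabilityBoundingSet= line grants, in the same form the kernel
# reports as "CapBnd:" in /proc/<pid>/status, and check it for
# CAP_AUDIT_WRITE, which pam_unix's audit_log_acct_message() needs.
# Capability numbers are from linux/capability.h.

cap_number() {
    case "$1" in
        CAP_DAC_OVERRIDE)     echo 1 ;;
        CAP_SETGID)           echo 6 ;;
        CAP_SETUID)           echo 7 ;;
        CAP_NET_BIND_SERVICE) echo 10 ;;
        CAP_NET_ADMIN)        echo 12 ;;
        CAP_NET_RAW)          echo 13 ;;
        CAP_IPC_LOCK)         echo 14 ;;
        CAP_SYS_CHROOT)       echo 18 ;;
        CAP_AUDIT_WRITE)      echo 29 ;;
        *) echo "unknown capability: $1" >&2; return 1 ;;
    esac
}

# mask_from_caps "CAP_A CAP_B ..." -> 16-digit hex mask (CapBnd format)
mask_from_caps() {
    mask=0
    for cap in $1; do
        n=$(cap_number "$cap") || return 1
        mask=$(( mask | (1 << n) ))
    done
    printf '%016x\n' "$mask"
}

# mask_has_cap MASK CAP_NAME -> exit status 0 if the bit is set
mask_has_cap() {
    n=$(cap_number "$2") || return 1
    [ $(( (0x$1 >> n) & 1 )) -eq 1 ]
}

# cap_bnd_of_pid PID -> CapBnd mask of a live process (Linux only)
cap_bnd_of_pid() {
    awk '/^CapBnd:/ { print $2 }' "/proc/$1/status"
}

# The bounding set quoted in the thread from the shipped unit file.
UNIT_CAPS="CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE"

mask=$(mask_from_caps "$UNIT_CAPS")
printf 'CapBnd from unit: %s\n' "$mask"
if mask_has_cap "$mask" CAP_AUDIT_WRITE; then echo "CAP_AUDIT_WRITE present"
else echo "CAP_AUDIT_WRITE missing: PAM audit call will return EPERM"; fi
```

The fix the thread arrives at is adding CAP_AUDIT_WRITE to that CapabilityBoundingSet= line (for example in a systemd drop-in created with systemctl edit for the unit in use); running cap_bnd_of_pid on the restarted server's PID and passing the result to mask_has_cap confirms the change actually reached the process.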

jdh28
OpenVpn Newbie
Posts: 5
Joined: Mon Jul 17, 2017 9:54 am

Re: Can't get pam authentication to work

Post by jdh28 » Tue Jul 18, 2017 9:07 am

The issue is that Debian and OpenVPN both ship systemd unit definitions, and in fact there is a bug to that effect: https://bugs.debian.org/cgi-bin/bugrepo ... bug=866523. I was using the OpenVPN one, but the Debian one does include the necessary additional capability.

dazo
OpenVPN Inc.
Posts: 155
Joined: Mon Jan 11, 2010 10:14 am
Location: dazo :: #openvpn-devel @ libera.chat

Re: Can't get pam authentication to work

Post by dazo » Tue Jul 18, 2017 8:32 pm

Thanks for the great debugging! Yes, it is quite likely CAP_AUDIT_WRITE is lacking. I will look into that.

Please file this issue in the OpenVPN Trac instance; we try to ensure all distributions ship our openvpn-server@.service and openvpn-client@.service unit files unmodified. This is to ensure the behaviour is identical across all Linux systemd based distributions - something which is far easier with systemd unit files than before. And feel free to assign it to me.

Just log into https://community.openvpn.net/openvpn using the same username/password as you use here on the forums and you can file a new bug.

jdh28
OpenVpn Newbie
Posts: 5
Joined: Mon Jul 17, 2017 9:54 am

Re: Can't get pam authentication to work

Post by jdh28 » Tue Jul 18, 2017 9:09 pm

