Backports update broke PAM authentication
Posted: Tue Mar 20, 2018 8:40 am
I have reported the bug here https://community.openvpn.net/openvpn/t ... 045#ticket
I updated my openvpn package installed using apt on Debian Stretch (currently on 2.4.0-6+deb9u2) to the 2.4.4 that is contained in stretch backports repository.
The update seemed to go fine, with no reported errors.
However, upon testing the actual server connection after the update, the update had broken the Multi Factor Authentication I had had setup using PAM to authenticate using the user password as well as a OTP code generated by google authenticator.
What was strange was that when I went into the log to investigate, I found that it was reporting that /usr/lib/openvpn/openvpn-plugin-auth-pam.so was missing, and I then discovered that the entire /usr/lib/openvpn directory had disappeared as a result of the update, which I thought was very strange.
I thought it would be as simple a fix as copying over the /usr/lib/openvpn directory and its contents from a .img backup I had of my debian installation. Whilst this fixed the missing file problem, the google-authenticator part of the module was no longer working, and authentication was failing every time.
It was not until I commented out
from /etc/pam.d/openvpn that I was able to connect using PAM, but it was now only asking for my password. Something about the update to 2.4.4 messed with the directory that openvpn-plugin-auth-pam.so is contained in, and also the interaction between PAM and google authenticator.
I updated my openvpn package installed using apt on Debian Stretch (currently on 2.4.0-6+deb9u2) to the 2.4.4 that is contained in stretch backports repository.
The update seemed to go fine, with no reported errors.
However, upon testing the actual server connection after the update, the update had broken the Multi Factor Authentication I had had setup using PAM to authenticate using the user password as well as a OTP code generated by google authenticator.
What was strange was that when I went into the log to investigate, I found that it was reporting that /usr/lib/openvpn/openvpn-plugin-auth-pam.so was missing, and I then discovered that the entire /usr/lib/openvpn directory had disappeared as a result of the update, which I thought was very strange.
I thought it would be as simple a fix as copying over the /usr/lib/openvpn directory and its contents from a .img backup I had of my debian installation. Whilst this fixed the missing file problem, the google-authenticator part of the module was no longer working, and authentication was failing every time.
It was not until I commented out
Code: Select all
auth required pam_google_authenticator.so forward_pass