Backports update broke PAM authentication

Posted: Tue Mar 20, 2018 8:40 am
by jimdoe
I have reported the bug here https://community.openvpn.net/openvpn/t ... 045#ticket

I updated my openvpn package installed using apt on Debian Stretch (currently on 2.4.0-6+deb9u2) to the 2.4.4 that is contained in the stretch backports repository.

The update seemed to go fine, with no reported errors.

However, upon testing the actual server connection after the update, the update had broken the Multi Factor Authentication I had had set up using PAM to authenticate using the user password as well as an OTP code generated by google authenticator.

What was strange was that when I went into the log to investigate, I found that it was reporting that /usr/lib/openvpn/openvpn-plugin-auth-pam.so was missing, and I then discovered that the entire /usr/lib/openvpn directory had disappeared as a result of the update, which I thought was very strange.

I thought it would be as simple a fix as copying over the /usr/lib/openvpn directory and its contents from a .img backup I had of my debian installation. Whilst this fixed the missing file problem, the google-authenticator part of the module was no longer working, and authentication was failing every time.

It was not until I commented out

Code:

auth required pam_google_authenticator.so forward_pass

from /etc/pam.d/openvpn that I was able to connect using PAM, but it was now only asking for my password. Something about the update to 2.4.4 messed with the directory that openvpn-plugin-auth-pam.so is contained in, and also the interaction between PAM and google authenticator.
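
A post-upgrade check for the failure described in this post, as an added example that is not part of the original thread: it confirms that every module named by a `plugin` directive in the OpenVPN server config still exists on disk, and that the PAM service file still has an active `pam_google_authenticator.so` auth line, so a missing plugin or a silently dropped second factor is caught before anyone connects. The function names and the two file paths passed as arguments are assumptions about the installation.

```shell
#!/bin/sh
# Added example (not from the thread): post-upgrade check for an
# OpenVPN + PAM + OTP setup. Both file paths are supplied by the caller.

# Print the module path of every "plugin" directive in an OpenVPN config.
plugin_paths() {
    awk '$1 == "plugin" { print $2 }' "$1"
}

# Succeed only if an uncommented auth line with control "required" or
# "requisite" loads pam_google_authenticator.so. Bracketed control syntax
# ([success=...]) is not interpreted: a simplification of this example.
otp_enforced() {
    awk '($1 == "auth" || $1 == "-auth") &&
         ($2 == "required" || $2 == "requisite") &&
         $3 ~ /pam_google_authenticator\.so$/ { ok = 1 }
         END { exit !ok }' "$1"
}

# check_vpn_mfa CONF PAMFILE: returns 0 only if both checks pass.
check_vpn_mfa() {
    conf=$1; pam=$2; status=0
    paths=$(plugin_paths "$conf")
    [ -n "$paths" ] || { echo "FAIL: no plugin directive in $conf"; status=1; }
    for p in $paths; do   # paths containing spaces are not handled
        [ -f "$p" ] || { echo "FAIL: plugin file missing: $p"; status=1; }
    done
    otp_enforced "$pam" || { echo "FAIL: OTP module not enforced in $pam"; status=1; }
    return $status
}

# Run against real files when called with two arguments: CONF PAMFILE
if [ "$#" -eq 2 ]; then
    check_vpn_mfa "$1" "$2" && echo "OK: plugin present, OTP enforced"
fi
```

Called with the server config and `/etc/pam.d/openvpn` after each package upgrade, it reports both conditions from this post: the vanished plugin file and the commented-out OTP line.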

Re: Backports update broke PAM authentication

Posted: Tue Mar 20, 2018 12:28 pm
by TinCanTech

Re: Backports update broke PAM authentication

Posted: Tue Mar 20, 2018 1:57 pm
by jimdoe
I can confirm that 2.4.5 works with PAM and google-authenticator. Unfortunately this meant having to compile and install the software myself. I was hoping to install a more updated version of OpenVPN using the debian repos (hence my use of stretch backports). I have an armhf device, so can't use the official OpenVPN repos.

Oh well, guess I shall have to make do with self compiling. I try and avoid it mainly for simplicity's sake and ease of use (and time saving!), but seeing as openvpn is the one service that I have exposed to the internet, I like to have it as updated as possible, so I suppose I will have to get used to self-compiling openvpn rather than relying on the repos.

Hopefully I may have helped by noticing this bug and reporting it though?

Re: Backports update broke PAM authentication

Posted: Tue Mar 20, 2018 2:33 pm
by TinCanTech
jimdoe wrote:
Tue Mar 20, 2018 1:57 pm
I can confirm that 2.4.5 works with PAM and google-authenticator.
Thanks
jimdoe wrote:
Tue Mar 20, 2018 1:57 pm
Unfortunately this meant having to compile and install the software myself. I was hoping to install a more updated version of OpenVPN using the debian repos (hence my use of stretch backports). I have an armhf device, so can't use the official OpenVPN repos.
OK.
jimdoe wrote:
Tue Mar 20, 2018 1:57 pm
Oh well, guess I shall have to make do with self compiling. I try and avoid it mainly for simplicity's sake and ease of use (and time saving!), but seeing as openvpn is the one service that I have exposed to the internet, I like to have it as updated as possible, so I suppose I will have to get used to self-compiling openvpn rather than relying on the repos.
That is a good idea.
jimdoe wrote:
Tue Mar 20, 2018 1:57 pm
Hopefully I may have helped by noticing this bug and reporting it though?
By the sound of it, this is not so much a bug in openvpn but the debian package for your device.

However, 2.4.5 has been a fairly major release and I do not believe there is anything new on the horizon currently, so your upstream package should get updated fairly soon (hopefully). It may be worth letting those people know.

Also, could you please update the openvpn ticket with this new info .. thanks 8-)

Re: Backports update broke PAM authentication

Posted: Tue Mar 20, 2018 3:08 pm
by jimdoe
Ah, apologies. I thought this was the place to report bugs in the debian packages too, but I see now that they have different maintainers and different bug reporting methods. My bad.

Will update the openvpn bug ticket this evening.

Thanks for your help.