Business solution to host your own OpenVPN server with web management interface and bundled clients.
-
mvandenberg
- OpenVpn Newbie
- Posts: 6
- Joined: Wed Jan 17, 2018 4:52 pm
by mvandenberg » Wed Mar 28, 2018 4:35 pm
Code:
Mar 28 12:30:27 fake-hostname sshd[27789]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=1.2.3.4 user=fakeuser
Mar 28 12:30:27 fake-hostname sshd[27789]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=1.2.3.4 user=fakeuser
Mar 28 12:30:27 fake-hostname sshd[27787]: Accepted keyboard-interactive/pam for fakeuser from 1.2.3.4 port 37268 ssh2
Mar 28 12:30:27 fake-hostname sshd[27787]: pam_unix(sshd:session): session opened for user fakeuser by (uid=0)
I am attempting to remove "pam_unix(sshd:auth): authentication failure;". I followed the instructions documented here
https://access.redhat.com/solutions/881103 (changes below) but this causes our OpenVPN logins to fail as we need to use pam_unix authentication in order to use the Google Auth code.
Code:
$ diff /etc/pam.d/system-auth-ac ./system-auth-ac.orig
5d4
< auth [default=1 success=ok] pam_localuser.so
8c7
< auth sufficient pam_sss.so forward_pass
$ diff /etc/pam.d/password-auth-ac ./password-auth-ac.orig
5d4
< auth [default=1 success=ok] pam_localuser.so
8c7
< auth sufficient pam_sss.so forward_pass
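Review bot: the `8c7` change in both diffs is cut off after its `<` line, so the original line 7 that `auth sufficient pam_sss.so forward_pass` replaced is not shown, and neither is the module that follows the new line 5. That matters because `[default=1 success=ok]` on `pam_localuser.so` skips the next auth module for every user who is not in the local passwd file, and `system-auth-ac` and `password-auth-ac` are shared includes, so the skip applies to every service that pulls them in, not just sshd. Post the full auth stack from both files, and check which PAM service the VPN logins go through before making the change in the shared files.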
Let me know if you have any ideas.
-
novaflash
- OpenVPN Inc.
- Posts: 1073
- Joined: Fri Apr 13, 2012 8:43 pm
by novaflash » Wed Apr 04, 2018 8:33 am
Try elsewhere on the forums here, because you are currently on the support forum for the commercial OpenVPN Access Server product, not the open source OpenVPN project, which is handled elsewhere. Also, what does this really have to do with OpenVPN? Shouldn't you be talking to folks from the PAM project or looking into documentation for PAM instead?
I'm still alive, just posting under the openvpn_inc alias now as part of a larger group.
-
by mvandenberg » Thu Apr 05, 2018 8:05 pm
We are using the commercial OpenVPN Access Server product.
Code:
Name : openvpn-as Relocations: (not relocatable)
Version : 2.1.12 Vendor: (none)
Release : CentOS6.9 Build Date: Wed 30 Aug 2017 05:14:06 PM EDT
Install Date: Mon 26 Mar 2018 10:37:37 PM EDT Build Host: buildsys
Group : Network/Platform Source RPM: openvpn-as-2.1.12-CentOS6.9.src.rpm
Size : 75656053 License: Commercial
Signature : (none)
Summary : openvpn-as
Description :
Sorry to have bothered you. It seemed applicable since changes to PAM affected OpenVPN. I'll figure it out and when I find a solution I'll post it here.
-
by novaflash » Fri Apr 06, 2018 7:17 am
Well, alright then, if you are using the OpenVPN Access Server, then why not just go to the Client Settings page in the Admin UI, tick the 'Enable Google Authenticator' box, and be done with it? Because that is really literally all you need to do to enable Google Authenticator on Access Server. There is no need to mess with PAM. That is only needed on the open source version.
-
by mvandenberg » Mon Apr 09, 2018 4:34 pm
This is not a question of how to enable Google authentication. The problem is we have LDAP authentication enabled (not local) on our servers and as such PAM is generating the following log, "pam_unix(sshd:auth): authentication failure", on SUCCESSFUL ssh logins. Our systems are monitored and this log has generated confusion because it appears logins are failing but they are not. This error is generated during ssh login because PAM is first checked locally (which fails) and then LDAP for authentication (which is successful). The linked RedHat solution
https://access.redhat.com/solutions/881103 solves this, and when implemented the log no longer appears, with ssh logins continuing to be successful. However, the issue is that when this change is implemented, logins through OpenVPN Connect clients to the OpenVPN AS no longer function. Hence why I asked here to get a better understanding of how OpenVPN AS and PAM integrate, or not, as the case may be.
As I said, I'll figure it out and once I do, report back here.
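The monitoring side of the problem described in the post above can also be handled in the log consumer, without touching the PAM stack. This is an added example, not part of the original thread: it treats a `pam_unix(sshd:auth)` failure as benign only when the same sshd process then logs a `pam_sss` success for the same user and remote host. The function name `real_failures` and the last sample line (pid 27801) are constructed for illustration.

```python
import re

# Constructed sample: the first three lines follow the log excerpt in the first
# post; the last line (pid 27801) is a constructed failure with no pam_sss success.
SAMPLE = """\
Mar 28 12:30:27 fake-hostname sshd[27789]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=1.2.3.4 user=fakeuser
Mar 28 12:30:27 fake-hostname sshd[27789]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=1.2.3.4 user=fakeuser
Mar 28 12:30:27 fake-hostname sshd[27787]: Accepted keyboard-interactive/pam for fakeuser from 1.2.3.4 port 37268 ssh2
Mar 28 12:31:02 fake-hostname sshd[27801]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=5.6.7.8 user=otheruser
"""

# Matches only PAM auth-phase result lines written by sshd.
PAM_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: (?P<module>pam_\w+)\(sshd:auth\): "
    r"authentication (?P<result>failure|success);.*?"
    r"rhost=(?P<rhost>\S*)(?:\s+user=(?P<user>\S+))?"
)

def real_failures(log_text):
    """Return pam_unix failure lines that are NOT followed by a pam_sss
    success from the same sshd pid for the same user and remote host."""
    pending = {}  # (pid, user, rhost) -> original log line
    for line in log_text.splitlines():
        m = PAM_RE.search(line)
        if not m:
            continue  # e.g. the "Accepted ..." line from the parent sshd
        key = (m["pid"], m["user"], m["rhost"])
        if m["module"] == "pam_unix" and m["result"] == "failure":
            pending[key] = line
        elif m["module"] == "pam_sss" and m["result"] == "success":
            # Local check failed, directory check succeeded: not a failed login.
            pending.pop(key, None)
    return list(pending.values())

if __name__ == "__main__":
    for line in real_failures(SAMPLE):
        print("ALERT:", line)
```

Keying on the sshd pid keeps the suppression narrow: a `pam_unix` failure with no matching `pam_sss` success in the same process still raises an alert.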
-
by novaflash » Mon Apr 09, 2018 4:52 pm
Okay, then it seems it's not actually a problem in Access Server, in my humble opinion. Good luck!