OpenVPN sends encoded password with extraneous info in env

zonse
OpenVpn Newbie
Posts: 1
Joined: Sun Jun 07, 2015 7:43 am

OpenVPN sends encoded password with extraneous info in env

Post by zonse » Sun Jun 07, 2015 8:00 am

Hello,

I'm trying to setup OpenVPN to authenticate off of radius but am running into some problems with the OpenVPN's handling of the password. OpenVPN adds "SCRV1:" to the front of the password, base64 encodes the password, and attaches what looks to be some sort of challenge response to the password field as it's passed in the environment.

I can't for the life of me figure out if this is a setting in OpenVPN or just a bug. When I run the radiusplugin manually with the test env variables it authenticates properly.

server.conf
Code:

local x.x.x.x

port 1194
proto tcp

# Which device
dev tun

user root
group root
persist-tun
persist-key

server 10.0.1.0 255.255.255.0
management 127.0.0.1 7505

#auth-user-pass-verify /etc/openvpn/auth-pam.pl via-env
username-as-common-name
client-cert-not-required
client-config-dir /etc/openvpn/ccd
client-to-client

push "redirect-gateway 206.217.193.166"
push "dhcp-option DOMAIN wizardvpn.com"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"

ping-timer-rem
keepalive 10 60

# Use compression
#comp-lzo

#tls-server
#tls-auth /etc/openvpn/ssl/ta.key 0
dh /etc/openvpn/ssl/dh1024.pem
cert /etc/openvpn/ssl/server.crt
key /etc/openvpn/ssl/server.key
ca /etc/openvpn/ssl/ca.crt

verb 9
mute 20

topology net30

status /var/log/openvpn/status.log 1
log /var/log/openvpn/radiusvpn.log

#cipher BF-CBC
#auth SHA1

duplicate-cn

plugin /etc/openvpn/plugins/radiusplugin.so /etc/openvpn/radiusplugin.cnf

script-security 3

Packet Received by Radius

Code:

Received Access-Request Id 129 from x.x.x.x:55984 to x.x.x.x:1812 length 90
        User-Name = 'username'
        User-Password = 'SCRV1:dGVzdA==:Tm9uZQ=='
        NAS-IP-Address = 206.217.193.166
        NAS-Port = 1
        Service-Type = Outbound-User
        Calling-Station-Id = 'x.x.x.x'
        NAS-Identifier = 'OpenVpn'
        NAS-Port-Type = Virtual
The user-password is split into "SCRV1 : base64 data : base64 data". The first set of base64 encoded data is the password. This is the environment variable that is received by the plugin from OpenVPN. This is the same if I use the pam radius plugin or the radiusplugin from OpenVPN.

What am I missing?

unblue
OpenVpn Newbie
Posts: 1
Joined: Tue Jan 28, 2020 10:13 pm

Re: OpenVPN sends encoded password with extraneous info in env

Post by unblue » Tue Jan 28, 2020 10:14 pm

Did you ever get a solution to this?!

It's driving me mad that openVPN + FreeRadius works fine on iOS, tests fine locally, but fails when a Windows 10 OpenVPN Connect client tries to connect. It's the same SCRV1:... entry being supplied and failing, and it's just because *something* is base64-encoding it!

rjj
OpenVpn Newbie
Posts: 1
Joined: Mon Feb 10, 2020 4:08 am

Re: OpenVPN sends encoded password with extraneous info in env

Post by rjj » Mon Feb 10, 2020 4:08 am

I am having the same issue. Is there a config setting I'm missing?

dorr13
OpenVpn Newbie
Posts: 12
Joined: Fri Jan 07, 2022 12:44 am

Re: OpenVPN sends encoded password with extraneous info in env

Post by dorr13 » Fri Jan 07, 2022 1:16 am

This: SCRV1 : base64 data : base64 data

occurs only when the client has static-challenge enabled.

CLIENT CONFIG:
client

static-challenge "Please enter authenticator pin:" 1


If that is removed, and the password and authenticator TOTP pin are concatenated in the password field, they will be sent without base64 encoding.

In my case, the concatenated password+TOTP works with the corresponding server config:

SERVER CONFIG:
server

plugin /usr/lib/x86_64-linux-gnu/openvpn/plugins/openvpn-plugin-auth-pam.so "openvpn_radius login USERNAME password PASSWORD"


The RADIUS server I am using allows splitting based on a separator character or can take the last n-characters as the TOTP value, but it doesn't know how to decode base64.

My clients would prefer the authenticator TOTP pin be entered via challenge, separate from the password, with TOTP echoed back if possible. So, I am stumbling over the problem of base64 encoding as well.

Is there a way to tell the client not to base64 encode? I guess the reason for encoding is to preserve special characters, but if it can be disabled, I might consider it.

Alternatively, is there a safe way to decode in the PAM stage?

TIA

dorr13
OpenVpn Newbie
Posts: 12
Joined: Fri Jan 07, 2022 12:44 am

Re: OpenVPN sends encoded password with extraneous info in env

Post by dorr13 » Fri Jan 14, 2022 12:40 am

openvpn-plugin-auth-pam.so is compiled from openvpn-plugin-auth-pam.c, which contains a function split_scrv1_password(), which (if invoked as appears to be intended) should check and conditionally call a plugin_base64_decode() function before handing the password to PAM.

In my case, from custom pam-script and from RADIUS logs, it is clear that the plugin_base64_decode() is either not called or is not processing correctly, because what is delivered to PAM is in the form SCRV1:base64_pass:base64_response. So, parsing of the user_pass structure seems broken.

I haven't found an error yet, but the behavior is such that openvpn-plugin-auth-pam.so doesn't consider the password to be encoded, so gives it to PAM and moves on.

TinCanTech
Forum Team
Posts: 10692
Joined: Fri Jun 03, 2016 1:17 pm

Re: OpenVPN sends encoded password with extraneous info in env

Post by TinCanTech » Fri Jan 14, 2022 1:12 am

dorr13 wrote:
Fri Jan 14, 2022 12:40 am
I haven't found an error yet, but the behavior is such that openvpn-plugin-auth-pam.so doesn't consider the password to be encoded, so gives it to PAM and moves on.
Are you also using a deferred auth method?

dorr13
OpenVpn Newbie
Posts: 12
Joined: Fri Jan 07, 2022 12:44 am

Re: OpenVPN sends encoded password with extraneous info in env

Post by dorr13 » Sat Jan 15, 2022 8:34 pm

Negative - unless that is somehow default and non-obvious.

Comments in auth_pam.c indicate deferred auth occurs: "...if there is 'auth_control_file' and 'deferred_auth_pam' env." I have neither.

I notice a marked difference between client behavior when static-challenge is enabled versus when it is not used. When not used (when password and totp are concatenated in the password field), values are sent to PAM without base64 encoding. When static-challenge is enabled, values are sent to PAM encoded. From commit comments, I understand this is intentional.

From current auth_pam.c, it looks like openvpn-plugin-auth-pam.so is designed to receive password (and other details), check the password to see if it is base64 encoded, with the prefix "SCRV1:", and split/decode if appropriate before sending to PAM, but the decode doesn't occur. However, the values sent to PAM are definitely still in the form: SCRV1:<base64_encoded_passwd>:<base64_encoded_response>

I am running OpenVPN 2.4.7 from packages on Debian 10.11

Thanks

TinCanTech
Forum Team
Posts: 10692
Joined: Fri Jun 03, 2016 1:17 pm

Re: OpenVPN sends encoded password with extraneous info in env

Post by TinCanTech » Sat Jan 15, 2022 9:18 pm

Does this help https://github.com/OpenVPN/openvpn/blob ... -notes.txt ?

scroll to the end ..

dorr13
OpenVpn Newbie
Posts: 12
Joined: Fri Jan 07, 2022 12:44 am

Re: OpenVPN sends encoded password with extraneous info in env

Post by dorr13 » Tue Jan 18, 2022 11:31 pm

Line 1224+ Static Protocol?

From what I can tell, that section accurately describes client/end-station behavior when static-challenge is used. With static-challenge, the client correctly encodes password and response and delivers it to the OpenVPN server.

The authentication plugin has to accept credentials which may or may not be base64 encoded. Since I am using RADIUS via PAM, the plugin openvpn-plugin-auth-pam.so makes sense.

From the source of auth-pam.c [source for openvpn-plugin-auth-pam.so], OpenVPN server is intended to receive credentials, test to see if they are base64 encoded, decode them if necessary, and then send them to PAM. Yet, the decode fails or does not occur. This seems to affect others using different platforms and versions as well.

I re-tried with static-challenge "Please enter PIN:" 1 in combination with a pam-script at the server to evaluate the result. OpenVPN sends the authentication information to PAM as "SCRV1:base64_passwd:base64_response", literally: SCRV1:bm90cmVhbHB3:MTIzNDU2. PAM doesn't do anything with the credentials but send them on to RADIUS, and RADIUS doesn't expect base64 encoded credentials, so authentication fails. The decode has to be handled by openvpn-plugin-auth-pam.so before credentials are sent to PAM in order to be successful.

I re-tried with auth-retry interact (without the static challenge). No base64 encoding was done, so authentication likely would have succeeded had I concatenated the password and TOTP, but there was no separate prompt for TOTP.

I re-tried with auth-retry interact (without the static challenge) - intentionally failing to concatenate password and TOTP on the first pass. I was re-prompted on failure, entered password concatenated with TOTP on the second pass and authenticated successfully. So, there is a place for this feature, but it doesn't do what I really need here.

I re-tried with both static-challenge "Please enter PIN:" 1 and auth-retry interact. In this case, base64 encoding is done, OpenVPN sends information to PAM base64 encoded, PAM sends it to RADIUS, and authentication fails.

I retried without static-challenge and without auth-retry interact, concatenated valid password and TOTP, and authentication succeeded. This has been my fall-back position, but is not favored because technologically disempowered clients have difficulty with the process of concatenation. Static-challenge is favored because it is more intuitive than concatenation.

Is there something else on that page that I am missing?

Thanks

TinCanTech
Forum Team
Posts: 10692
Joined: Fri Jun 03, 2016 1:17 pm

Re: OpenVPN sends encoded password with extraneous info in env

Post by TinCanTech » Wed Jan 19, 2022 12:47 am

dorr13 wrote:
Tue Jan 18, 2022 11:31 pm
From the source of auth-pam.c [source for openvpn-plugin-auth-pam.so], OpenVPN server is intended to receive credentials, test to see if they are base64 encoded, decode them if necessary, and then send them to PAM. Yet, the decode fails or does not occur.
That needs to be verified.

dorr13
OpenVpn Newbie
Posts: 12
Joined: Fri Jan 07, 2022 12:44 am

Re: OpenVPN sends encoded password with extraneous info in env

Post by dorr13 » Wed Jan 26, 2022 6:47 pm

Clarification and correction:

split_scrv1_password(): base64 split and decode functionality was added to openvpn-plugin-auth-pam.so in openvpn-2.4.10, but the plugin has evolved through openvpn-2.5.1. The plugin in versions 2.5.1 and 2.5.5 [current] are identical.

The behavior reported by several here is that of a relatively new client, used with static-challenge against an older server version. When static-challenge is used, the client is supposed to base-64 encode password and response, and send that to the server as part of the auth request. [The client doesn't know what version of software is run at server-side. Encoding appears to be non-optional in that case - probably for good reason.]

Server versions before 2.4.10 make no attempt to base64 decode the password:response values [the split_scrv1_password() function is absent]. The result is that the password:response is sent to PAM (or whatever is authenticating) as: SCRV1:base64-encoded-password:base64-encoded-response. The system receiving that doesn't necessarily expect the encoding, so authentication fails.

Server versions 2.4.10 and newer will check the value to see if it needs to be split and decoded, then attempt to do so. I haven't tested each of these versions, but the diff for 2.4.10 and 2.5.5 shows them to be functionally equivalent [error handling has evolved].

I have tested openvpn-2.5.1 on Debian and see that it now properly splits and decodes the password before delivering it to PAM. The response is split and probably decoded, but it isn't sent to PAM in the way I had hoped. [My RADIUS wants password and response as: passwordresponse. I have no options on that side.] I'm not sure I can get what is wanted using static-challenge. If my clients can accept concatenation in the password field, instead of static-challenge, this is no issue.

Hopefully, this will help someone else. The thing to do is upgrade if you can [depends partly on platform and decision to use packages or other means]. If you need a second factor normally requested via static-challenge, an option is to concatenate in the password field instead.
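The thread describes the value OpenVPN hands to the auth plugin when a client uses static-challenge (zonse's first post: "SCRV1 : base64 data : base64 data") and, in this post, what split_scrv1_password() in the 2.4.10+ auth-pam plugin does with it. The script below is an added example, not code from this thread or from OpenVPN: it reimplements that split-and-decode in Python with strict base64 validation, passes plain (non-challenge) passwords through unchanged, and rebuilds the "passwordresponse" layout dorr13's RADIUS server wants. The sample values are the two quoted on this thread; the function names and the describe() summary are this example's own.

```python
"""Parse OpenVPN's static-challenge password format (SCRV1).

Added example: reimplements the split/decode that the 2.4.10+ auth-pam
plugin performs before handing the password to PAM.  Function names are
this example's own, not OpenVPN's.
"""
import base64
import binascii

SCRV1_PREFIX = "SCRV1:"


class Scrv1Error(ValueError):
    """Raised when a value claims to be SCRV1 but is malformed."""


def _b64decode_strict(field: str) -> str:
    """Decode one base64 field; reject non-alphabet characters, bad padding and non-UTF-8."""
    try:
        raw = base64.b64decode(field, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise Scrv1Error(f"invalid base64 field: {exc}") from exc
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError as exc:
        raise Scrv1Error("decoded field is not valid UTF-8") from exc


def split_scrv1_password(value: str):
    """Return (password, response, encoded).

    A value starting with "SCRV1:" must contain exactly two base64 fields
    separated by ':' (':' is not in the base64 alphabet, so the split is
    unambiguous).  Anything else is a plain auth-user-pass password and is
    returned unchanged with response=None and encoded=False.
    """
    if not value.startswith(SCRV1_PREFIX):
        return value, None, False
    fields = value[len(SCRV1_PREFIX):].split(":")
    if len(fields) != 2:
        raise Scrv1Error(f"expected 2 fields after SCRV1:, got {len(fields)}")
    return _b64decode_strict(fields[0]), _b64decode_strict(fields[1]), True


def credentials_for_radius(value: str, layout: str = "concat") -> str:
    """Rebuild the User-Password a downstream RADIUS server expects.

    "concat": password immediately followed by the response (the
    "passwordresponse" form described on this thread).
    "password": the password only (when the OTP is verified elsewhere).
    Plain, non-SCRV1 values are returned as-is.
    """
    password, response, encoded = split_scrv1_password(value)
    if not encoded:
        return password
    if layout == "concat":
        return password + response
    if layout == "password":
        return password
    raise ValueError(f"unknown layout {layout!r}")


def describe(value: str) -> dict:
    """Non-secret summary suitable for a troubleshooting log (lengths only, no credential material)."""
    try:
        password, response, encoded = split_scrv1_password(value)
    except Scrv1Error as exc:
        return {"encoded": True, "valid": False, "error": str(exc)}
    return {
        "encoded": encoded,
        "valid": True,
        "password_len": len(password),
        "response_len": None if response is None else len(response),
    }


if __name__ == "__main__":
    # Constructed samples: the two values quoted on this thread, a plain
    # concatenated password, and a truncated SCRV1 value with one field.
    for sample in ("SCRV1:dGVzdA==:Tm9uZQ==",
                   "SCRV1:bm90cmVhbHB3:MTIzNDU2",
                   "notrealpw123456",
                   "SCRV1:dGVzdA=="):
        print(f"{sample!r} -> {describe(sample)}")
```

Used from a pam_exec helper, describe() is the safer thing to write to a log than the raw password, since it confirms whether the value arrived encoded and whether the plugin decoded it without recording the secret; credentials_for_radius() shows the recombination that would be needed if a RADIUS server only understands the concatenated form.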

TinCanTech
Forum Team
Posts: 10692
Joined: Fri Jun 03, 2016 1:17 pm

Re: OpenVPN sends encoded password with extraneous info in env

Post by TinCanTech » Wed Jan 26, 2022 7:05 pm

I added some info here: viewtopic.php?f=4&t=33633#p104559

dorr13
OpenVpn Newbie
Posts: 12
Joined: Fri Jan 07, 2022 12:44 am

Re: OpenVPN sends encoded password with extraneous info in env

Post by dorr13 » Thu Jan 27, 2022 9:32 pm

I mostly agree with kitsune1, but don't understand the part about prompts used and requisite PAM configuration.

The poster is using OpenVPN 2.4.4 though, which doesn't have the split_scrv1_password() function in openvpn-plugin-auth-pam.so, so it isn't going to do the base64 decode. The problem is, doing decode via script and attempting to re-assert the password doesn't seem to affect the OpenVPN password environment variable. The poster should upgrade to 2.4.10 or newer to get decode functionality in the plugin.

I have tested custom scripts in combination with openvpn-plugin-auth-pam.so and found that regardless of ordering, the custom script has no effect on what is sent to the plugin. Custom scripts may be useful for other purposes, or may be used instead of the plugin (seems like a bad idea though).

In my case, I have used:
Server Config

plugin /usr/lib/x86_64-linux-gnu/openvpn/plugins/openvpn-plugin-auth-pam.so "openvpn_radius_totp login USERNAME password PASSWORD pin OTP"

# Many examples leave off everything after openvpn_radius_totp in the above, and variations I have tried all behave the same way. It is likely I am doing something wrong though.

In the above, openvpn_radius_totp refers to /etc/pam.d/openvpn_radius_totp, which contains:
auth required /usr/lib/x86_64-linux-gnu/security/pam_radius_auth.so
account required pam_permit.so

It is possible to use a pam-script [on Debian: apt-get install libpam-script] to verify what is being sent to PAM, but this would ideally be for troubleshooting non-production systems, and is not part of the OpenVPN configuration. A variation using pam-script (troubleshooting only):
auth required pam_exec.so expose_authtok debug log=/var/log/openvpn/test_out.log /usr/sbin/pam_openvpn_logger
auth required /usr/lib/x86_64-linux-gnu/security/pam_radius_auth.so
account required pam_permit.so

In the above, /usr/sbin/pam_openvpn_logger might include:
#!/usr/bin/env bash
# pam_exec with expose_authtok passes the password on stdin; PAM_USER comes from the environment.
read -r password

logfile="/var/log/openvpn/test_out.log"

echo "$(date +%Y%m%d-%H%M%S)" >> "$logfile"
echo "username: $PAM_USER" >> "$logfile"
echo "password: $password" >> "$logfile"

exit 0

# When testing using a method like this (above), obviously don't use real credentials
# I don't know how to observe the pin using this method

To direct RADIUS queries, I have libpam-radius-auth [Debian: apt-get install libpam-radius-auth], which creates /etc/pam_radius_auth.conf, containing:
<radius-server-address> <shared_secret> <timeout>

Static-challenge configuration for the client used for testing:
client

auth-user-pass
static-challenge pin 1

# Many variations on the static challenge have been posted. It doesn't seem like the phrasing matters.

In the Decode/separate link, the comment reads "the exact format depends on his pam set up and prompts used." I have seen many non-working variations posted, but not a coherent working example of OpenVPN authentication using static-challenge via PAM RADIUS that includes a working PAM stack. I am not sure I understand the pin dialog or the relationship between prompts used and required PAM configuration. Do you have a link for that?

Mostly related to Google Authenticator, but very similar:
https://github.com/google/google-authen ... issues/112
