not working with pam_google_authenticator


Post by Florin Andrei » Wed Apr 11, 2018 10:01 pm

Using openvpn 2.3.x and 2.4.x. Client is macOS 10.13 (either Tunnelblick or Viscosity). Server is Ubuntu 16.04.

Server config:

server.conf:

plugin /usr/lib/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn

/etc/pam.d/openvpn:

auth required /usr/local/lib/security/pam_google_authenticator.so secret=/etc/openvpn/google-auth-users/${USER} user=nobody echo_verification_code debug forward_pass
auth    required    pam_radius_auth.so debug use_first_pass
account    required    pam_permit.so debug

Client:

auth-user-pass
auth-retry interact

pamtester works just fine. I enter the Radius password first ("1234") and append the 6-digit Google Auth code to it.

# pamtester openvpn florin authenticate
Password & verification code: 1234017296
pamtester: successfully authenticated

Apr 11 14:52:48 vpn openvpn(pam_google_authenticator)[27348]: debug: start of google_authenticator for "florin"
Apr 11 14:52:48 vpn openvpn(pam_google_authenticator)[27348]: debug: Secret file permissions are 0400. Allowed permissions are 0600
Apr 11 14:52:48 vpn openvpn(pam_google_authenticator)[27348]: debug: "/etc/openvpn/google-auth-users/florin" read
Apr 11 14:52:48 vpn openvpn(pam_google_authenticator)[27348]: debug: shared secret in "/etc/openvpn/google-auth-users/florin" processed
Apr 11 14:53:05 vpn openvpn(pam_google_authenticator)[27348]: debug: no scratch code used from "/etc/openvpn/google-auth-users/florin"
Apr 11 14:53:05 vpn openvpn(pam_google_authenticator)[27348]: Accepted google_authenticator for florin
Apr 11 14:53:05 vpn openvpn(pam_google_authenticator)[27348]: debug: "/etc/openvpn/google-auth-users/florin" written
Apr 11 14:53:05 vpn pamtester[27348]: pam_radius_auth: Got user name florin
Apr 11 14:53:05 vpn pamtester[27348]: pam_radius_auth: Got password 1234
Apr 11 14:53:05 vpn pamtester[27348]: pam_radius_auth: Sending RADIUS request code 1
Apr 11 14:53:05 vpn pamtester[27348]: pam_radius_auth: DEBUG: getservbyname(radius, udp) returned -1088232320.
Apr 11 14:53:05 vpn pamtester[27348]: pam_radius_auth: Got RADIUS response code 2
Apr 11 14:53:05 vpn pamtester[27348]: pam_radius_auth: authentication succeeded

But with OpenVPN / Tunnelblick (or Viscosity) it never works. I get the user / pass prompt. I enter the username. For the password I do the same: Radius password appended with the Google Auth code. It fails every time.

I've even tried to launch openvpn in the CLI on the client. I get the same user / pass prompts. It fails the same way. So the problem is not with Tunnelblick or Viscosity.

Apr 11 13:00:41 vpn openvpn(pam_google_authenticator)[22925]: debug: start of google_authenticator for "florin"
Apr 11 13:00:41 vpn openvpn(pam_google_authenticator)[22925]: debug: Secret file permissions are 0400. Allowed permissions are 0600
Apr 11 13:00:41 vpn openvpn(pam_google_authenticator)[22925]: debug: "/etc/openvpn/google-auth-users/florin" read
Apr 11 13:00:41 vpn openvpn(pam_google_authenticator)[22925]: debug: shared secret in "/etc/openvpn/google-auth-users/florin" processed
Apr 11 13:00:41 vpn openvpn(pam_google_authenticator)[22925]: Invalid verification code for florin
Apr 11 13:00:41 vpn openvpn(pam_google_authenticator)[22925]: debug: "/etc/openvpn/google-auth-users/florin" written
Apr 11 13:00:41 vpn openvpn[22925]: pam_radius_auth: Got user name florin
Apr 11 13:00:41 vpn openvpn[22925]: pam_radius_auth: authentication failed

OpenVPN only works if I disable Google Auth and leave only Radius enabled.

I thought it's a problem with pam_google_authenticator, but OTOH this module works fine with pamtester on the command line.

There's something different with the way passwords are handled in OpenVPN that interacts badly with PAM.

Related discussion:

https://github.com/google/google-authen ... /issues/95

I'm out of ideas. Any suggestion is greatly appreciated.


Post by Florin Andrei » Tue May 15, 2018 1:42 am

Solution: In the server config file, after openvpn-plugin-auth-pam.so it's not enough to simply indicate the service name. You also have to tell it how to answer queries from the PAM stack. This works for me:

plugin /usr/lib/openvpn/plugins/openvpn-plugin-auth-pam.so "openvpn login USERNAME password PASSWORD"
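
As an added worked example (mine, not the poster's configuration or the plugin's code), this Python models the three pieces this thread turns on: how the `login USERNAME password PASSWORD` query list gets the entered string to the "Password & verification code:" prompt, how forward_pass peels the trailing 6-digit code off and hands the remainder to pam_radius_auth via use_first_pass, and the RFC 6238 TOTP check itself. The case-insensitive substring matching of prompt names and the base32 sample secret are assumptions, not facts taken from the thread.

```python
import base64
import hashlib
import hmac
import struct

# Constructed sample secret: the RFC 6238 SHA-1 test key, base32-encoded the way
# the first line of a google-authenticator secret file is stored. Not anyone's real secret.
SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()

def totp(secret_b32, unix_time, digits=6, step=30):
    """RFC 6238 TOTP over HMAC-SHA1, the code pam_google_authenticator verifies."""
    key = base64.b32decode(secret_b32)
    mac = hmac.new(key, struct.pack(">Q", unix_time // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"

def queries_from_plugin_args(args, username, entered):
    """Parse 'openvpn login USERNAME password PASSWORD' (service, then name/value pairs)
    into a prompt-name -> answer table; the bare service name yields an empty table."""
    tokens = args.split()[1:]
    subst = {"USERNAME": username, "PASSWORD": entered}
    return {tokens[i]: subst.get(tokens[i + 1], tokens[i + 1]) for i in range(0, len(tokens) - 1, 2)}

def answer_prompt(prompt, queries):
    """Assumed plugin behaviour: a PAM prompt is answered with the value whose name
    occurs, case-insensitively, in the prompt text; otherwise it goes unanswered."""
    for name, value in queries.items():
        if name.lower() in prompt.lower():
            return value
    return None

def forward_pass_split(entered, secret_b32, unix_time, window=1):
    """Model of forward_pass: the trailing 6 digits are the verification code, the rest
    is what pam_radius_auth sees via use_first_pass. Returns (accepted, forwarded)."""
    if len(entered) <= 6 or not entered[-6:].isdigit():
        return False, None
    password, code = entered[:-6], entered[-6:]
    for skew in range(-window, window + 1):  # tolerate one 30 s step of clock drift
        if hmac.compare_digest(code, totp(secret_b32, unix_time + 30 * skew)):
            return True, password
    return False, None

def simulate_login(username, entered, plugin_args, unix_time):
    """One attempt through the thread's stack: the plugin answers the OTP module's
    prompt, then forward_pass passes the remainder on to the RADIUS module."""
    queries = queries_from_plugin_args(plugin_args, username, entered)
    response = answer_prompt("Password & verification code: ", queries) or ""
    accepted, forwarded = forward_pass_split(response, SECRET_B32, unix_time)
    return {"otp_accepted": accepted, "radius_password": forwarded}
```

With the full query list the prompt receives "1234287082", the code verifies and "1234" reaches RADIUS; with the service name alone the prompt is never answered and the OTP step fails, which is the symptom the thread describes.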

Post by yhs » Mon Sep 30, 2019 8:31 pm

I had to use lib64 instead of lib, and also:

audit2allow -a -M allowopenvpn1
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i allowopenvpn1.pp

audit2allow -a


#============= openvpn_t ==============

#!!!! This avc is allowed in the current policy
allow openvpn_t auth_home_t:file { open unlink };

#!!!! This avc is allowed in the current policy
allow openvpn_t user_home_dir_t:dir { add_name remove_name write };

#!!!! This avc is allowed in the current policy
allow openvpn_t user_home_dir_t:file { create getattr open read rename setattr write };

#!!!! This avc is allowed in the current policy
allow openvpn_t user_home_t:file open;
