Server config (server.conf):
plugin /usr/lib/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn
/etc/pam.d/openvpn:
auth required /usr/local/lib/security/pam_google_authenticator.so secret=/etc/openvpn/google-auth-users/${USER} user=nobody echo_verification_code debug forward_pass
auth required pam_radius_auth.so debug use_first_pass
account required pam_permit.so debug
auth-user-pass
auth-retry interact
# pamtester openvpn florin authenticate
Password & verification code: 1234017296
pamtester: successfully authenticated
Apr 11 14:52:48 vpn openvpn(pam_google_authenticator)[27348]: debug: start of google_authenticator for "florin"
Apr 11 14:52:48 vpn openvpn(pam_google_authenticator)[27348]: debug: Secret file permissions are 0400. Allowed permissions are 0600
Apr 11 14:52:48 vpn openvpn(pam_google_authenticator)[27348]: debug: "/etc/openvpn/google-auth-users/florin" read
Apr 11 14:52:48 vpn openvpn(pam_google_authenticator)[27348]: debug: shared secret in "/etc/openvpn/google-auth-users/florin" processed
Apr 11 14:53:05 vpn openvpn(pam_google_authenticator)[27348]: debug: no scratch code used from "/etc/openvpn/google-auth-users/florin"
Apr 11 14:53:05 vpn openvpn(pam_google_authenticator)[27348]: Accepted google_authenticator for florin
Apr 11 14:53:05 vpn openvpn(pam_google_authenticator)[27348]: debug: "/etc/openvpn/google-auth-users/florin" written
Apr 11 14:53:05 vpn pamtester[27348]: pam_radius_auth: Got user name florin
Apr 11 14:53:05 vpn pamtester[27348]: pam_radius_auth: Got password 1234
Apr 11 14:53:05 vpn pamtester[27348]: pam_radius_auth: Sending RADIUS request code 1
Apr 11 14:53:05 vpn pamtester[27348]: pam_radius_auth: DEBUG: getservbyname(radius, udp) returned -1088232320.
Apr 11 14:53:05 vpn pamtester[27348]: pam_radius_auth: Got RADIUS response code 2
Apr 11 14:53:05 vpn pamtester[27348]: pam_radius_auth: authentication succeeded
I've even tried launching openvpn from the CLI on the client. I get the same user/pass prompts, and it fails the same way. So the problem is not with Tunnelblick or Viscosity.
Apr 11 13:00:41 vpn openvpn(pam_google_authenticator)[22925]: debug: start of google_authenticator for "florin"
Apr 11 13:00:41 vpn openvpn(pam_google_authenticator)[22925]: debug: Secret file permissions are 0400. Allowed permissions are 0600
Apr 11 13:00:41 vpn openvpn(pam_google_authenticator)[22925]: debug: "/etc/openvpn/google-auth-users/florin" read
Apr 11 13:00:41 vpn openvpn(pam_google_authenticator)[22925]: debug: shared secret in "/etc/openvpn/google-auth-users/florin" processed
Apr 11 13:00:41 vpn openvpn(pam_google_authenticator)[22925]: Invalid verification code for florin
Apr 11 13:00:41 vpn openvpn(pam_google_authenticator)[22925]: debug: "/etc/openvpn/google-auth-users/florin" written
Apr 11 13:00:41 vpn openvpn[22925]: pam_radius_auth: Got user name florin
Apr 11 13:00:41 vpn openvpn[22925]: pam_radius_auth: authentication failed
I thought it was a problem with pam_google_authenticator, but OTOH this module works fine with pamtester on the command line.
There's something different about the way passwords are handled in OpenVPN that interacts badly with PAM.
Related discussion:
https://github.com/google/google-authen ... /issues/95
I'm out of ideas. Any suggestion is greatly appreciated.
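The following is an added example, not part of the original post and not code from pam_google_authenticator or OpenVPN. It models what the PAM stack above is supposed to do with the single string the user types: with forward_pass, pam_google_authenticator treats the trailing 6 digits as the TOTP code, checks it against the per-user secret file, and forwards only the leading part (the "1234" that pam_radius_auth logs as "Got password 1234") to the next module. The secret-file layout (base32 secret on line 1, option lines starting with a double quote, then 8-digit scratch codes) is reproduced from my understanding of the module and is an assumption; the sample file uses the RFC 6238/4226 test key so the expected codes are known, and the WINDOW_SIZE handling is a simplification. Pure standard library, runs offline.

```python
"""Added example: forward_pass splitting and TOTP check as a PAM stack
like the one in the post would perform it (my own code, not the module's)."""
import base64
import hashlib
import hmac
import struct
import time

# Constructed secret file in the layout pam_google_authenticator writes
# (assumed).  Line 1 is the RFC 6238 test key "12345678901234567890" in
# base32; the two 8-digit lines are scratch codes.
SAMPLE_SECRET_FILE = """GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ
" RATE_LIMIT 3 30
" WINDOW_SIZE 3
" TOTP_AUTH
12345678
87654321
"""


def parse_secret_file(text):
    """Return (raw secret bytes, options dict, set of scratch codes)."""
    lines = text.splitlines()
    secret = base64.b32decode(lines[0].strip(), casefold=True)
    options = {}
    scratch = set()
    for line in lines[1:]:
        line = line.strip()
        if not line:
            continue
        if line.startswith('"'):          # option line, e.g. " WINDOW_SIZE 3
            parts = line[1:].split()
            options[parts[0]] = parts[1:]
        elif line.isdigit() and len(line) == 8:
            scratch.add(line)            # one-time scratch code
    return secret, options, scratch


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP with HMAC-SHA1 and dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (digits, code % (10 ** digits))


def totp(secret, now, step=30, digits=6):
    """RFC 6238 TOTP: HOTP over the 30-second counter for time `now`."""
    return hotp(secret, int(now) // step, digits)


def verify_totp(secret, code, now, window=3, step=30):
    """Accept the code for the current step plus (window // 2) steps on
    each side, comparing in constant time."""
    centre = int(now) // step
    half = window // 2
    return any(hmac.compare_digest(hotp(secret, c), code)
               for c in range(centre - half, centre + half + 1))


def authenticate(typed, secret_text, now):
    """Model of the forward_pass behaviour.  Returns
    (accepted, password_to_forward_to_next_module, reason)."""
    secret, options, scratch = parse_secret_file(secret_text)
    window = int(options.get("WINDOW_SIZE", ["3"])[0])
    # Primary path: last 6 characters are the TOTP code, rest is the password.
    if len(typed) > 6 and typed[-6:].isdigit():
        if verify_totp(secret, typed[-6:], now, window):
            return True, typed[:-6], "totp"
    # Fallback: last 8 digits may be an unused scratch code.
    if len(typed) > 8 and typed[-8:].isdigit() and typed[-8:] in scratch:
        return True, typed[:-8], "scratch"
    return False, None, "Invalid verification code"


if __name__ == "__main__":
    now = time.time()
    secret = parse_secret_file(SAMPLE_SECRET_FILE)[0]
    # Simulate what the user would type: RADIUS password + current code.
    print(authenticate("1234" + totp(secret, now), SAMPLE_SECRET_FILE, now))
```

If the string that reaches the module is not password+code in that exact shape (for example only the password, or the code and password swapped), the 6-digit check fails and the result is exactly the "Invalid verification code" line seen in the OpenVPN log, while pamtester, which hands the whole typed string through unchanged, succeeds.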