[SOLVED] Problem with Auth-user

[rosol]

Hi,
After added auth0user-pass-verify, plugin /usr/lib/openvpn/openvpn-auth-pam.so common-auth i have problem with connection to server. Below logs and configs.

Server side:
dev tun
tun-mtu 1500
local 192.168.2.5
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
#push "redirect-gateway"
push "dhcp-option DNS 192.168.2.1"
push "dhcp-option WINS 192.168.2.1"
push "route 192.168.2.0 255.255.255.0"
push "route 10.8.0.0 255.255.255.0"
port 5050
;user nobody
;group nogroup
comp-lzo
keepalive 10 120
inactive 3600
tls-server
verb 5
proto tcp
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
;crl-verify /etc/ssl/crl.pem
plugin /usr/lib/openvpn/openvpn-auth-pam.so common-auth
#username-as-common-name
auth-user-pass-verify /etc/openvpn/vpncheckCN-user.sh via-env
dh /etc/openvpn/keys/dh1024.pem
client-to-client
client-config-dir ccd
ccd-exclusive
script-security 3
tls-verify "/etc/openvpn/vpncheckCN-cert.sh /etc/openvpn/userlist.txt"
status /var/log/openvpn-status.log
log /var/log/openvpn.log
ns-cert-type client
persist-key
persist-tun
Client side:

client
;dev tap
dev tun
;dev-node MyTap
proto tcp
;proto udp
remote xxx.xxx.xxx.xxx 5050
resolv-retry infinite
nobind
;user nobody
;group nobody
persist-key
persist-tun
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]
mute-replay-warnings
ca ca.crt
cert client.crt
key client.key
ns-cert-type server
;tls-auth ta.key 1
;log openvpn.log
;log-append "C:\\Program Files (x86)\\OpenVPN\\log\\openvpn.log"
;cipher x
comp-lzo
verb 4
;mute 20
keepalive 10 120
tls-client
auth-user-pass

Thankful for help.

[janjust]

you're using 3 methods to filter out users:

plugin /usr/lib/openvpn/openvpn-auth-pam.so common-auth
auth-user-pass-verify /etc/openvpn/vpncheckCN-user.sh via-env
tls-verify "/etc/openvpn/vpncheckCN-cert.sh /etc/openvpn/userlist.txt"

how are you sure it's the openvpn-auth-pam that is failing? if it is, then the server log should show it (with 'verb 5') and the system messages (/var/log/messages or /var/log/daemon) should also show something.

[rosol]

From Auth.log

May 15 08:36:29 Andromeda openvpn[13941]: pam_unix(common-auth:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=rosol
May 15 08:36:45 Andromeda openvpn[13941]: pam_unix(common-auth:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=rosol
May 15 08:37:01 Andromeda openvpn[13941]: pam_unix(common-auth:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=rosol
May 15 08:49:28 Andromeda su[18111]: pam_unix(su:session): session closed for user root
From openvpn.log:

WRWRWRWRWWWWRWRWWWRWRWRWRWWRWRWRRRRWRWRWRAUTH-PAM: BACKGROUND: received command code: 0
168 AUTH-PAM: BACKGROUND: USER: rosol
169 AUTH-PAM: BACKGROUND: my_conv[0] query='Password: ' style=1
170 AUTH-PAM: BACKGROUND: user 'rosol' failed to authenticate: Authentication failure
171 Wed May 15 08:37:03 2013 us=134356 31.61.16.150:49258 PLUGIN_CALL: POST /usr/lib/openvpn/openvpn-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
172 Wed May 15 08:37:03 2013 us=134380 31.61.16.150:49258 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/lib/openvpn/openvpn-auth-pam.so
173 Wed May 15 08:37:03 2013 us=136110 31.61.16.150:49258 TLS Auth Error: Auth Username/Password verification failed for peer
174 WWWRRRWed May 15 08:37:03 2013 us=792661 31.61.16.150:49258 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
175 Wed May 15 08:37:03 2013 us=792694 31.61.16.150:49258 [rosol] Peer Connection Initiated with [AF_INET]31.61.16.150:49258
176 RWed May 15 08:37:06 2013 us=276648 31.61.16.150:49258 PUSH: Received control message: 'PUSH_REQUEST'
177 Wed May 15 08:37:06 2013 us=276669 31.61.16.150:49258 Delayed exit in 5 seconds
178 Wed May 15 08:37:06 2013 us=276687 31.61.16.150:49258 SENT CONTROL [rosol]: 'AUTH_FAILED' (status=1)
179 WWWed May 15 08:37:06 2013 us=730358 31.61.16.150:49258 Connection reset, restarting [0]
180 Wed May 15 08:37:06 2013 us=730387 31.61.16.150:49258 SIGUSR1[soft,connection-reset] received, client-instance restarting
181 Wed May 15 08:37:06 2013 us=730484 TCP/UDP: Closing socket

[rosol]

I think this problem is insoluble...

[janjust]

these log lines

172 Wed May 15 08:37:03 2013 us=134380 31.61.16.150:49258 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/lib/openvpn/openvpn-auth-pam.so
173 Wed May 15 08:37:03 2013 us=136110 31.61.16.150:49258 TLS Auth Error: Auth Username/Password verification failed for peer

say that the username+password combination do not match - which pam config file are you using?

[rosol]

common-auth:

auth [success=1 default=ignore] pam_unix.so nullok_secure
auth requisite pam_deny.so
auth required pam_permit.so

[janjust]

so it seems you're authenticating against the system password database - is this correct? if so, are you passing the right username+password?

[rosol]

User exist in system so its correctly i think. Everytime i login on this account so password must be fine.

[janjust]

try changing the server config line

plugin /usr/lib/openvpn/openvpn-auth-pam.so common-auth

to

Code: Select all

plugin /usr/lib/openvpn/openvpn-auth-pam.so common-auth login USERNAME password PASSWORD

This instructs the auth-pam module to look for the pam responses 'login' and 'password'

[rosol]

Failed :/
openvpn.log:

20 WRWRWRWRWWWWRWRWWWRWRWRWRWRWRWRWRRRRWRWRWRAUTH-PAM: BACKGROUND: received command code: 0
21 AUTH-PAM: BACKGROUND: USER: rosol
22 AUTH-PAM: BACKGROUND: my_conv[0] query='login:' style=2
23 AUTH-PAM: BACKGROUND: name match found, query/match-string ['login:', 'login'] = 'USERNAME'
24 AUTH-PAM: BACKGROUND: my_conv[0] query='Password: ' style=1
25 AUTH-PAM: BACKGROUND: name match found, query/match-string ['Password: ', 'password'] = 'PASSWORD'
26 Wed May 15 14:10:33 2013 us=25365 31.61.16.150:50476 PLUGIN_CALL: POST /usr/lib/openvpn/openvpn-auth-pam.so/PLUGIN_AUTH_USER_PASS _VERIFY status=0
27 Wed May 15 14:10:33 2013 us=26883 31.61.16.150:50476 TLS Auth Error: Auth Username/Password verification failed for peer
28 WWWRRWed May 15 14:10:33 2013 us=650594 31.61.16.150:50476 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bi t RSA
29 Wed May 15 14:10:33 2013 us=650630 31.61.16.150:50476 [rosol] Peer Connection Initiated with [AF_INET]31.61.16.150:50476
30 RWed May 15 14:10:36 2013 us=104217 31.61.16.150:50476 PUSH: Received control message: 'PUSH_REQUEST'
31 Wed May 15 14:10:36 2013 us=104240 31.61.16.150:50476 Delayed exit in 5 seconds
32 Wed May 15 14:10:36 2013 us=104258 31.61.16.150:50476 SENT CONTROL [rosol]: 'AUTH_FAILED' (status=1)
33 WWWed May 15 14:10:36 2013 us=572184 31.61.16.150:50476 Connection reset, restarting [0]
34 Wed May 15 14:10:36 2013 us=572213 31.61.16.150:50476 SIGUSR1[soft,connection-reset] received, client-instance restarting
35 Wed May 15 14:10:36 2013 us=572334 TCP/UDP: Closing socket

[rosol]

What's mean: "WRWRWRWRWWWWRWRWWWRWRWRWRWRWRWRWRRRRWRWRWR" ?
It is error ?

[janjust]

the "RWRW" lines indicate activity : R=Read W=Write

your authentication step is still blocking somewhere:

27 Wed May 15 14:10:33 2013 us=26883 31.61.16.150:50476 TLS Auth Error: Auth Username/Password verification failed for peer

though this is a slightly different error than before; comment out the other verifications steps (tls-verify, client-connect) and retry.

[rosol]

You're right, this line below causes problem:
auth-user-pass-verify /etc/openvpn/vpncheckCN-user.sh via-env.
When i change script to "auth-pam.pl" i receive log below:

373 WRWRWRWRWWWWRWRWWWRWRWRWRWRWRWRWRRRRWRWRWRCan't locate Authen/PAM.pm in @INC (@INC contains: /etc/perl /usr/local/lib/perl/5.10.1 /usr/local/share/perl/5.10.1 /usr/lib/perl5 /usr/share/perl5 /usr/lib/perl/5.10 /usr/share/perl/5.10 /usr/local/lib/site_perl) a t /etc/openvpn/auth-pam.pl line 30.
374 BEGIN failed--compilation aborted at /etc/openvpn/auth-pam.pl line 30.
375 Wed May 15 15:58:21 2013 us=830746 31.61.16.150:50925 TLS Auth Error: Auth Username/Password verification failed for peer
376 WWWRRWed May 15 15:58:22 2013 us=430960 31.61.16.150:50925 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bi t RSA
377 Wed May 15 15:58:22 2013 us=430998 31.61.16.150:50925 [rosol] Peer Connection Initiated with [AF_INET]31.61.16.150:50925
378 RWed May 15 15:58:25 2013 us=43220 31.61.16.150:50925 PUSH: Received control message: 'PUSH_REQUEST'
379 Wed May 15 15:58:25 2013 us=43236 31.61.16.150:50925 Delayed exit in 5 seconds
380 Wed May 15 15:58:25 2013 us=43253 31.61.16.150:50925 SENT CONTROL [rosol]: 'AUTH_FAILED' (status=1)
381 WWWed May 15 15:58:25 2013 us=470759 31.61.16.150:50925 Connection reset, restarting [0]
382 Wed May 15 15:58:25 2013 us=470788 31.61.16.150:50925 SIGUSR1[soft,connection-reset] received, client-instance restarting
383 Wed May 15 15:58:25 2013 us=470887 TCP/UDP: Closing socket

I'm confused.

[rosol]

Ok I downloaded libauthen-simple-pam-perl pkg and this problem:
373 WRWRWRWRWWWWRWRWWWRWRWRWRWRWRWRWRRRRWRWRWRCan't locate Authen/PAM.pm in @INC (@INC contains: /etc/perl /usr/local/lib/perl/5.10.1 /usr/local/share/perl/5.10.1 /usr/lib/perl5 /usr/share/perl5 /usr/lib/perl/5.10 /usr/share/perl/5.10 /usr/local/lib/site_perl) a t /etc/openvpn/auth-pam.pl line 30.
374 BEGIN failed--compilation aborted at /etc/openvpn/auth-pam.pl line 30.
disappeared. But still have:
20 WRWRWRWRWWWWRWRWWWRWRWRWRWRWRWRWRRRRWRWRWRAUTH-PAM: BACKGROUND: received command code: 0
21 AUTH-PAM: BACKGROUND: USER: rosol
22 AUTH-PAM: BACKGROUND: my_conv[0] query='Password: ' style=1
23 Thu May 16 08:35:54 2013 us=80632 37.225.126.164:49262 PLUGIN_CALL: POST /usr/lib/openvpn/openvpn-auth-pam.so/PLUGIN_AUTH_USER_PA SS_VERIFY status=0
24 No username/password file specified on command line
25 Thu May 16 08:35:54 2013 us=100359 37.225.126.164:49262 TLS Auth Error: Auth Username/Password verification failed for peer
26 WWWRRThu May 16 08:35:54 2013 us=557900 37.225.126.164:49262 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
27 Thu May 16 08:35:54 2013 us=557938 37.225.126.164:49262 [rosol] Peer Connection Initiated with [AF_INET]37.225.126.164:49262
28 RThu May 16 08:35:56 2013 us=850875 37.225.126.164:49262 PUSH: Received control message: 'PUSH_REQUEST'
29 Thu May 16 08:35:56 2013 us=850893 37.225.126.164:49262 Delayed exit in 5 seconds
30 Thu May 16 08:35:56 2013 us=850912 37.225.126.164:49262 SENT CONTROL [rosol]: 'AUTH_FAILED' (status=1)
31 WWThu May 16 08:35:57 2013 us=246299 37.225.126.164:49262 Connection reset, restarting [0]
32 Thu May 16 08:35:57 2013 us=246322 37.225.126.164:49262 SIGUSR1[soft,connection-reset] received, client-instance restarting
33 Thu May 16 08:35:57 2013 us=246410 TCP/UDP: Closing socket

[rosol]

This line:
No username/password file specified on command line
means that i need specified file with username and password? nonsense

[rosol]

problem was here:
auth-user-pass-verify /etc/openvpn/auth-pam.pl via-file
I exchanged via-env on via-file and it work .
Thank You janjust for help. Close topic