Page 1 of 1
pam authentication
Posted: Sun Apr 30, 2017 7:43 am
by fthomas
Dear all,
this might be off topic, since strictly speaking it is not about the openvpn server but rather how the authentication should happen via PAM.
The reason I'm posting here is because I've build the server myself (2.4.1) rather than using the one that is packages with my OS (Ubuntu Xenial)
In a nutshell :
My OS : Ubuntu Xenial x86_64
Open VPN 2.4.1 I've configured it with : ./configure --prefix=/opt/openvpn-2.4.1 --enable-systemd --enable-plugin-auth-pam
My server.conf :
Code: Select all
port 1194
proto udp4
dev tun
ca /opt/openvpn-2.4.1/etc/ssl/ca.cer
cert /opt/openvpn-2.4.1/etc/ssl/inter.cer
key /opt/openvpn-2.4.1/etc/ssl/inter.prv.key # This file should be kept secret
dh /opt/openvpn/etc/ssl/dh2048.pem
server 10.18.18.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
cipher AES-128-CBC
persist-key
persist-tun
comp-lzo
explicit-exit-notify 1
user vpnd
group nogroup
plugin /opt/openvpn/lib/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn
client-cert-not-required
verb 256
status /opt/openvpn/log/status.log
log /opt/openvpn/log/server.log
My openvpn PAM config (/etc/pam.d/openvpn)
Code: Select all
auth required pam_permit.so
account required pam_permit.so
Now, of course I understand that that there is not much authentication involved in this setup but the weird this that even like this, when I try to connect to the server I get "AUTH: Received control message: AUTH_FAILED", so I must be doing something fundamentally wrong.
My connection command :
Code: Select all
sudo /usr/sbin/openvpn --verb 3 --remote myserv --comp-lzo --dev tun --auth-user-pass --cipher AES-128-CBC --client --ca /home/thf/temp/certs/ca.cer
Of course I've also tried with pam_uinx but I got the same result (even after providing a username & password that works for ssh
Can anybody give me a hint ?
Re: pam authentication
Posted: Sun Apr 30, 2017 9:28 am
by TiTex
fthomas wrote:
Code: Select all
auth required pam_permit.so
account required pam_permit.so
why would you want to do that ?
in any case , you'll need to include the
session group too , and even so i'm not sure it will work with openvpn
Code: Select all
auth required pam_permit.so
account required pam_permit.so
session required pam_permit.so
Re: pam authentication
Posted: Sun Apr 30, 2017 11:21 am
by fthomas
Indeed you got a point, not much authentication in that, I just wanted to have a baseline environment working. From there I intend to work my way up to LDAP authentication.
Anyway, the point is that even with this setup (all service with pam_permit) I still get " AUTH_FAILED".
Shouldn't this be working (no matter what username & password) I provide ?
Alternatively can you suggest the simplest pam setup based on pam_unix (so that username/password would be taken into account) ?
Re: pam authentication
Posted: Sun Apr 30, 2017 12:11 pm
by TiTex
you need a valid user account , you can use the 'login' service/file as a template if you want PAM authentication
you can also set up PAM to get user accounts from LDAP and still use the openvpn pam module for authentication , but first i suggest reading more about PAM , and then check out ubuntu's documentation about setting up LDAP authentication with pam modules , and adapt it to the openvpn service.
Re: pam authentication
Posted: Sun Apr 30, 2017 1:57 pm
by TiTex
It turns out that you don't need the session group or a valid username for the pam_permit with openvpn , that's strange
anyhow it seems you're doing something wrong
configs used with centos 7 (openvpn 2.4.1) server and windows client
server config
Code: Select all
dev tun
proto udp
port 1194
topology subnet
server 10.11.11.0 255.255.255.0
keepalive 10 60
persist-tun
persist-key
log-append server.log
verb 7
ca ca.crt
cert server.crt
key server.key
dh dh.pem
verify-client-cert none
username-as-common-name
plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn
Code: Select all
auth required pam_permit.so
account required pam_permit.so
Code: Select all
client
dev tun
proto udp
remote remote-ip 1194
resolv-retry infinite
nobind
persist-key
persist-tun
auth-user-pass
ca ca.crt
AUTH-PAM: BACKGROUND: received command code: 0
AUTH-PAM: BACKGROUND: USER: sdfds
PLUGIN_CALL: POST /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=0
TLS: Username/Password authentication succeeded for username 'sdfds' [CN SET]
Re: pam authentication
Posted: Mon May 01, 2017 8:55 am
by fthomas
Dears,
I've noticed that if I start the server from the command line (as opposed to systemd) the authentication does work.
Then I found this :
https://bugs.launchpad.net/ubuntu/+sour ... ug/1511524
Following what's described there, I've added CAP_AUDIT_WRITE to the CapabilityBoundingSet in the systemd unit file, and voila... I can authenticate
Re: pam authentication
Posted: Mon May 01, 2017 2:58 pm
by TiTex
i used systemd to start the service
although the unit files differ between rhel based distros and debian based ones