Can't get pam authentication to work

[jdh28]

I'm running openvpn 2.4.0 on Debian Stretch. Ultimately I want to authenticate against Active Directory using Kerberos, but as that wasn't working, I disabled pam_krb5 and I'm just attempting to authenticate with a local user.

Currently, I get the error:

Code: Select all

AUTH-PAM: BACKGROUND: user 'john' failed to authenticate: System error
10.21.43.233:50183 PLUGIN_CALL: POST /usr/lib/openvpn/openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
10.21.43.233:50183 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/lib/openvpn/openvpn-plugin-auth-pam.so
10.21.43.233:50183 TLS Auth Error: Auth Username/Password verification failed for peer

In the auth.log, I see

Code: Select all

openvpn: PAM audit_log_acct_message() failed: Operation not permitted

My server configuration is:

View OriginalServer Config

1

port 1194

2

3

proto udp

4

5

dev tun0

6

7

ca ca.crt

8

9

cert server.crt

10

11

key server.key

12

13

dh dh1024.pem

14

15

server 10.21.44.0 255.255.255.0

16

17

ifconfig-pool-persist /var/local/openvpn/ipp.txt

18

19

push "route 10.21.42.0 255.255.255.0"

20

21

push "route 93.93.129.77 255.255.255.255"

22

23

push "route 46.235.225.158 255.255.255.255"

24

25

route 10.21.45.0 255.255.255.0

26

27

push "dhcp-option DNS 10.21.44.1"

28

29

push "dhcp-option DOMAIN ctg.local"

30

31

duplicate-cn

32

33

push "ping-restart 0"

34

35

comp-lzo

36

37

user openvpn

38

39

group nogroup

40

41

persist-key

42

43

persist-tun

44

45

status /var/log/openvpn-status.log

46

47

log-append /var/log/openvpn.log

48

49

verb 3

50

51

crl-verify crl.pem

52

1

port 1194

2

proto udp

3

dev tun0

4

ca ca.crt

5

cert server.crt

6

key server.key

7

dh dh1024.pem

8

server 10.21.44.0 255.255.255.0

9

ifconfig-pool-persist /var/local/openvpn/ipp.txt

10

push "route 10.21.42.0 255.255.255.0"

11

push "route 93.93.129.77 255.255.255.255"

12

push "route 46.235.225.158 255.255.255.255"

13

route 10.21.45.0 255.255.255.0

14

push "dhcp-option DNS 10.21.44.1"

15

push "dhcp-option DOMAIN ctg.local"

16

duplicate-cn

17

push "ping-restart 0"

18

comp-lzo

19

user openvpn

20

group nogroup

21

persist-key

22

persist-tun

23

status /var/log/openvpn-status.log

24

log-append /var/log/openvpn.log

25

verb 3

26

crl-verify crl.pem

And /etc/pam.d/openvpn looks like this:

View OriginalPAM config

1

auth required pam_unix.so shadow nodelay debug

2

1

auth required pam_unix.so shadow nodelay debug

I used sasl2 to test the PAM configuration, and it seems to be working correctly for the local user:

Code: Select all

# saslauthd -d -a pam -m /var/run/saslauthd &
# testsaslauthd -u john -p ******** -s openvpn

saslauthd[3357] :released accept lock
saslauthd[3367] :acquired accept lock
saslauthd[3357] :auth success: [user=john] [service=openvpn] [realm=] [mech=pam]
saslauthd[3357] :response: OK
0: OK "Success."

It seems that the 'Operation not permitted' error is then being reported by openvpn as a 'System error', but I don't know what I can do next to debug this any further.

[TinCanTech]

Try removing these from your server (to test) :

Code: Select all

user openvpn
group nogroup

[jdh28]

Just tried removing the user and group lines, but still no joy.

[TinCanTech]

And restart the server (just saying to make sure)

[jdh28]

Hi,

It's always good to make sure! I did restart it and to make sure I ran 'ps' to check that it was now running under root, which it was.

This morning, I ran openvpn manually under strace to try and shed more light on where it was going wrong, and lo and behold it worked! It turns out that the Debian systemd configuration is too restrictive. It has:

Code: Select all

CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE

By doing a binary chop on the full set of capabilities, I've been able to determine that CAP_AUDIT_WRITE is missing. Adding this enables openvpn to work. I'll file a bug with Debian.

Thanks for your help,
John

[jdh28]

This issue is that Debian and Openvpn both ship systemd unit definitions, and in fact there is a bug to that effect: https://bugs.debian.org/cgi-bin/bugrepo ... bug=866523. I was using the Openvpn one, but the Debian one does include the necessary additional capability.

[dazo]

Thanks for a great debugging! Yes, it is quite likely CAP_AUDIT_WRITE is lacking. I will look into that.

Please file this issue in the OpenVPN Trac instance, we try to ensure all distributions ship our openvpn-server@.service and openvpn-client@.service unit files unmodified. This is to ensure the behaviour is identical across all Linux systemd based distributions - something which is far more easy with systemd unit files than earlier. And feel free to assign it to me.

Just log into https://community.openvpn.net/openvpn using the same username/password as you use here on the forums and you can file a new bug.

[jdh28]

Bug already entered: https://community.openvpn.net/openvpn/ticket/918.

[alefello]

Hello everybody

Sorry for necro posting but I think I don't have permissions to open a new topic, and my problem is very similar to this.

I've a VPN server with Debian 11 and OpenVPN where PAM authentication works only if I start OpenVPN server manually from root account. If I leave it start automatically from system services (I think is systemd this way) the VPN server starts but authentication from client always fails. The client behavior in this case is weird, it doesn't say authentication failed or wrong password or other, but it continues to write a message about "timeout" or "waiting" (I don't remember, I've to check again) but anyway it doesn't bring VPN up.
I already checked the systemd configuration and CAP_AUDIT_WRITE is already there.
What else could it be the problem?
Thank you

PS: in these days I've problems with openvpn forum; ofwn it gave "too many connections to database" error; does it happen to everybody?