google_auth_pam with static-challenge not working
Moderators: TinCanTech
Forum rules
Please use the [oconf] BB tag for openvpn Configurations. See viewtopic.php?f=30&t=21589 for an example.
-
- OpenVpn Newbie
- Posts: 13
- Joined: Sat Nov 30, 2019 9:03 pm
google_auth_pam with static-challenge not working
Hello All!
I am running Centos 7 with Openvpn:
OpenVPN 2.4.6 x86_64-redhat-linux-gnu [Fedora EPEL patched] [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 26 2018
I have configured /etc/pam.d/openvpn:
auth [success=1 default=ignore] pam_unix.so nullok_secure
auth required /lib64/security/pam_google_authenticator.so authtok_prompt=pin
Also server.conf:
plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so "openvpn login: USERNAME Password: PASSWORD pin OTP"
I am curious whether this version of OpenVPN Community supports Google Authenticator or whether I need to compile it from source. Does anybody know or have better insight?
-
- OpenVpn Newbie
- Posts: 13
- Joined: Sat Nov 30, 2019 9:03 pm
Re: google_auth_pam with static-challenge not working
These are the errors I get in /var/log/secure:
Dec 2 21:09:48 ip-172-10-2-190 openvpn(pam_google_authenticator)[10712]: debug: start of google_authenticator for "user"
Dec 2 21:09:48 ip-172-10-2-190 openvpn(pam_google_authenticator)[10712]: debug: Secret file permissions are 0400. Allowed permissions are 0600
Dec 2 21:09:48 ip-172-10-2-190 openvpn(pam_google_authenticator)[10712]: debug: "/home/user/.google_authenticator" read
Dec 2 21:09:48 ip-172-10-2-190 openvpn(pam_google_authenticator)[10712]: debug: shared secret in "/home/user/.google_authenticator" processed
Dec 2 21:09:48 ip-172-10-2-190 openvpn(pam_google_authenticator)[10712]: Invalid verification code for user
-
- OpenVpn Newbie
- Posts: 13
- Joined: Sat Nov 30, 2019 9:03 pm
Re: google_auth_pam with static-challenge not working
On the client which is viscosity I have:
static-challenge "Google Authenticator Code:" 1
-
- OpenVpn Newbie
- Posts: 13
- Joined: Sat Nov 30, 2019 9:03 pm
Re: google_auth_pam with static-challenge not working
Also to note I have OpenVPN working with viscosity fine with this config:
port 1194
proto udp
dev tun
sndbuf 0
rcvbuf 0
ca ca.crt
cert server.crt
key server.key
dh dh.pem
plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn
auth SHA512
tls-auth ta.key 0
topology subnet
server 10.x.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
reneg-sec 36000
#push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 172.x.x.x"
# Some Pushed Routes Here
push "route 172.x.0.0 255.255.0.0"
keepalive 10 120
cipher AES-256-CBC
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3
crl-verify crl.pem
log-append /var/log/openvpn.log
Last edited by dkudos on Tue Dec 03, 2019 2:05 pm, edited 1 time in total.
-
- OpenVpn Newbie
- Posts: 13
- Joined: Sat Nov 30, 2019 9:03 pm
Re: google_auth_pam with static-challenge not working
The working PAM config /etc/pam.d/openvpn:
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth required pam_google_authenticator.so forward_pass
auth include system-auth
account include system-auth
password include system-auth
-
- OpenVpn Newbie
- Posts: 13
- Joined: Sat Nov 30, 2019 9:03 pm
Re: google_auth_pam with static-challenge not working
Then in Viscosity I am using this Client config for a working system:
remote x.x.x.x 1194 udp
nobind
dev tun
persist-tun
persist-key
pull
auth-user-pass
tls-client
ca ca.crt
cert cert.crt
key key.key
remote-cert-tls server
tls-auth ta.key 1
resolv-retry infinite
setenv opt block-outside-dns
rcvbuf 0
cipher AES-256-CBC
auth SHA512
sndbuf 0
-
- OpenVpn Newbie
- Posts: 13
- Joined: Sat Nov 30, 2019 9:03 pm
Re: google_auth_pam with static-challenge not working
This works in the way that the client opens and it asks you for:
USER
PASSWORD+OTP
example:
User=dude
Password=mypass123456
My problem is that I want to do this:
USER
PASSWORD
OTP
example:
User=dude
Password=mypass
Otp=123456
When I try to do the separate OTP I can configure Viscosity fine to ask for the OTP separately, but I think the issue lies in my PAM config /etc/pam.d/openvpn. I need your help to get the OTP passed correctly, separate from the PASSWORD.
Here is what I currently see as an error when trying to do this (verb 4 in config, FYI):
AUTH-PAM: BACKGROUND: received command code: 0
AUTH-PAM: BACKGROUND: USER: user
AUTH-PAM: BACKGROUND: my_conv[0] query='login:' style=2
AUTH-PAM: BACKGROUND: name match found, query/match-string ['login:', 'login'] = 'USERNAME'
AUTH-PAM: BACKGROUND: my_conv[0] query='pin' style=1
AUTH-PAM: BACKGROUND: name match found, query/match-string ['pin', 'pin'] = 'OTP'
AUTH-PAM: BACKGROUND: my_conv[0] query='Password: ' style=1
AUTH-PAM: BACKGROUND: name match found, query/match-string ['Password: ', 'password'] = 'PASSWORD'
AUTH-PAM: BACKGROUND: user 'user' failed to authenticate: Authentication failure
Tue Dec 3 14:40:34 2019 us=757401 x.x.x.x:56947 PLUGIN_CALL: POST /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
Tue Dec 3 14:40:34 2019 us=757440 x.x.x.x:56947 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so
Tue Dec 3 14:40:34 2019 us=757487 x.x.x.x:56947 TLS Auth Error: Auth Username/Password verification failed for peer
Tue Dec 3 14:40:34 2019 us=780941 x.x.x.x:56947 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Tue Dec 3 14:40:34 2019 us=780983 x.x.x.x:56947 [user] Peer Connection Initiated with [AF_INET]x.x.x.x:56947
Tue Dec 3 14:40:34 2019 us=784967 x.x.x.x:56947 PUSH: Received control message: 'PUSH_REQUEST'
Tue Dec 3 14:40:34 2019 us=784987 x.x.x.x:56947 Delayed exit in 5 seconds
Tue Dec 3 14:40:34 2019 us=784999 x.x.x.x:56947 SENT CONTROL [user]: 'AUTH_FAILED' (status=1)
Tue Dec 3 14:40:40 2019 us=36751 x.x.x.x:56947 SIGTERM[soft,delayed-exit] received, client-instance exiting
Here is what I am trying in the configs (I have tried with and without quotes around the plugin argument group, same result):
Server config (/etc/openvpn/server.conf):
port 1194
proto udp
dev tun
sndbuf 0
rcvbuf 0
ca ca.crt
cert server.crt
key server.key
dh dh.pem
plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so "openvpn login USERNAME password PASSWORD pin OTP"
#plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn
auth SHA512
tls-auth ta.key 0
topology subnet
server 10.x.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
reneg-sec 36000
#push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 172.x.x.x"
# Some Pushed Routes Here
push "route 172.x.0.0 255.255.0.0"
keepalive 10 120
cipher AES-256-CBC
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 4
crl-verify crl.pem
log-append /var/log/openvpn.log
PAM config I am trying to use ( /etc/pam.d/openvpn ):
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
#auth required pam_google_authenticator.so forward_pass
auth required pam_google_authenticator.so authtok_prompt=pin debug
auth include system-auth
account include system-auth
password include system-auth
Viscosity client config I am using:
remote x.x.x.x 1194 udp
nobind
dev tun
persist-tun
persist-key
pull
auth-user-pass
tls-client
ca ca.crt
cert cert.crt
key key.key
remote-cert-tls server
tls-auth ta.key 1
resolv-retry infinite
setenv opt block-outside-dns
rcvbuf 0
cipher AES-256-CBC
auth SHA512
static-challenge "Google Authenticator Code:" 1
sndbuf 0
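The following is an added example, not code from this thread or from OpenVPN itself: a small Python model of what the auth-pam plugin's name/value arguments do with the prompts seen in the log above, and of the two ways a one-time code can reach pam_google_authenticator. With --static-challenge the client sends the password field in OpenVPN's documented SCRV1 form, SCRV1:<base64 password>:<base64 response>, so the "pin OTP" mapping only does something useful with a plugin build that splits that field; with forward_pass the user types password+code in one field and the PAM module strips the trailing digits itself. The prompt-matching rule (skip leading non-alphanumerics, then a case-insensitive prefix match) follows what the plugin's own log lines show. The credentials, prompt strings and the scrv1_support switch are constructed for the example; the behaviour modelled for a plugin without SCRV1 support (raw field handed over as PASSWORD, the literal string "OTP" given as the pin answer) is an assumption drawn from the "Invalid verification code" and pam_unix failures reported in this thread, not something verified against src/plugins/auth-pam/auth-pam.c.

```python
# Added example: model of the OpenVPN auth-pam plugin's prompt mapping and of
# the two OTP delivery modes discussed in the thread. Not the plugin's code.
import base64

SCRV1_PREFIX = "SCRV1:"


def encode_scrv1(password: str, response: str) -> str:
    """Build the password field a client sends when --static-challenge is set."""
    def b64(s: str) -> str:
        return base64.b64encode(s.encode()).decode()
    return f"{SCRV1_PREFIX}{b64(password)}:{b64(response)}"


def parse_scrv1(password_field: str):
    """Return (password, response). A field without the SCRV1 prefix is a plain
    password and yields response=None. Malformed input raises ValueError."""
    if not password_field.startswith(SCRV1_PREFIX):
        return password_field, None
    parts = password_field.split(":")
    if len(parts) != 3:
        raise ValueError("malformed SCRV1 field")
    try:
        password = base64.b64decode(parts[1], validate=True).decode()
        response = base64.b64decode(parts[2], validate=True).decode()
    except (ValueError, UnicodeDecodeError) as exc:  # binascii.Error is a ValueError
        raise ValueError("bad base64 in SCRV1 field") from exc
    return password, response


def name_value_match(query: str, name: str) -> bool:
    """Prompt match as the thread's log shows it: 'Password: ' matches 'password',
    'login:' matches 'login'. Leading non-alphanumerics in the PAM prompt are
    skipped, then the configured name must be a case-insensitive prefix."""
    i = 0
    while i < len(query) and not query[i].isalnum():
        i += 1
    return query[i:].lower().startswith(name.lower())


def answer_prompts(plugin_args: str, prompts, username: str, password_field: str,
                   scrv1_support: bool = True) -> dict:
    """Map each PAM prompt to the answer the plugin would give.

    plugin_args is the quoted part of the 'plugin ... auth-pam.so' line without
    the PAM service name, e.g. "login USERNAME password PASSWORD pin OTP".
    scrv1_support=False models (assumption, see lead-in) a plugin that does not
    know SCRV1: PASSWORD is the raw field and OTP is not a keyword, so the
    literal string "OTP" is sent to pam_google_authenticator.
    """
    tokens = plugin_args.split()
    if len(tokens) % 2:
        raise ValueError("plugin arguments must be name/value pairs")
    pairs = list(zip(tokens[0::2], tokens[1::2]))
    if scrv1_support:
        password, otp = parse_scrv1(password_field)
    else:
        password, otp = password_field, None
    keywords = {"USERNAME": username, "PASSWORD": password}
    if scrv1_support:
        keywords["OTP"] = otp if otp is not None else ""  # empty answer if no challenge (assumption)
    answers = {}
    for prompt in prompts:
        for name, value in pairs:
            if name_value_match(prompt, name):
                answers[prompt] = keywords.get(value, value)  # unknown values are literal
                break
        else:
            answers[prompt] = None  # no mapping: the real plugin fails the conversation
    return answers


def split_forward_pass(authtok: str, code_len: int = 6):
    """Model of pam_google_authenticator's forward_pass: trailing digits are the
    code, the rest is forwarded to the next module as the password.
    (Simplified: the real module also accepts 8-digit scratch codes.)"""
    if len(authtok) <= code_len or not authtok[-code_len:].isdigit():
        raise ValueError("no verification code at end of password")
    return authtok[:-code_len], authtok[-code_len:]


if __name__ == "__main__":
    prompts = ["login:", "Password: ", "pin"]       # prompt strings from the thread's log
    field = encode_scrv1("mypass", "123456")         # constructed sample credentials
    mapping = "login USERNAME password PASSWORD pin OTP"
    print(field)
    print(answer_prompts(mapping, prompts, "dude", field))                       # split: pin -> 123456
    print(answer_prompts(mapping, prompts, "dude", field, scrv1_support=False))  # no split: pin -> "OTP"
    print(split_forward_pass("mypass123456"))                                    # ('mypass', '123456')
```

Run it directly to print the three mappings side by side. One practical point the model does not show: the plugin runs the PAM conversation in a background process that it forks before OpenVPN drops to user nobody, which is why the thread's secure.log shows pam_unix running with uid=0 euid=0, why the systemd ProtectHome setting affects reading ~/.google_authenticator, and why a later post moves the secrets under /etc/openvpn with the secret=/user= options instead.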
-
- OpenVpn Newbie
- Posts: 13
- Joined: Sat Nov 30, 2019 9:03 pm
Re: google_auth_pam with static-challenge not working
New Update in secure.log:
Dec 4 14:44:23 ip-172-10-2-190 openvpn(pam_google_authenticator)[13164]: Invalid verification code for user
Dec 4 14:44:23 ip-172-10-2-190 openvpn[13164]: pam_unix(openvpn:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=user
This seems to be the problem. Centos 7 and taking a static-challenge in config is an issue. Again I can config openvpn to do password+otp out of the box and that is fine. But users want to use the viscosity client and save username and pass. Then only enter OTP.
-
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
Re: google_auth_pam with static-challenge not working
We do not support viscosity here.
-
- OpenVpn Newbie
- Posts: 13
- Joined: Sat Nov 30, 2019 9:03 pm
Re: google_auth_pam with static-challenge not working
Thanks I understand that. I was trying the same config on openvpn client on my android phone with same result. If that makes it easier? I wanted to know if what I was asking was ok on the server side. Or has anyone done this on a Centos 7 box successfully?
-
- OpenVpn Newbie
- Posts: 13
- Joined: Sat Nov 30, 2019 9:03 pm
Re: google_auth_pam with static-challenge not working
I found the problem:
Centos 7 and other distros most likely have not built openvpn from source/master. The auth-pam module does not allow this functionality even in 2.4.8, as noted in the README:
I will build openvpn from source/master then install google auth and try again then note here with progress.
-
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
Re: google_auth_pam with static-challenge not working
Well, that was a pointless use of a BB code ..
-
- OpenVpn Newbie
- Posts: 13
- Joined: Sat Nov 30, 2019 9:03 pm
Re: google_auth_pam with static-challenge not working
I apologize yes it was.
I have solved the issue.
-
- OpenVpn Newbie
- Posts: 13
- Joined: Sat Nov 30, 2019 9:03 pm
Re: google_auth_pam with static-challenge not working
So for Centos 7 (and most likely Centos 8 at the time of this writing) you have to compile openvpn from source/master, not a release, as openvpn community has not put the change in the newest release yet. Maybe I did not see this info, but I cannot find it anywhere, and it may be a lack of understanding on my part.
Here is what I did for CentOS 7:
1. Cloned the master branch to some working dir on your server:
yum install git
git clone https://github.com/OpenVPN/openvpn.git
2. Install dependencies for the build:
yum groupinstall "Development Tools"
yum install pam-devel openssl-devel lzo-devel systemd-devel
3. In the openvpn dir that was cloned:
autoreconf -i -v -f
./configure --enable-systemd
make
make install
4. Make sure your config dir for openvpn is /etc/openvpn/server and put the config and everything in there.
5. I copied the systemd file generated in my working dir under distro/systemd/openvpn-server@.service to /etc/openvpn/server/
6. Edit the openvpn-server@.service:
ProtectHome=false
7. I enabled the service at this point, while in the directory my conf file was already in (leave off the .conf):
systemctl enable openvpn-server@<nameofconffile>
8. Start the server:
systemctl start openvpn-server@<nameofconffilefromabove>
You will still have to generate certs and set up the conf before you do all this. Google Authenticator can just be installed via yum and set up like normal. With my configs above and doing this I was able to get Viscosity and the OpenVPN client for Android to auth like this:
USERNAME
PASSWORD
OTP
separately, so I can save my pass in Viscosity and just update the OTP any time I need to log in. I will make a more in-depth guide and/or script to do this, but wanted to doc here so people did not waste time like I did trying to find why it was not working. OpenVPN does not document this anywhere to my knowledge, which could be wrong.
NOTE:
Systemd use is noted here for anyone that wants to know.
https://community.openvpn.net/openvpn/wiki/Systemd
-
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
Re: google_auth_pam with static-challenge not working
This may be worth reporting as a bug:
https://community.openvpn.net/openvpn/newticket
-
- OpenVpn Newbie
- Posts: 13
- Joined: Sat Nov 30, 2019 9:03 pm
Re: google_auth_pam with static-challenge not working
Sounds like a plan I will add a ticket for a bug.
-
- OpenVPN User
- Posts: 34
- Joined: Wed Sep 18, 2019 10:11 am
Re: google_auth_pam with static-challenge not working
For anyone else finding this thread: thanks to @dkudos for the build instructions. I did some further testing and found that it appears to be only the PAM module that is broken in the latest CentOS 7 openvpn package (2.4.8-1.el7). With the standard release installed and configured, I just replaced the PAM plugin in /usr/lib64/openvpn/plugins with the one built from source and the challenge worked as expected. My configuration, which uses Active Directory authentication via LDAP and the Google Authenticator app:
server
plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so "openvpn login USERNAME password PASSWORD pin OTP"
client
static-challenge "GA OpenVPN code:" 1
/etc/pam.d/openvpn
account sufficient pam_ldap.so
account required pam_deny.so
auth requisite /lib64/security/pam_google_authenticator.so authtok_prompt=pin secret=/etc/openvpn/google-authenticator/${USER} user=gauth
auth sufficient pam_ldap.so
auth required pam_deny.so
If you ever did open that ticket, perhaps worth noting on there that it may just be the PAM sources that need updating for the next build.
[EDIT - realised on further testing it was not validating password properly with original PAM config]
-
- OpenVpn Newbie
- Posts: 1
- Joined: Sat Jul 25, 2020 10:58 am
Re: google_auth_pam with static-challenge not working
I tried following your guide but it seems I failed replicating the "Username / Password / OTP" sequence using ubuntu server 20.04.
downloaded the code from github and followed the instructions you posted, but the command systemctl start openvpn-server@server ended up failing.
did apt install openvpn and systemctl start openvpn-server@server worked.
Username
OTP
works great.
but when I tried doing:
Username
password+OTP
I could also skip the password and write just the OTP.
client conf:
client
proto udp
explicit-exit-notify
dev tun
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
ns-cert-type server
static-challenge "Enter Authenticator Code" 1
auth-user-pass
reneg-sec 0
sndbuf 0
rcvbuf 0
auth-nocache
tls-client
my server
port 42069
proto udp
dev tun
user nobody
group nogroup
persist-key
persist-tun
keepalive 10 120
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 208.67.220.220"
push "dhcp-option DNS 208.67.222.222"
push "redirect-gateway def1 bypass-dhcp"
client-config-dir /etc/openvpn/server/ccd
status /var/log/openvpn/server/status.log
plugin "/usr/lib/openvpn/openvpn-plugin-auth-pam.so" "openvpn login USERNAME password PASSWORD pin OTP"
log openvpn.log
verb 3
and the pam file is
auth [success=1 default=ignore] pam_unix.so nullok_secure
auth requisite pam_deny.so
auth required pam_permit.so
auth required /usr/lib/x86_64-linux-gnu/security/pam_google_authenticator.so secret=/etc/openvpn/server/gauth/${USER} user=root debug echo_verification_code authtok_prompt=pin forward_pass
Thank you in advance.
-
- OpenVpn Newbie
- Posts: 5
- Joined: Tue Oct 20, 2020 5:33 pm
Re: google_auth_pam with static-challenge not working
Hi Macie,
macie wrote: ↑Sat Jul 25, 2020 1:08 pm
I tried following your guide but it seems I failed replicating the "Username / Password / OTP" sequence using ubuntu server 20.04 [...]
Did you find any solution to make password+otp work?
-
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm