
#1 2021-01-04 23:20:55

carbolymer
Member
Registered: 2012-04-25
Posts: 35

OpenVPN PAM authentication rejects passwords

I had OpenVPN set up with cert + unix username + unix password authentication, and it had been running for some time, but something has changed in the Arch configuration in the past few months that broke OpenVPN authentication. Right now, every authentication attempt is rejected (server log):

PLUGIN AUTH-PAM: BACKGROUND: received command code: 0
PLUGIN AUTH-PAM: BACKGROUND: USER: carbolymer
PLUGIN AUTH-PAM: BACKGROUND: my_conv[0] query='Password: ' style=1
PLUGIN AUTH-PAM: BACKGROUND: user 'carbolymer' failed to authenticate: Permission denied
10.0.0.1:53188 PLUGIN_CALL: POST /usr/lib/openvpn/plugins/openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
10.0.0.1:53188 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/lib/openvpn/plugins/openvpn-plugin-auth-pam.so
10.0.0.1:53188 TLS Auth Error: Auth Username/Password verification failed for peer
MULTI: REAP range 0 -> 16

In dmesg I can see:

[125781.897337] audit: type=1100 audit(1609803977.633:19896): pid=1093399 uid=979 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=? acct="carbolymer" exe="/usr/bin/openvpn" hostname=? addr=? terminal=? res=failed'

Here's my server.conf:

port 4443
proto udp
cipher AES-256-GCM
auth SHA512

dev tun0

ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key  # This file should be kept secret

dh /etc/openvpn/keys/dh1024.pem

tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA:TLS-DHE-RSA-WITH-AES-128-CBC-SHA:TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA

tls-version-min 1.2
tls-crypt /etc/openvpn/keys/ta.key
tls-server

server 10.10.10.0 255.255.255.0

ifconfig-pool-persist ipp.txt

keepalive 10 120

persist-key
persist-tun

status openvpn-status.log

log-append  /var/log/openvpn.log

verb 7

max-clients 100

user openvpn
group network

client-to-client

verify-client-cert require
username-as-common-name
plugin /usr/lib/openvpn/plugins/openvpn-plugin-auth-pam.so login

push "route 10.0.0.0 255.255.255.0"
dhcp-option DNS 10.0.0.1
dhcp-option DOMAIN home
dev-type tun
crl-verify /etc/openvpn/keys/crl.pem

and example client.conf (with keys/certificates removed):

client
dev tun0
proto udp
auth SHA512
remote openvpn.host.com 4443
resolv-retry infinite
nobind
persist-key
persist-tun
<ca></ca>
<cert></cert>
<key></key>
key-direction 1
<tls-crypt></tls-crypt>
ns-cert-type server
verb 7
auth-user-pass

I've also added /etc/pam.d/openvpn:

auth      include   system-remote-login
account   include   system-remote-login

and it does not matter whether I use the PAM module or login.

My account isn't locked out in faillock so I have no clue what's going on. Any ideas how to debug this issue further?

Looks like a similar issue, but it doesn't work in my case: https://serverfault.com/questions/10253 … nd-selinux

UPDATE:
I've found a workaround: when running the openvpn service as root, PAM authentication works without any issues. The problem appears when openvpn is executed with the following (from the systemd service file):

User=openvpn
Group=network

Related bug report: https://bugs.archlinux.org/task/69216

Last edited by carbolymer (2021-01-05 10:35:41)
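As an added example (not code from the post, OpenVPN or the auth-pam plugin), here is a small Python triage script that parses PAM audit records of the kind shown in the dmesg output above and flags authentication failures where openvpn was running as a non-root uid, which is exactly the condition the workaround in the UPDATE points at. The input is the post's own audit line plus two constructed records for contrast.

```python
import re

# type=1100 is USER_AUTH, the record PAM emits for an authentication result.
_AUDIT_RE = re.compile(
    r'type=(?P<type>\d+) audit\((?P<ts>[\d.]+):\d+\): pid=(?P<pid>\d+) uid=(?P<uid>\d+) '
    r'.*?op=(?P<op>\S+) grantors=(?P<grantors>\S+) acct="(?P<acct>[^"]*)" '
    r'exe="(?P<exe>[^"]*)".*?res=(?P<res>\w+)'
)


def parse_pam_audit(line):
    """Return the PAM audit fields of a USER_AUTH record as a dict, or None for other lines."""
    m = _AUDIT_RE.search(line)
    if not m or m.group("type") != "1100":
        return None
    rec = m.groupdict()
    rec["uid"] = int(rec["uid"])
    rec["pid"] = int(rec["pid"])
    return rec


def triage_openvpn_pam(lines):
    """Flag failed PAM authentications performed by an openvpn process that is not root.

    The post reports the same PAM stack succeeding when the service runs as root and
    failing with User=openvpn, so a non-root uid in the failing record is the first
    thing to check before suspecting a wrong password or a faillock lockout.
    """
    findings = []
    for line in lines:
        rec = parse_pam_audit(line)
        if rec is None or rec["op"] != "PAM:authentication" or rec["res"] != "failed":
            continue
        if rec["exe"].endswith("/openvpn") and rec["uid"] != 0:
            findings.append(
                f"acct={rec['acct']} failed PAM auth in {rec['exe']} running as uid={rec['uid']} "
                f"(not root), grantors={rec['grantors']}: check the service's User= setting"
            )
    return findings


# Sample input: the dmesg line from the post, plus two constructed records (a root sshd
# failure and a root openvpn success) that the triage must ignore.
SAMPLE_DMESG = [
    "[125781.897337] audit: type=1100 audit(1609803977.633:19896): pid=1093399 uid=979 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=? acct=\"carbolymer\" exe=\"/usr/bin/openvpn\" hostname=? addr=? terminal=? res=failed'",
    "[125790.000001] audit: type=1100 audit(1609803985.000:19897): pid=1093500 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=? acct=\"carbolymer\" exe=\"/usr/bin/sshd\" hostname=? addr=? terminal=? res=failed'",
    "[125800.000002] audit: type=1100 audit(1609803995.000:19898): pid=1093600 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=pam_unix acct=\"carbolymer\" exe=\"/usr/bin/openvpn\" hostname=? addr=? terminal=? res=success'",
]

if __name__ == "__main__":
    for finding in triage_openvpn_pam(SAMPLE_DMESG):
        print(finding)
```

Feed it `dmesg` or `journalctl -k` output line by line to triage a live host; only the single non-root openvpn failure is reported for the sample above.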

