Openvpn + pam_module + ubuntu 16.04


#1

Hi everyone.
I've installed the privacyIDEA server, configured LDAP integration, and enrolled a new token.
Then I tried to configure OTP for OpenVPN but ran into an issue.

My config:

root@openvpnubuntu:/etc/openvpn# cat /etc/pam.d/openvpn 
auth    [success=1 default=ignore]      pam_python.so /lib/security/privacyidea_pam.py url=https://10.1.1.184 prompt=privacyIDEA_Authentication debug
auth    requisite           pam_deny.so
auth    required            pam_permit.so
session sufficient          pam_permit.so
account sufficient          pam_permit.so

root@openvpnubuntu:/etc/openvpn# cat /etc/openvpn/server.conf 
#explicit-exit-notify 1
username-as-common-name
client-cert-not-required
#conf for privacy idea
reneg-sec 0
plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so openvpn

The issue I ran into is that the PAM module didn't connect to the privacyIDEA server.
I assume that the PAM module is not being executed in the proper way.

Could you please help with it?


#2

Take a look into /var/log/auth.log. This will tell you everything that is happening in the PAM stack and you should see the problem immediately.


#3

Hi, Thanks.
I've added the 'nosslverify' parameter and the PAM module has started checking passwords.

But I've run into another issue.
I entered the correct token for authorisation (I checked that it is correct in the privacyIDEA web UI).

Then, I can see the following logs in auth.log:
Mar 5 12:07:49 openvpnubuntu openvpn: requests > 1.0
Mar 5 12:07:49 openvpnubuntu openvpn: privacyidea_pam: result: {u'status': True, u'value': True}
Mar 5 12:07:49 openvpnubuntu openvpn: privacyidea_pam: detail: {u'message': u'matching 1 tokens', u'type': u'hotp', u'serial': u'OATH000047C9', u'otplen': 6, u'threadid': 140333286156032}
Mar 5 12:07:49 openvpnubuntu openvpn: privacyidea_pam: offline save authitem: None
Mar 5 12:08:49 openvpnubuntu openvpn: PAM (openvpn) illegal module type: login
Mar 5 12:08:49 openvpnubuntu openvpn: PAM pam_parse: expecting return value; [...auth]

But in OpenVPN logs I can see the following errors:
AUTH-PAM: BACKGROUND: received command code: 0
AUTH-PAM: BACKGROUND: USER: user1
AUTH-PAM: BACKGROUND: my_conv[0] query='privacyIDEA_Authentication: ' style=1
/usr/lib/python2.7/dist-packages/urllib3/connectionpool.py:794: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.org/en/latest/security.html
  InsecureRequestWarning)
AUTH-PAM: BACKGROUND: user 'user1' failed to authenticate: Authentication failure
Tue Mar 5 12:08:49 2019 us=260390 192.168.177.66:54487 PLUGIN_CALL: POST /usr/lib/openvpn/openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
Tue Mar 5 12:08:49 2019 us=260457 192.168.177.66:54487 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/lib/openvpn/openvpn-plugin-auth-pam.so

And the OpenVPN client says "Incorrect password".


#4

It is all about reading the log files.
You tell me what "illegal module type: login" means, when openvpn says this.
I do not know this. So probably your openvpn config is wrong.

The privacyIDEA part was successful as you can see in the logs and in the audit log.
So obviously openvpn does not like your configuration.
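The two libpam lines in the poster's auth.log ("illegal module type: login" and "pam_parse: expecting return value; [...auth]") are parse errors for /etc/pam.d/openvpn itself, raised before any module runs. The following is an added example, not code from the thread or from privacyIDEA: a small linter for a pam.d service file that applies the standard Linux-PAM line grammar (type, control, module-path, arguments) and reports the same two conditions. The sample file is constructed for this example; its first five entries are the stack from post #1, the last two are deliberately broken lines of the kind that would produce the logged errors.

```python
"""Added example: lint a /etc/pam.d/<service> file for the parse errors
libpam logs as 'illegal module type' and 'pam_parse: expecting return value'.
Not part of the original thread; the sample config at the bottom is constructed.

Linux-PAM line grammar:  type  control  module-path  [module-arguments]
  type    : auth | account | password | session  (optional leading '-')
  control : required | requisite | sufficient | optional | include | substack
            or a bracketed list  [value=action ...]
"""

MODULE_TYPES = {"auth", "account", "password", "session"}
KEYWORD_CONTROLS = {"required", "requisite", "sufficient", "optional",
                    "include", "substack"}
# Return-value names allowed on the left of '=' inside [...] (Linux-PAM list).
RETURN_VALUES = {
    "success", "open_err", "symbol_err", "service_err", "system_err",
    "buf_err", "perm_denied", "auth_err", "cred_insufficient",
    "authinfo_unavail", "user_unknown", "maxtries", "new_authtok_reqd",
    "acct_expired", "session_err", "cred_unavail", "cred_expired",
    "cred_err", "no_module_data", "conv_err", "authtok_err",
    "authtok_recover_err", "authtok_lock_busy", "authtok_disable_aging",
    "try_again", "ignore", "abort", "authtok_expired", "module_unknown",
    "bad_item", "conv_again", "incomplete", "default",
}
# Actions allowed on the right of '='; a bare integer N means "jump over N entries".
ACTIONS = {"ignore", "bad", "die", "ok", "done", "reset"}


def _check_bracket_control(inner):
    """Validate the body of a [...] control; return an error string or None."""
    for item in inner.split():
        value, sep, action = item.partition("=")
        if not sep or value not in RETURN_VALUES:
            # Mirrors libpam's "pam_parse: expecting return value; [...<rest>]"
            return "expecting return value; [...%s]" % item
        if not (action in ACTIONS or action.isdigit()):
            return "unknown action '%s' in [...%s]" % (action, item)  # message is this linter's own
    return None


def lint_pam_config(text):
    """Return [(lineno, message), ...] for entries libpam would reject."""
    problems = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # '#' starts a comment
        if not line:
            continue
        tokens = line.split()
        mtype = tokens[0].lstrip("-")             # leading '-' only silences a missing-module log
        if mtype not in MODULE_TYPES:
            # Mirrors libpam's "(<service>) illegal module type: <token>"
            problems.append((lineno, "illegal module type: %s" % tokens[0]))
            continue
        if len(tokens) < 2:
            problems.append((lineno, "missing control field"))
            continue
        if tokens[1].startswith("["):
            # A bracketed control may span several whitespace-separated tokens.
            end = next((i for i, t in enumerate(tokens) if t.endswith("]")), None)
            if end is None:
                problems.append((lineno, "unterminated [...] control"))
                continue
            inner = " ".join(tokens[1:end + 1])[1:-1]
            err = _check_bracket_control(inner)
            if err:
                problems.append((lineno, "pam_parse: " + err))
                continue
            rest = tokens[end + 1:]
        elif tokens[1] in KEYWORD_CONTROLS:
            rest = tokens[2:]
        else:
            problems.append((lineno, "unknown control: %s" % tokens[1]))
            continue
        if not rest:
            problems.append((lineno, "missing module path"))
    return problems


# Constructed sample: the thread's stack plus two deliberately broken entries.
SAMPLE_PAM_OPENVPN = """\
# entries 2-6: the /etc/pam.d/openvpn stack from the thread
auth    [success=1 default=ignore]      pam_python.so /lib/security/privacyidea_pam.py url=https://10.1.1.184 prompt=privacyIDEA_Authentication debug
auth    requisite           pam_deny.so
auth    required            pam_permit.so
session sufficient          pam_permit.so
account sufficient          pam_permit.so
# constructed breakage: a stray 'login' line and a bracketed control with no value=action
login   required            pam_unix.so
auth    [auth]              pam_deny.so
"""

if __name__ == "__main__":
    for n, msg in lint_pam_config(SAMPLE_PAM_OPENVPN):
        print("line %d: %s" % (n, msg))
```

The quick check on a real host is the same idea: any non-comment line whose first field is not one of auth, account, password or session, or whose bracketed control is not a list of value=action pairs, is rejected by libpam while the file is read, which is why the privacyIDEA lookup can succeed and the OpenVPN login still fail.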


#5

Thanks for fast response.
Maybe the issue is caused by the fact that the latest openvpn server on Ubuntu 16.04 has the following plugin:
/usr/lib/openvpn/openvpn-plugin-auth-pam.so ?

And the privacyIDEA documentation requires using:


#6

Dear Cornelius,
Thank you very much for hints.
I found the root of the problem.
Some PAM debug configs prevented it from working correctly. (My bad)

Now all works fine.