VPN server connection problem with pam (totp)

First of all, hello everyone.
I edited the openvpn server.conf file according to the instructions and created a new pam file (/etc/pam.d/openvpn) in the system. My configuration settings are as follows.

server.conf

verb 5
verify-client-cert none
username-as-common-name
reneg-sec 0
plugin /usr/lib/x86_64-linux-gnu/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn
script-security 3

/etc/pam.d/openvpn

#The SSL certificate was created with Let's Encrypt.
auth    [success=1 default=ignore]      /lib64/security/pam_privacyidea.so      url=https://mydomain.org  prompt=privacyIDEA_Authentication
auth    requisite                       pam_deny.so
auth    required                        pam_permit.so
account sufficient                      pam_permit.so
session sufficient                      pam_permit.so

When authenticating with openvpn, if I only enter the otp code, the login request is successful. However, if I enter the otp code followed by the password, the login request fails. What could I be doing wrong?

Well, this is how you have configured your system!

The contents of what you are typing in at the password prompt is sent to the privacyIDEA server.
The privacyIDEA server verifies it according to your configuration.

Thus: Works as configured. So you have to look into the configuration of your privacyIDEA server.

Hi @cornelinux,

What should I check in the privacyidea configuration, policy etc.?

The policies define, how privacyIDEA will respond.
The authentication is controlled by the policies in the scope authentication.

Read 7. Policies — privacyIDEA 3.10dev1 documentation

and 7.3. Authentication policies — privacyIDEA 3.10dev1 documentation

You will probably want to take a look at the otppin policy. But this is all wild guessing, since we do not know anything about your users and your policies.

Hi @cornelinux ,

After users enter their passwords on the openvpn server, they will open the VPN session by entering the otp generated by privacyidea, that’s all.

Great.
Did you actually read the above mentioned links/documentation?

I understand if you did not do this. Your time is valuable. That's fine.
If you need professional help, please see here:

I read the documentation from beginning to end. But there is obviously a problem somewhere. Still, thank you for everything.

What do your authentication policies look like?

The password is the token PIN.

@cornelinux Thank you for everything. I solved my problem by entering the parameters below.

plugin /usr/lib/x86_64-linux-gnu/openvpn/plugins/openvpn-plugin-auth-pam.so "openvpn login USERNAME password PASSWORD 'please enter otp:' OTP"

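As an added illustration (not code from the thread, not the plugin's source, and talking to no real PAM stack), the following Python models the auth-pam plugin's PAM conversation closely enough to show why the two configurations in this thread behave differently. With only the service name, every echo-off prompt receives the whole password field, so pam_privacyidea gets one string that privacyIDEA, with the password acting as the token PIN, must see as PIN followed by OTP. With explicit query/response pairs, the username, password and static-challenge OTP are routed to separate prompts. The matching rules, the prompt texts and the credentials are assumptions and constructed values, labelled as such in the code.

```python
"""Model of the OpenVPN auth-pam plugin's PAM conversation (added example).

Assumptions, stated here rather than taken from the thread:
 - the plugin argument is the PAM service name, optionally followed by
   query/response pairs;
 - with no pairs, every echo-off prompt receives the client's password field
   and every echo-on prompt receives the username;
 - with pairs, a query matches a prompt when the prompt, after any leading
   non-alphanumeric characters, starts with the query (case-insensitive);
 - in a response, the first of USERNAME, PASSWORD, COMMONNAME, OTP found is
   replaced by the client-supplied value (OTP being the static-challenge
   response); anything else is sent literally; an unmatched prompt is an error.
"""
import shlex

ECHO_OFF, ECHO_ON = "echo_off", "echo_on"
TOKENS = (("USERNAME", "username"), ("PASSWORD", "password"),
          ("COMMONNAME", "common_name"), ("OTP", "otp"))


def parse_plugin_arg(arg):
    """Split the text after the plugin path into service name and query/response pairs."""
    parts = shlex.split(arg)
    if not parts:
        raise ValueError("PAM service name is required")
    service, rest = parts[0], parts[1:]
    if len(rest) % 2:
        raise ValueError("query/response arguments must come in pairs")
    return service, list(zip(rest[0::2], rest[1::2]))


def query_matches(prompt, query):
    """Prefix match of the prompt against the query, ignoring leading punctuation and case."""
    i = 0
    while i < len(prompt) and not prompt[i].isalnum():
        i += 1
    return i < len(prompt) and prompt[i:].lower().startswith(query.lower())


def converse(pairs, prompts, creds):
    """Answer a list of (style, text) PAM prompts; returns {prompt text: answer}."""
    answers = {}
    for style, text in prompts:
        if not pairs:
            # Service name only: the PAM module sees the raw password field.
            answers[text] = creds["password"] if style == ECHO_OFF else creds["username"]
            continue
        for query, value in pairs:
            if query_matches(text, query):
                for token, key in TOKENS:
                    if token in value:
                        answers[text] = value.replace(token, creds.get(key, ""))
                        break
                else:
                    answers[text] = value  # literal response
                break
        else:
            raise RuntimeError(f"no query matches PAM prompt {text!r}")
    return answers


def demo():
    """Run both configurations from the thread against constructed prompts and credentials."""
    creds = {"username": "alice", "password": "Secret1", "otp": "123456"}  # constructed

    # First configuration: service name only. pam_privacyidea asks one echo-off
    # question and receives the entire password field, which must therefore be
    # PIN (the password) followed by the OTP, not the other way round.
    _, pairs = parse_plugin_arg("openvpn")
    only_service = converse(pairs, [(ECHO_OFF, "privacyIDEA_Authentication: ")],
                            {**creds, "password": creds["password"] + creds["otp"]})

    # Final configuration: explicit pairs, OTP delivered via static-challenge.
    _, pairs = parse_plugin_arg(
        "openvpn login USERNAME password PASSWORD 'please enter otp:' OTP")
    explicit = converse(pairs, [(ECHO_ON, "login: "), (ECHO_OFF, "Password: "),
                                (ECHO_OFF, "please enter otp: ")], creds)
    return only_service, explicit


if __name__ == "__main__":
    for name, result in zip(("service only", "explicit pairs"), demo()):
        print(name, result)
```

Run it as a script to see which value each PAM prompt would receive under the two plugin lines; the prompt strings are invented for the demonstration, and the real prompt text depends on the PAM module and its `prompt=` option, which is exactly why the query strings in the plugin argument must be chosen to match it.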