
Inside a Debian OpenVZ container, I have 2 OpenVPN servers (UDP on port 53 and TCP on port 443).

The authentication is based on Pam-Mysql.

Inside my OpenVPN conf file I have:

[...]
plugin /etc/openvpn/openvpn-auth-pam.so openvpn
[...]

At a certain time, usually during the morning when few users are connected, the authentication stops working for the UDP OpenVPN server (never the TCP one).

OpenVPN log:

Thu Jun 19 10:11:11 2014 us=331224 109.190.XXX.XXX:50611 TLS: Initial packet from [AF_INET]109.190.XXX.XXX:50611, sid=bd8b4b95 0bf1eb05
AUTH-PAM: BACKGROUND: received command code: 0
AUTH-PAM: BACKGROUND: USER: pierrejeanbergeron
Can't initialize threads: error 11
AUTH-PAM: BACKGROUND: user 'pierrejeanbergeron' failed to authenticate: Permission denied
Thu Jun 19 10:11:12 2014 us=705970 109.190.XXX.XXX:50611 PLUGIN_CALL: POST /etc/openvpn/openvpn-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
Thu Jun 19 10:11:12 2014 us=705983 109.190.XXX.XXX:50611 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /etc/openvpn/openvpn-auth-pam.so
Thu Jun 19 10:11:12 2014 us=706002 109.190.XXX.XXX:50611 TLS Auth Error: Auth Username/Password verification failed for peer
Thu Jun 19 10:11:12 2014 us=857039 109.190.XXX.XXX:50611 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA
Thu Jun 19 10:11:12 2014 us=857064 109.190.XXX.XXX:50611 [] Peer Connection Initiated with [AF_INET]109.190.XXX.XXX:50611
Thu Jun 19 10:11:15 2014 us=33310 109.190.XXX.XXX:50611 PUSH: Received control message: 'PUSH_REQUEST'
Thu Jun 19 10:11:15 2014 us=33335 109.190.XXX.XXX:50611 Delayed exit in 5 seconds
Thu Jun 19 10:11:15 2014 us=33364 109.190.XXX.XXX:50611 SENT CONTROL [UNDEF]: 'AUTH_FAILED' (status=1)
Thu Jun 19 10:11:15 2014 us=107955 109.190.XXX.XXX:50611 Connection reset, restarting [0]
Thu Jun 19 10:11:15 2014 us=107974 109.190.XXX.XXX:50611 SIGUSR1[soft,connection-reset] received, client-instance restarting
Thu Jun 19 10:11:15 2014 us=108016 TCP/UDP: Closing socket

Then I restart OpenVPN and all works again.

Please note that I have already set THREADS=0 in /etc/default/saslauthd.

PJ Bergeron
  • Maybe it's a bit late, but I've worked on a pam-mysql fork. Pam-mysql seems to be unmaintained, so I decided to provide some fixes. - Memory leak error | Fixed - SHA1 and MD5 encryption | Fixed Link to pam-mysql fork on GitHub: https://github.com/quadeare/pam-mysql – Quadeare Sep 18 '15 at 13:16

1 Answer


Looks like this bug is related to the OpenVZ limit on the number of threads for a VE. Please check the column "failcnt" on the row "numproc" in the file /proc/user_beancounters.

Pavel Odintsov
  • Hi again! I don't think it's the problem: `numproc 35 66 9223372036854775807 9223372036854775807 0` – PJ Bergeron Jun 19 '14 at 11:00
  • Maybe you can start strace for this process like this: `strace -s 1024 -o /root/trace -f -p PID` or run sysdig? – Pavel Odintsov Jun 19 '14 at 18:26
  • The problem is I don't know which process is causing trouble. I tried with saslauthd and openvpn but I see nothing. The strange thing is that when the authentication on the UDP OpenVPN server doesn't work, it still works on the TCP one. And it's always like that. – PJ Bergeron Jun 20 '14 at 13:03
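
The beancounter check suggested in the answer, generalized to report every resource with a non-zero failcnt rather than only numproc; this is an added example, not code from the thread or from OpenVZ. The function names and the sample table are constructed (only the numproc row is the one quoted in the comment above), and the privvmpages failure is invented to show a hit.

```shell
#!/bin/sh
# Added example: list OpenVZ beancounter rows with a non-zero failcnt.
# failcnt counts how often the container was refused that resource; the
# "error 11" in the log above is EAGAIN on Linux (resource unavailable).

# ubc_failures [FILE]  (FILE defaults to /proc/user_beancounters, "-" = stdin)
# Prints: <uid> <resource> held=<n> maxheld=<n> limit=<n> failcnt=<n>
ubc_failures() {
    awk '
        # Skip the "Version:" line and the column header.
        $1 == "Version:" || $2 == "resource" { next }
        # The first row of each container is prefixed with "<uid>:".
        # Remember the uid and strip it so every row has six columns.
        $1 ~ /^[0-9]+:$/ {
            uid = $1
            sub(/:$/, "", uid)
            sub(/^[ \t]*[0-9]+:/, "")
        }
        # Columns: resource held maxheld barrier limit failcnt
        NF == 6 && $6 + 0 > 0 {
            printf "%s %s held=%s maxheld=%s limit=%s failcnt=%s\n",
                   uid, $1, $2, $3, $5, $6
        }
    ' "${1:-/proc/user_beancounters}"
}

# Constructed sample in the /proc/user_beancounters layout.
sample_ubc() {
    cat <<'EOF'
Version: 2.5
       uid  resource           held    maxheld              barrier                limit  failcnt
      101:  kmemsize        5125208    5780135  9223372036854775807  9223372036854775807        0
            numproc              35         66  9223372036854775807  9223372036854775807        0
            privvmpages       65000      65536                65536                69632       12
EOF
}

# Demo on the sample; on a real container run "ubc_failures" as root.
sample_ubc | ubc_failures -
```

Running it before and after a failed login and comparing the output shows which counter, if any, moved at the moment authentication broke.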