0

I am trying to setup PAM authentication on my openVPN instance running on Ubuntu Server 15.04 but i keep getting an authentication failed error, am i missing anything?

server.conf

port 1194
proto udp
dev tun
sndbuf 0
rcvbuf 0
ca ca.crt
cert server.crt
key server.key
dh dh.pem
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 0
crl-verify crl.pem
plugin /etc/openvpn/openvpn-plugin-auth-pam.so login
log-append /var/log/openvpn.log

client.conf

client
dev tun
proto udp
sndbuf 0
rcvbuf 0
remote my.server 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
comp-lzo
verb 3
auth-user-pass

<ca>



</ca>
<cert>


</cert>
<key>



</key>

Server Log File

AUTH-PAM: BACKGROUND: user 'paul' failed to authenticate: System error
Sun Mar 13 16:41:02 2016 86.137.55.234:49377 PLUGIN_CALL: plugin
function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1:
/etc/openvpn/openvpn-plugin-auth-pam.so

Client Log File

Sun Mar 13 19:47:43 2016 OpenVPN 2.3.10 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Feb  1 2016
Sun Mar 13 19:47:43 2016 Windows version 6.1 (Windows 7)
Sun Mar 13 19:47:43 2016 library versions: OpenSSL 1.0.1r  28 Jan 2016, LZO 2.09
Enter Management Password:
Sun Mar 13 19:47:43 2016 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25341
Sun Mar 13 19:47:43 2016 Need hold release from management interface, waiting...
Sun Mar 13 19:47:43 2016 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25341
Sun Mar 13 19:47:44 2016 MANAGEMENT: CMD 'state on'
Sun Mar 13 19:47:44 2016 MANAGEMENT: CMD 'log all on'
Sun Mar 13 19:47:44 2016 MANAGEMENT: CMD 'hold off'
Sun Mar 13 19:47:44 2016 MANAGEMENT: CMD 'hold release'
Sun Mar 13 19:47:52 2016 MANAGEMENT: CMD 'username "Auth" "paul"'
Sun Mar 13 19:47:52 2016 MANAGEMENT: CMD 'password [...]'
Sun Mar 13 19:47:53 2016 Socket Buffers: R=[8192->8192] S=[8192->8192]
Sun Mar 13 19:47:53 2016 UDPv4 link local: [undef]
Sun Mar 13 19:47:53 2016 UDPv4 link remote: [AF_INET]my.server:1194
Sun Mar 13 19:47:53 2016 MANAGEMENT: >STATE:1457898473,WAIT,,,
Sun Mar 13 19:47:53 2016 MANAGEMENT: >STATE:1457898473,AUTH,,,
Sun Mar 13 19:47:53 2016 TLS: Initial packet from [AF_INET]my.server:1194, sid=12745e68 d8548adf
Sun Mar 13 19:47:53 2016 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Sun Mar 13 19:47:53 2016 VERIFY OK: depth=1, CN=ChangeMe
Sun Mar 13 19:47:53 2016 Validating certificate key usage
Sun Mar 13 19:47:53 2016 ++ Certificate has key usage  00a0, expects 00a0
Sun Mar 13 19:47:53 2016 VERIFY KU OK
Sun Mar 13 19:47:53 2016 Validating certificate extended key usage
Sun Mar 13 19:47:53 2016 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Sun Mar 13 19:47:53 2016 VERIFY EKU OK
Sun Mar 13 19:47:53 2016 VERIFY OK: depth=0, CN=server
Sun Mar 13 19:47:53 2016 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sun Mar 13 19:47:53 2016 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Mar 13 19:47:53 2016 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sun Mar 13 19:47:53 2016 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Mar 13 19:47:53 2016 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Sun Mar 13 19:47:53 2016 [server] Peer Connection Initiated with [AF_INET]my.server:1194
Sun Mar 13 19:47:54 2016 MANAGEMENT: >STATE:1457898474,GET_CONFIG,,,
Sun Mar 13 19:47:55 2016 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Sun Mar 13 19:47:56 2016 AUTH: Received control message: AUTH_FAILED
Sun Mar 13 19:47:56 2016 SIGUSR1[soft,auth-failure] received, process restarting
Sun Mar 13 19:47:56 2016 MANAGEMENT: >STATE:1457898476,RECONNECTING,auth-failure,,
Sun Mar 13 19:47:56 2016 Restart pause, 2 second(s)

Verbose Server Log http://pastebin.com/30ivbrWH (It is too long for the post)

The login pam.d configuration is the standard one which comes with the system

Paul Goggin
  • 1
  • 1
  • 3
  • Add log-append option to the client config, replace inline definitions for ca, cert, key with plain one 'ca ca.crt/cert cleint.crt/key client.key'. Restart the client and add output of the openvpn.log from the client side to the question. – ALex_hha Mar 13 '16 at 18:30
  • @ALex_hha client log file added to main post above – Paul Goggin Mar 13 '16 at 20:01
  • On the server change verb 0 to verb 11. Restart the server and try again. And add /etc/pam.d/login to the question – ALex_hha Mar 13 '16 at 21:11

2 Answers2

0

On the openvpn server install saslauthd

# aptitude install sasl2-bin

Start the daemon

# saslauthd -d -a pam -m /var/run/saslauthd/

Make simple authentication

# testsaslauthd -u paul -p 1234567 -s login

The result must be

0: OK "Success."
ALex_hha
  • 7,193
  • 1
  • 25
  • 40
  • How can i add this into my server.conf? (sorry if it is a stupid question) – Paul Goggin Mar 18 '16 at 20:07
  • You should run these commands from the console. It give us information about PAM authentication on your system in general. – ALex_hha Mar 18 '16 at 20:10
  • `root@vps:/var/run/saslauthd# testsaslauthd -u paul -p 1234567 -s login saslauthd[28368] :rel_accept_lock : released accept lock saslauthd[28369] :get_accept_lock : acquired accept lock saslauthd[28368] :do_auth : auth success: [user=paul] [service=login] [realm=] [mech=pam] 0: OK "Success." root@vps:/var/run/saslauthd# saslauthd[28368] :do_request : response: OK` – Paul Goggin Mar 18 '16 at 20:11
  • It seems is working with testssalauthd – Paul Goggin Mar 18 '16 at 20:33
0

Try adding "username-as-common-name" to server.conf.

HaoDe
  • 3
  • 3