I configured OpenVPN to use user/password authentication via PAM, which works fine. I tried to add TOTP authentication too (also with PAM), which does not work.
The client version is exactly the same as the server version (it shouldn't be a version mismatch issue). I tried running the server and client with user nobody enabled/disabled; nothing helped. If I enable the static-challenge option on the client side, the prompt is displayed, but the input isn't handled (it isn't passed on to PAM). However, the user/password login works fine, and that is also handled by PAM.
The PAM configuration for openvpn is correct, as the same configuration works well with SSH.
The PAM prompt is passed to the OpenVPN server, as this appears in the server log:

    One-time password (OATH) for 'user1':

but it never appears on the client side.
Can somebody please help me with this? Is there a missing compile option or a known bug, or does this need a different configuration?
openvpn --version
OpenVPN 2.5.6 x86_64-suse-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Mar 16 2022
library versions: OpenSSL 1.1.1l  24 Aug 2021 SUSE release 150400.7.37.1, LZO 2.10
Originally developed by James Yonan
Copyright (C) 2002-2022 OpenVPN Inc <sales@openvpn.net>
Compile time defines: enable_async_push=no enable_comp_stub=no enable_crypto_ofb_cfb=yes enable_debug=yes enable_def_auth=yes enable_dependency_tracking=no enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=needless enable_fragment=yes enable_iproute2=yes enable_libtool_lock=yes enable_lz4=yes enable_lzo=yes enable_management=yes enable_multihome=yes enable_pam_dlopen=no enable_pedantic=no enable_pf=yes enable_pkcs11=yes enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no enable_shared=yes enable_shared_with_static_runtimes=no enable_small=no enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=yes enable_werror=no enable_win32_dll=yes enable_x509_alt_username=yes with_aix_soname=aix with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_sysroot=no
PAM config:
cat /etc/pam.d/openvpn
#%PAM-1.0
auth     requisite pam_oath.so usersfile=/etc/oath/users_ssh.oath window=30 digits=6
auth     requisite pam_nologin.so
auth     include   common-auth
account  requisite pam_nologin.so
account  include   common-account
password include   common-password
session  required  pam_loginuid.so
session  include   common-session
session  optional  pam_lastlog.so silent noupdate showfailed
openvpn server conf (only relevant):
username-as-common-name
#plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so "openvpn"
plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so "openvpn login USERNAME password PASSWORD pin OTP"
Client conf (relevant part):
auth-user-pass
#static-challenge "PIN" 1
I'm trying to connect with TOTP enabled on the server, and I get AUTH_FAILED (instead of success), regardless of whether I type the PIN at the static-challenge prompt.
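The following is an added illustration and not code from the question or from OpenVPN. It models two pieces of the auth-pam path that decide whether the OTP ever reaches pam_oath: how a client with static-challenge packs password and response into one SCRV1 field, and how the plugin's name/value pairs are matched against PAM prompts. The matching rule used here (skip leading non-alphanumerics, then case-insensitive prefix match of each configured name against the prompt, first match wins) is my reading of the plugin source and should be treated as an assumption to verify against the version you run; the sample prompts, the user name, password and OTP are all constructed, with the OATH prompt copied from the server log quoted above.

```python
import base64


def encode_static_challenge(password, otp):
    """Build the password field an OpenVPN client sends when
    --static-challenge is active: 'SCRV1:' + base64(password) + ':' + base64(response)."""
    return "SCRV1:%s:%s" % (
        base64.b64encode(password.encode()).decode(),
        base64.b64encode(otp.encode()).decode(),
    )


def split_static_challenge(field):
    """Inverse of encode_static_challenge. A plain password (client without
    --static-challenge) is returned unchanged with an empty OTP."""
    if not field.startswith("SCRV1:"):
        return field, ""
    parts = field.split(":")
    if len(parts) != 3:
        raise ValueError("malformed SCRV1 field")
    return (base64.b64decode(parts[1]).decode(),
            base64.b64decode(parts[2]).decode())


def parse_plugin_args(argstr):
    """'openvpn login USERNAME password PASSWORD pin OTP' ->
    ('openvpn', [('login', 'USERNAME'), ('password', 'PASSWORD'), ('pin', 'OTP')])"""
    tokens = argstr.split()
    if len(tokens) % 2 == 0:
        raise ValueError("expected a service name followed by name/value pairs")
    service, rest = tokens[0], tokens[1:]
    return service, [(rest[i], rest[i + 1]) for i in range(0, len(rest), 2)]


def answer_prompt(prompt, pairs, creds):
    """Pick the reply for one PAM prompt under the assumed matching rule.
    A value that is not one of the placeholders in creds is used literally.
    Returns None when no configured name matches, i.e. the prompt would go
    unanswered and the PAM conversation would fail."""
    i = 0
    while i < len(prompt) and not prompt[i].isalnum():
        i += 1
    q = prompt[i:].lower()
    for name, value in pairs:
        if q.startswith(name.lower()):
            return creds.get(value, value)
    return None


def simulate_conversation(plugin_args, username, password_field, prompts, common_name=""):
    """Run every prompt through the pair table and return the list of replies."""
    _, pairs = parse_plugin_args(plugin_args)
    password, otp = split_static_challenge(password_field)
    creds = {"USERNAME": username, "PASSWORD": password,
             "OTP": otp, "COMMONNAME": common_name}
    return [answer_prompt(p, pairs, creds) for p in prompts]


# Constructed sample prompts: the usual login/password pair from common-auth,
# plus the pam_oath prompt quoted in the question.
PROMPTS = ["login:", "Password: ", "One-time password (OATH) for 'user1':"]

if __name__ == "__main__":
    # Constructed credentials; "123456" stands in for whatever the client typed
    # at the static-challenge prompt.
    field = encode_static_challenge("hunter2", "123456")
    for args in ("openvpn login USERNAME password PASSWORD pin OTP",
                 "openvpn login USERNAME password PASSWORD One-time OTP"):
        print(args)
        for prompt, reply in zip(PROMPTS, simulate_conversation(args, "user1", field, PROMPTS)):
            print("  %-40s -> %r" % (prompt, reply))
```

Running it prints the reply chosen for each prompt under the two pair tables: with the question's "pin OTP" pair the OATH prompt gets no reply, while a name that prefixes the actual prompt text does route the OTP to it. Whether the plugin on your build really matches this way is exactly the thing to confirm (for instance by raising verbosity or reading the plugin source for 2.5.6), and the whole exercise only applies when the client sends an SCRV1 field, that is, with static-challenge enabled.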