[arch-general] User authentication problems at OpenVPN on ArchLinux
Good day everyone.

I'm facing a weird problem with my VPN. It fails to authenticate users even though the entered password is correct (copied and pasted).

OpenVPN (version 2.5.0 on ArchLinux) itself is serviced with systemd and runs fine. I'm using OpenVPN's auth-pam plugin to authenticate users. You find the configuration and log files below.

When trying to log in, I get "User authentication failed" at my client and the following logging. The user was created with useradd and is able to log in with ssh as well. There is no pam config for openvpn in /etc/pam.d. But it worked before without it.

Does anyone have an idea on how to fix this or how to debug pam properly?

journalctl -r|grep username
===========================
Dec 26 13:42:41 hostname kernel: audit: type=1100 audit(1608986561.263:1183): pid=678 uid=973 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=? acct="username" exe="/usr/bin/openvpn" hostname=? addr=? terminal=? res=failed'
Dec 26 13:42:41 hostname audit[678]: USER_AUTH pid=678 uid=973 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=? acct="username" exe="/usr/bin/openvpn" hostname=? addr=? terminal=? res=failed'
Dec 26 13:42:41 hostname openvpn[678]: pam_unix(login:auth): authentication failure; logname= uid=973 euid=973 tty= ruser= rhost= user=username
Dec 26 13:42:41 hostname unix_chkpwd[4160]: password check failed for user (username)

/var/log/openvpn.log
====================
ip-addr [username] Peer Connection Initiated with [AF_INET6]ip-addr:52991
ip-addr PUSH: Received control message: 'PUSH_REQUEST'
ip-addr Delayed exit in 5 seconds
ip-addr SENT CONTROL [username]: 'AUTH_FAILED' (status=1)
ip-addr SIGTERM[soft,delayed-exit] received, client-instance exiting

server.conf
===========
plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so login
port 1194
persist-key
persist-tun
proto udp
proto udp6
dev tun
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/manmtr.crt
key /etc/openvpn/easy-rsa/pki/private/manmtr.key
dh /etc/openvpn/easy-rsa/pki/dh.pem
data-ciphers AES-256-GCM
;cipher AES-256-CBC
auth SHA512
reneg-sec 36000
inactive 0
server 192.168.200.0 255.255.255.0
push "route 192.168.100.0 255.255.255.0"
keepalive 10 36000
status openvpn-status.log
log /var/log/openvpn.log
verb 4

--
Jordan Borgner

Jordan Borgner via arch-general wrote:
> Good day everyone.
>
> I'm facing a weird problem with my VPN. It fails to authenticate users even though the entered password is correct (copied and pasted).
>
> OpenVPN (version 2.5.0 on ArchLinux) itself is serviced with systemd and runs fine. I'm using OpenVPN's auth-pam plugin to authenticate users. You find the configuration and log files below.

Hello,

I believe the problem might be openvpn is running as an unprivileged user with capabilities now instead of relying on openvpn itself dropping privileges. You'd have to revert those changes to allow pam access to the password files.

https://github.com/archlinux/svntogit-packages/commit/3da0f77eeae1e7bd5e877f...

--
Andy

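The log lines in the original post already show the condition described in this reply: the PAM call comes from uid=973 rather than root. For a non-root caller, pam_unix cannot read the shadow file and hands the check to the unix_chkpwd helper, which will not verify another account's password. As an added example (not from the thread or from OpenVPN), this Python sketch flags such records; the function name and regexes are assumptions, and a flagged record only tells you to check the service's user, since a wrong password logs the same failure.

```python
import re

# Journal lines copied from the original post (hostname/username are the poster's placeholders).
SAMPLE_JOURNAL = """\
Dec 26 13:42:41 hostname audit[678]: USER_AUTH pid=678 uid=973 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=? acct="username" exe="/usr/bin/openvpn" hostname=? addr=? terminal=? res=failed'
Dec 26 13:42:41 hostname openvpn[678]: pam_unix(login:auth): authentication failure; logname= uid=973 euid=973 tty= ruser= rhost= user=username
Dec 26 13:42:41 hostname unix_chkpwd[4160]: password check failed for user (username)
"""

# audit USER_AUTH record: uid is the process that called PAM, acct the account being checked.
AUDIT_RE = re.compile(
    r"USER_AUTH pid=(?P<pid>\d+) uid=(?P<uid>\d+) .*?op=PAM:authentication .*?"
    r'acct="(?P<acct>[^"]+)" exe="(?P<exe>[^"]+)" .*?res=(?P<res>\w+)'
)
# pam_unix failure line: service name is the one passed to the auth-pam plugin ("login" here).
PAM_UNIX_RE = re.compile(
    r"pam_unix\((?P<service>[^:]+):auth\): authentication failure; .*?"
    r"uid=(?P<uid>\d+) euid=(?P<euid>\d+) .*?\buser=(?P<user>\S+)"
)

def find_unprivileged_pam_failures(journal_text, exe_suffix="/openvpn"):
    """Return failed PAM authentications that were attempted by a non-root process."""
    findings = []
    for line in journal_text.splitlines():
        m = AUDIT_RE.search(line)
        if m:
            if m["exe"].endswith(exe_suffix) and m["res"] == "failed" and int(m["uid"]) != 0:
                findings.append({"source": "audit", "caller_uid": int(m["uid"]),
                                 "account": m["acct"]})
            continue
        m = PAM_UNIX_RE.search(line)
        if m and int(m["euid"]) != 0:
            findings.append({"source": "pam_unix", "caller_uid": int(m["euid"]),
                             "account": m["user"], "service": m["service"]})
    return findings

if __name__ == "__main__":
    for f in find_unprivileged_pam_failures(SAMPLE_JOURNAL):
        print(f)
```
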
On 31.12.20 14:57, admin--- via arch-general wrote:
> Hello,
>
> I believe the problem might be openvpn is running as an unprivileged user with capabilities now instead of relying on openvpn itself dropping privileges. You'd have to revert those changes to allow pam access to the password files.
>
> https://github.com/archlinux/svntogit-packages/commit/3da0f77eeae1e7bd5e877f...

Thank you! For some reason the service file was changed to make openvpn run as a different user.

Happy new year everyone!

--
Jordan Borgner

On 12/31/20 8:08 AM, Jordan Borgner via arch-general wrote:
> Good day everyone.
>
> I'm facing a weird problem with my VPN. It fails to authenticate users even though the entered password is correct (copied and pasted).

Hi Jordan - I switched from openvpn to wireguard some time back and prefer it - simple, works well and is fast. Has clients available for android/ios (Those apps are configged using camera to read the QR codes I provide).

Something you may want to consider as an alternative perhaps.

gene

participants (3)
- admin@progandy.de
- Genes Lists
- Jordan Borgner