[arch-general] User authentication problems at OpenVPN on ArchLinux
Jordan Borgner
jordan at manmtr.net
Thu Dec 31 13:08:10 UTC 2020
Good day everyone.
I'm facing a weird problem with my vpn. It fails to authenticate users
despite the entered password is correct (copied and pasted).
OpenVPN (version 2.5.0 on ArchLinux) itself is serviced with systemd and
runs fine. I'm using OpenVPN's auth-pam plugin to authenticate users.
You find the configuration- and logfiles below.
When trying to log in, I get "User authentication failed" at my client
and the following logging. The user was created with useradd and is able
to login with ssh as well.
There is no pam config for openvpn in /etc/pam.d. But it worked before
without it.
Does anyone have an idea on how to fix this or how to debug pam properly?
journalctl -r|grep username
===========================
Dec 26 13:42:41 hostname kernel: audit: type=1100
audit(1608986561.263:1183): pid=678 uid=973 auid=4294967295
ses=4294967295 msg='op=PAM:authentication grantors=? acct="username"
exe="/usr/bin/openvpn" hostname=? addr=? terminal=? res=failed'
Dec 26 13:42:41 hostname audit[678]: USER_AUTH pid=678 uid=973
auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=?
acct="username" exe="/usr/bin/openvpn" hostname=? addr=? terminal=?
res=failed'
Dec 26 13:42:41 hostname openvpn[678]: pam_unix(login:auth):
authentication failure; logname= uid=973 euid=973 tty= ruser= rhost=
user=username
Dec 26 13:42:41 hostname unix_chkpwd[4160]: password check failed for
user (username)
/var/log/openvpn.log
====================
ip-addr [username] Peer Connection Initiated with [AF_INET6]ip-addr:52991
ip-addr PUSH: Received control message: 'PUSH_REQUEST'
ip-addr Delayed exit in 5 seconds
ip-addr SENT CONTROL [username]: 'AUTH_FAILED' (status=1)
ip-addr SIGTERM[soft,delayed-exit] received, client-instance exiting
server.conf
===========
plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so login
port 1194
persist-key
persist-tun
proto udp
proto udp6
dev tun
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/manmtr.crt
key /etc/openvpn/easy-rsa/pki/private/manmtr.key
dh /etc/openvpn/easy-rsa/pki/dh.pem
data-ciphers AES-256-GCM
;cipher AES-256-CBC
auth SHA512
reneg-sec 36000
inactive 0
server 192.168.200.0 255.255.255.0
push "route 192.168.100.0 255.255.255.0"
keepalive 10 36000
status openvpn-status.log
log /var/log/openvpn.log
verb 4
--
Jordan Borgner
More information about the arch-general
mailing list