NigelCunningham / pam-MySQL

PAM MySQL
GNU General Public License v2.0

openvpn pam-mysql + google otp failure #53

Open arnolix opened 5 years ago

arnolix commented 5 years ago

centos 7 openvpn: OpenVPN 2.4.6

server.conf:

port 1194
proto tcp
dev tun
ca /etc/openvpn/certs/ca.crt
cert /etc/openvpn/certs/server.crt
key /etc/openvpn/certs/server.key
dh /etc/openvpn/certs/dh.pem
server 10.1.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 10.1.0.0 255.255.255.0"
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 114.114.114.114"
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log 10
status-version 2
log /var/log/openvpn.log
verb 3
plugin /etc/openvpn/openvpn-plugin-auth-pam.so openvpn
client-cert-not-required
username-as-common-name
reneg-sec 0

client:

client
dev tun0
proto tcp
remote 10.0.12.36 1194
resolv-retry infinite
persist-key
persist-tun
ca ca.crt
nobind
auth-user-pass
reneg-sec 0
auth-nocache
comp-lzo
verb 4

pam for openvpn:

auth required pam_mysql.so user=xxx passwd=xxxx host=localhost db=xxx table=openvpn usercolumn=username passwdcolumn=password where=active=1 crypt=sha1 use_first_pass debug
auth required pam_google_authenticator.so secret=/etc/openvpn/google-auth/${USER} user=root echo_verification_code debug forward_pass no_increment_hotp
account required pam_permit.so debug

on client I use password + google code, failure, logs:

Feb 19 17:15:26 10.0.12.36 openvpn[15876]: pam_mysql - option debug is set to ""
Feb 19 17:15:26 10.0.12.36 openvpn[15876]: pam_mysql - pam_mysql_close_db() called.
Feb 19 17:15:26 10.0.12.36 openvpn[15876]: pam_mysql - pam_sm_authenticate() called.
Feb 19 17:15:26 10.0.12.36 openvpn[15876]: pam_mysql - pam_mysql_open_db() called.
Feb 19 17:15:26 10.0.12.36 openvpn[15876]: pam_mysql - pam_mysql_open_db() returning 0.
Feb 19 17:15:26 10.0.12.36 openvpn[15876]: pam_mysql - pam_mysql_check_passwd() called.
Feb 19 17:15:26 10.0.12.36 openvpn[15876]: pam_mysql - pam_mysql_format_string() called
Feb 19 17:15:26 10.0.12.36 openvpn[15876]: pam_mysql - pam_mysql_quick_escape() called.
Feb 19 17:15:26 10.0.12.36 openvpn[15876]: pam_mysql - SELECT password FROM openvpn WHERE username = 'admin' AND (active=1)
Feb 19 17:15:26 10.0.12.36 openvpn[15876]: pam_mysql - pam_mysql_check_passwd() returning 6.
Feb 19 17:15:26 10.0.12.36 openvpn[15876]: pam_mysql - pam_mysql_sql_log() called.
Feb 19 17:15:26 10.0.12.36 openvpn[15876]: pam_mysql - pam_mysql_sql_log() returning 0.
Feb 19 17:15:26 10.0.12.36 openvpn[15876]: pam_mysql - pam_sm_authenticate() returning 7.
Feb 19 17:15:26 10.0.12.36 openvpn(pam_google_authenticator)[15876]: debug: start of google_authenticator for "admin"
Feb 19 17:15:26 10.0.12.36 openvpn(pam_google_authenticator)[15876]: debug: Secret file permissions are 0400. Allowed permissions are 0600
Feb 19 17:15:26 10.0.12.36 openvpn(pam_google_authenticator)[15876]: debug: "/etc/openvpn/google-auth/admin" read
Feb 19 17:15:26 10.0.12.36 openvpn(pam_google_authenticator)[15876]: debug: shared secret in "/etc/openvpn/google-auth/admin" processed
Feb 19 17:15:26 10.0.12.36 openvpn(pam_google_authenticator)[15876]: Invalid verification code for admin
Feb 19 17:15:26 10.0.12.36 openvpn(pam_google_authenticator)[15876]: debug: "/etc/openvpn/google-auth/admin" written
Feb 19 17:15:26 10.0.12.36 openvpn[15876]: pam_mysql - pam_mysql_release_ctx() called.
Feb 19 17:15:26 10.0.12.36 openvpn[15876]: pam_mysql - pam_mysql_destroy_ctx() called.
Feb 19 17:15:26 10.0.12.36 openvpn[15876]: pam_mysql - pam_mysql_close_db() called.

if I use a command like:

pamtester openvpn admin authenticate
Password & verification code: xxxxxxxxx
pamtester: Authentication failure

failure log:

Feb 19 17:27:00 10.0.12.36 pamtester: pam_mysql - option debug is set to ""
Feb 19 17:27:00 10.0.12.36 pamtester: pam_mysql - pam_mysql_close_db() called.
Feb 19 17:27:00 10.0.12.36 pamtester: pam_mysql - pam_sm_authenticate() called.
Feb 19 17:27:00 10.0.12.36 pamtester: pam_mysql - pam_mysql_open_db() called.
Feb 19 17:27:00 10.0.12.36 pamtester: pam_mysql - pam_mysql_open_db() returning 0.
Feb 19 17:27:00 10.0.12.36 pamtester: pam_mysql - pam_mysql_check_passwd() called.
Feb 19 17:27:00 10.0.12.36 pamtester: pam_mysql - pam_mysql_format_string() called
Feb 19 17:27:00 10.0.12.36 pamtester: pam_mysql - pam_mysql_quick_escape() called.
Feb 19 17:27:00 10.0.12.36 pamtester: pam_mysql - SELECT password FROM openvpn WHERE username = 'admin' AND (active=1)
Feb 19 17:27:00 10.0.12.36 pamtester: pam_mysql - pam_mysql_check_passwd() returning 6.
Feb 19 17:27:00 10.0.12.36 pamtester: pam_mysql - pam_mysql_sql_log() called.
Feb 19 17:27:00 10.0.12.36 pamtester: pam_mysql - pam_mysql_sql_log() returning 0.
Feb 19 17:27:00 10.0.12.36 pamtester: pam_mysql - pam_sm_authenticate() returning 7.
Feb 19 17:27:00 10.0.12.36 openvpn(pam_google_authenticator)[16863]: debug: start of google_authenticator for "admin"
Feb 19 17:27:00 10.0.12.36 openvpn(pam_google_authenticator)[16863]: debug: Secret file permissions are 0400. Allowed permissions are 0600
Feb 19 17:27:00 10.0.12.36 openvpn(pam_google_authenticator)[16863]: debug: "/etc/openvpn/google-auth/admin" read
Feb 19 17:27:00 10.0.12.36 openvpn(pam_google_authenticator)[16863]: debug: shared secret in "/etc/openvpn/google-auth/admin" processed
Feb 19 17:27:08 10.0.12.36 openvpn(pam_google_authenticator)[16863]: debug: no scratch code used from "/etc/openvpn/google-auth/admin"
Feb 19 17:27:08 10.0.12.36 openvpn(pam_google_authenticator)[16863]: Accepted google_authenticator for admin
Feb 19 17:27:08 10.0.12.36 openvpn(pam_google_authenticator)[16863]: debug: "/etc/openvpn/google-auth/admin" written
Feb 19 17:27:08 10.0.12.36 pamtester[16863]: pam_mysql - pam_mysql_release_ctx() called.
Feb 19 17:27:08 10.0.12.36 pamtester[16863]: pam_mysql - pam_mysql_destroy_ctx() called.
Feb 19 17:27:08 10.0.12.36 pamtester[16863]: pam_mysql - pam_mysql_close_db() called.

if I remove auth required pam_mysql.so user......, openvpn is ok for google otp. how to use username + password & google otp to access openvpn? thx
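The pamtester log above shows pam_mysql failing its password check while pam_google_authenticator accepts the code from the same typed string. The following is an added model of that PAM stack, not code from pam_mysql, google-authenticator-libpam or the reporter: it assumes forward_pass splits a six-digit code off the end of the typed string and hands the remainder to the next module, that crypt=sha1 compares a hex SHA-1 digest, and uses a made-up password and code; it is simplified to show the effect of module order on what use_first_pass receives.

```python
import hashlib

# Constructed sample data. "admin" is the user from the issue; the password
# and the accepted code are invented. The stored value mirrors what a
# crypt=sha1 column would hold: the hex SHA-1 of the password alone.
USER_DB = {"admin": hashlib.sha1(b"correct horse").hexdigest()}
VALID_CODES = {"admin": "123456"}   # stand-in for the real TOTP check


def pam_mysql(ctx):
    """Model of pam_mysql with use_first_pass + crypt=sha1: hash whatever is
    currently in the PAM auth token and compare it to the stored digest."""
    stored = USER_DB.get(ctx["user"])
    given = hashlib.sha1(ctx["authtok"].encode()).hexdigest()
    return "PAM_SUCCESS" if stored == given else "PAM_AUTH_ERR"


def pam_google_authenticator(ctx):
    """Model of pam_google_authenticator with forward_pass (assumption: a
    six-digit code at the end of the token). On success the password part,
    without the code, is written back as the auth token for later modules."""
    tok = ctx["authtok"]
    if len(tok) <= 6 or not tok[-6:].isdigit():
        return "PAM_AUTH_ERR"
    password, code = tok[:-6], tok[-6:]
    if code != VALID_CODES.get(ctx["user"]):
        return "PAM_AUTH_ERR"
    ctx["authtok"] = password
    return "PAM_SUCCESS"


def run_stack(modules, user, typed):
    """Every module is 'auth required': all run, all must succeed.
    Returns (overall result, per-module results in stack order)."""
    ctx = {"user": user, "authtok": typed}
    results = [m(ctx) for m in modules]
    overall = "PAM_SUCCESS" if all(r == "PAM_SUCCESS" for r in results) else "PAM_AUTH_ERR"
    return overall, results


if __name__ == "__main__":
    typed = "correct horse123456"          # password immediately followed by the code
    # Order from the issue: pam_mysql sees password+code and its hash cannot match.
    print(run_stack([pam_mysql, pam_google_authenticator], "admin", typed))
    # forward_pass first: the code is stripped before pam_mysql hashes the token.
    print(run_stack([pam_google_authenticator, pam_mysql], "admin", typed))
```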

kyrian666 commented 3 years ago

See issue #65.