Stouts / Stouts.openvpn

Ansible role to install and configure OpenVPN server
MIT License

OpenVPN with PAM authentication allows multiple passwords #100

Open AndresPineros opened 6 years ago

AndresPineros commented 6 years ago

I created an OpenVPN server using this role on my Ubuntu 16.04 machine, with the following variables:

....
openvpn_port: xxxx
openvpn_proto: xxx
openvpn_dev: xxx
openvpn_server: x.x.x.x x.x.x.x
openvpn_comp_lzo: yes
openvpn_cipher: AES-XXXXX
openvpn_tls_auth : yes
openvpn_user: nobody
openvpn_group: nogroup
openvpn_client_to_client: no
openvpn_verb: 4
openvpn_use_pam: yes
openvpn_use_pam_users: "{{ pam_user_array }}"
openvpn_clients:
  - myuser
.....

Because I want both PAM and certs, I removed the client-certs-not-required that is placed in the server.conf when using pam.

The password for myuser was D1$play9!! I found by accident that I was able to log in with that user using:

Why is this possible? This is a very serious security issue.

lettucehead commented 6 years ago

Why don’t you check if it’s pw truncation by altering an earlier character in the sequence? Solaris used to have this. Cred@a dude named Jay

sgutermann commented 5 years ago

If you google "pam truncate" you will find an answer within the first few entries. It only uses the first 8 characters.
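The 8-character limit discussed in this thread is a property of the legacy DES-based crypt(3) hash format (a 13-character hash with no `$id$` prefix), which pam_unix verifies through the system crypt(); bcrypt has its own 72-byte limit. The following is an added audit script, not code from the Stouts.openvpn role or from anyone in this thread: it parses shadow-style lines and reports accounts whose stored hash only ever compares a prefix of the password. All sample lines and hash strings are constructed placeholders.

```python
"""Audit shadow-style password hashes for schemes that silently truncate.

Added example, not part of the Stouts.openvpn role or this issue thread.
Sample data below is constructed; hash strings are placeholders.
"""
import re
from typing import List, NamedTuple, Optional, Tuple


class Finding(NamedTuple):
    user: str
    scheme: str
    max_checked: int  # characters crypt(3) actually compares for this scheme


# Modular-crypt prefix -> (scheme name, prefix length checked; None = whole password)
_SCHEMES = {
    "$1$": ("md5crypt", None),
    "$5$": ("sha256crypt", None),
    "$6$": ("sha512crypt", None),
    "$7$": ("scrypt", None),
    "$y$": ("yescrypt", None),
    "$2a$": ("bcrypt", 72), "$2b$": ("bcrypt", 72), "$2y$": ("bcrypt", 72),
}
# Legacy DES crypt: 13 chars from the ./0-9A-Za-z alphabet, no $id$ prefix.
_DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")


def classify_hash(field: str) -> Optional[Tuple[str, Optional[int]]]:
    """(scheme, max_checked) for a shadow hash field; None if the account is
    locked, disabled or has no password and therefore cannot log in via PAM."""
    if field in ("", "*") or field.startswith("!"):
        return None
    for prefix, info in _SCHEMES.items():
        if field.startswith(prefix):
            return info
    if _DES_RE.match(field):
        return ("des-crypt", 8)  # only the first 8 characters are verified
    return ("unknown", None)


def audit_shadow(text: str) -> List[Finding]:
    """Return accounts whose hash scheme compares only a prefix of the password."""
    findings = []
    for line in text.splitlines():
        parts = line.split(":")
        if not line.strip() or line.startswith("#") or len(parts) < 2:
            continue
        info = classify_hash(parts[1])
        if info and info[1] is not None:
            findings.append(Finding(parts[0], info[0], info[1]))
    return findings


def effective_secret(password: str, max_checked: Optional[int]) -> str:
    """The part of `password` a truncating scheme actually verifies."""
    return password if max_checked is None else password[:max_checked]


# Constructed sample shadow file; hash values are placeholders, not real digests.
SAMPLE_SHADOW = """\
myuser:abPLACEHOLDR1:18000:0:99999:7:::
alice:$6$saltsalt$PLACEHOLDERHASH:18000:0:99999:7:::
bob:$2b$12$PLACEHOLDERSALTANDHASH:18000:0:99999:7:::
svc:!:18000:0:99999:7:::
"""
```

Running `audit_shadow` over the real `/etc/shadow` (as root) shows which PAM-authenticated OpenVPN users need their password rehashed with a modern scheme such as `$6$` or `$y$`.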