google / google-authenticator-libpam

Apache License 2.0

Verification succeeds in the debug logs, but OpenVPN reports that it failed #139

Open sangaline opened 5 years ago

sangaline commented 5 years ago

I'm trying to get google-authenticator-libpam working with openvpn, but I'm running into an issue where openvpn claims that verification failed while the logs for google-authenticator-libpam say that verification succeeded. My current PAM configuration is

auth required /usr/lib/security/pam_google_authenticator.so secret=/etc/openvpn/google-authenticator/${USER} user=gauth debug echo_verification_code authtok_prompt=password forward_pass

and I reference this in my openvpn config with the following line (note that the openvpn config works fine if this line is commented out).

plugin "/usr/lib/openvpn/plugins/openvpn-plugin-auth-pam.so" "openvpn login USERNAME password PASSWORD"

The authentication succeeds when using pamtester

# pamtester openvpn myuser authenticate
password123456
pamtester: successfully authenticated

but I get the following error from openvpn when I try to connect.

AUTH-PAM: BACKGROUND: user 'myuser' failed to authenticate: Authentication failure
Thu Jul 18 08:07:25 2019 42.123.17.102:56119 PLUGIN_CALL: POST /usr/lib/openvpn/plugins/openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
Thu Jul 18 08:07:25 2019 42.123.17.102:56119 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/lib/openvpn/plugins/openvpn-plugin-auth-pam.so
Thu Jul 18 08:07:25 2019 42.123.17.102:56119 TLS Auth Error: Auth Username/Password verification failed for peer

The corresponding logs for google-authenticator-libpam are

Jul 18 08:07:25 myserver openvpn(pam_google_authenticator)[11888]: debug: start of google_authenticator for "myuser"
Jul 18 08:07:25 myserver openvpn(pam_google_authenticator)[11888]: debug: Secret file permissions are 0400. Allowed permissions are 0600
Jul 18 08:07:25 myserver openvpn(pam_google_authenticator)[11888]: debug: "/etc/openvpn/google-authenticator/myuser" read
Jul 18 08:07:25 myserver openvpn(pam_google_authenticator)[11888]: debug: shared secret in "/etc/openvpn/google-authenticator/myuser" processed
Jul 18 08:07:25 myserver openvpn(pam_google_authenticator)[11888]: debug: google_authenticator for host "(null)"
Jul 18 08:07:25 myserver openvpn(pam_google_authenticator)[11888]: debug: no scratch code used from "/etc/openvpn/google-authenticator/myuser"
Jul 18 08:07:25 myserver openvpn(pam_google_authenticator)[11888]: Accepted google_authenticator for myuser
Jul 18 08:07:25 myserver openvpn(pam_google_authenticator)[11888]: debug: "/etc/openvpn/google-authenticator/myuser" written
Jul 18 08:07:25 myserver openvpn(pam_google_authenticator)[11888]: debug: end of google_authenticator for "myuser". Result: Success
Jul 18 08:07:25 myserver openvpn[11888]: pam_warn(openvpn:account): function=[pam_sm_acct_mgmt] flags=0 service=[openvpn] terminal=[<unknown>] user=[myuser] ruser=[<unknown>] rhost=[<unknown>]

which seem to suggest that the verification actually did succeed.

Any ideas why google-authenticator-libpam is saying that verification succeeded while openvpn is saying that it failed?

ThomasHabets commented 5 years ago

It does look like it succeeded, yes. I think it'll be hard to debug with the PAM fragment you show. If you used pam_unix then maybe that's what failed?

ThomasHabets commented 5 years ago

From the README of this project:

If you pass the forward_pass option, the pam_google_authenticator module queries the user for both the system password and the verification code in a single prompt. It then forwards the system password to the next PAM module, which will have to be configured with the use_first_pass option.

sangaline commented 5 years ago

The fragment I showed is the entire PAM configuration, and I'm trying to configure it to work without any other modules. I have also tried the use_first_pass option and it gets the same result (succeeds in pam-google-authenticator logging, but openvpn reports failure). Is it possible that pam_unix.so is being used if it isn't specified in the openvpn config? I don't see any other PAM output in the system logs.

ThomasHabets commented 5 years ago

Why are you using forward_pass then? Does it work without it?

ThomasHabets commented 5 years ago

… and supplying only the code.

sangaline commented 5 years ago

I wasn't using it because I thought it was specifically necessary; I just tried no option, try_first_pass, use_first_pass, and forward_pass sequentially to see if any of them worked (and forward_pass was the last one I tried). They all produce the same result.

… and supplying only the code.

I would be happy to provide anything else that would be relevant, just let me know. The libpam-google-authenticator version is 1.06-1 and the openvpn version is 2.4.7 if that helps.

ThomasHabets commented 5 years ago

No I mean supplying only the OTP code at the password prompt, not password and OTP appended.

At this point I don't know. Looks like an OpenVPN question. Where does that pam_warn come from? Maybe auth could succeed but OpenVPN needs account to succeed too?

It does sound like it, from PAM documentation:

Account Management
The pam_acct_mgmt(3) function is used to determine if the user's account is valid. It checks for authentication token and account expiration and verifies access restrictions. It is typically called after the user has been authenticated.

mickael-ange commented 4 years ago

Hi, I had a similar problem I think. I started from this great post but after many tries and failures I ended up with:

Server Config:

# On the CentOS 7 server as root
yum install -y google-authenticator
mkdir -p /etc/openvpn/google-authenticator
chmod 0700 /etc/openvpn/google-authenticator

# Create a user
useradd -s /bin/nologin mickael.ange
# Configure Google Auth for the user
google-authenticator -w 3 -t -d -r3 -R30 -f -l "mickael.ange@vpn.example.com" -s /etc/openvpn/google-authenticator/mickael.ange
# Ensure 400 perm
chmod 400 /etc/openvpn/google-authenticator/mickael.ange

# Configure OpenVPN server
vim /etc/openvpn/server.conf
plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so "openvpn login USERNAME password PASSWORD"
reneg-sec 0

# Configure PAM
vim /etc/pam.d/openvpn
# I had to use root user in place of gauth
auth required /lib64/security/pam_google_authenticator.so secret=/etc/openvpn/google-authenticator/${USER} user=root debug forward_pass
# The account section was the gotcha for me
account include system-auth

Client Config:

# Need to add on the OpenVPN client config
auth-nocache
remote-cert-tls server
auth-user-pass
reneg-sec 0

kalsan commented 3 years ago

@mickael-ange your answer is pure gold - after hours of debugging I found your most recent post. The line account include system-auth in /etc/pam.d/openvpn is absolutely required. Background: Now running on OpenVPN 2.5.0 and mostly following this guide (but also tried the one mentioned above): https://blog.amilstead.com/openvpn-google-authenticator-totp/

MohammedNoureldin commented 2 years ago

Thank you for your comments, those helped me to figure out how to solve my issue. Though I still don't understand how this line (in /etc/pam.d/openvpn) solves it:

account sufficient pam_permit.so
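A small lint for pam.d service files that catches the two misconfigurations this thread circles around: a stack with auth rules but no account rules (openvpn-plugin-auth-pam runs pam_acct_mgmt() after pam_authenticate(), which is why the auth module logs success while OpenVPN reports failure), and forward_pass with no following auth module that consumes the forwarded system password. This is an added example, not code from google-authenticator-libpam, OpenVPN or any commenter; the two sample stacks are constructed from the configurations quoted in the thread.

```python
"""Lint a pam.d service file for the two pitfalls this thread runs into.
Added example, not code from google-authenticator-libpam or OpenVPN; the
sample stacks below are constructed from the configurations quoted above."""
import re
from collections import namedtuple
Rule = namedtuple("Rule", "stage control module args")  # stage "*" = @include

def parse_pam(text):
    """Parse pam.d(5) lines: [-]type control module [args...] and @include.
    A bracketed control such as [success=1 default=ignore] is one token."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("@include"):
            rules.append(Rule("*", "include", line.split()[1], []))
            continue
        m = re.match(r"-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)", line)
        if not m:
            raise ValueError(f"unparseable pam.d line: {raw!r}")
        stage, control, module, rest = m.groups()
        rules.append(Rule(stage.lower(), control, module, rest.split()))
    return rules

def lint(text):
    """Return findings for one service file; an empty list means clean."""
    rules = parse_pam(text)
    findings = []
    # openvpn-plugin-auth-pam runs pam_authenticate() then pam_acct_mgmt(); with no
    # 'account' rules that stage falls to the default stack and is denied (that is the
    # pam_warn(openvpn:account) line in the reporter's log).
    if not any(r.stage in ("account", "*") for r in rules):
        findings.append("no 'account' rules: pam_acct_mgmt() will fail")
    # forward_pass hands the system password to the NEXT auth module, which must
    # take it with use_first_pass; otherwise that password is never verified.
    auth = [r for r in rules if r.stage in ("auth", "*")]
    for i, r in enumerate(auth):
        if "forward_pass" in r.args and not any(
                {"use_first_pass", "try_first_pass"} & set(x.args) for x in auth[i + 1:]):
            findings.append("forward_pass set but no later auth module consumes the password")
    return findings

# Constructed: the reporter's single-line stack, which OpenVPN rejects.
REPORTER = ("auth required /usr/lib/security/pam_google_authenticator.so "
            "secret=/etc/openvpn/google-authenticator/${USER} user=gauth debug forward_pass\n")
# Constructed: OTP, then the system password, plus an account stage.
HARDENED = """auth    required pam_google_authenticator.so secret=/etc/openvpn/google-authenticator/${USER} user=gauth forward_pass
auth    required pam_unix.so use_first_pass
account required pam_unix.so
"""
```

Run lint() on the contents of /etc/pam.d/openvpn; `account sufficient pam_permit.so` and `account include system-auth` both satisfy the first check, but only a stack that verifies the forwarded password clears the second.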