Open sangaline opened 5 years ago
It does look like it succeeded, yes. I think it'll be hard to debug with the PAM fragment you show. If you used `pam_unix` then maybe that's what failed?
From the README of this project:

If you pass the `forward_pass` option, the `pam_google_authenticator` module queries the user for both the system password and the verification code in a single prompt. It then forwards the system password to the next PAM module, which will have to be configured with the `use_first_pass` option.
The fragment I showed is the entire PAM configuration, and I'm trying to configure it to work without any other modules. I have also tried the `use_first_pass` option and it gets the same result (succeeds in pam-google-authenticator logging, but openvpn reports failure). Is it possible that `pam_unix.so` is being used if it isn't specified in the openvpn config? I don't see any other PAM output in the system logs.
Why are you using `forward_pass` then? Does it work without it?
… and supplying only the code.
I wasn't using it because I thought it was specifically necessary, I just tried no option, `try_first_pass`, `use_first_pass`, and `forward_pass` sequentially to see if any of them worked (and `forward_pass` was the last one I tried). They all produce the same result.
I would be happy to provide anything else that would be relevant, just let me know. The libpam-google-authenticator version is 1.06-1 and the openvpn version is 2.4.7 if that helps.
No, I mean supplying only the OTP code at the password prompt, not password and OTP appended.
At this point I don't know. Looks like an OpenVPN question. Where does that `pam_warn` come from? Maybe after a successful `auth`, OpenVPN still needs `account` to succeed too?
It does sound like it, from the PAM documentation:

Account Management

The pam_acct_mgmt(3) function is used to determine if the user's account is valid. It checks for authentication token and account expiration and verifies access restrictions. It is typically called after the user has been authenticated.
Hi, I had a similar problem, I think. I started from this great post but after much trial and error I ended up with:

Server config:

```sh
# On the CentOS 7 server as root
yum install -y google-authenticator
mkdir -p /etc/openvpn/google-authenticator
chmod 0700 /etc/openvpn/google-authenticator

# Create a user
useradd -s /bin/nologin mickael.ange

# Configure Google Auth for the user
google-authenticator -w 3 -t -d -r3 -R30 -f -l "mickael.ange@vpn.example.com" -s /etc/openvpn/google-authenticator/mickael.ange

# Ensure 400 perm
chmod 400 /etc/openvpn/google-authenticator/mickael.ange
```

Configure the OpenVPN server (`vim /etc/openvpn/server.conf`):

```
plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so "openvpn login USERNAME password PASSWORD"
reneg-sec 0
```

Configure PAM (`vim /etc/pam.d/openvpn`):

```
# I had to use root user in place of gauth
auth required /lib64/security/pam_google_authenticator.so secret=/etc/openvpn/google-authenticator/${USER} user=root debug forward_pass
# The account section was the gotcha for me
account include system-auth
```

Client config:

```
# Need to add on the OpenVPN client config
auth-nocache
remote-cert-tls server
auth-user-pass
reneg-sec 0
```
@mickael-ange your answer is pure gold. After hours of debugging I found your most recent post. The line `account include system-auth` in `/etc/pam.d/openvpn` is absolutely required.

Background: now running on OpenVPN 2.5.0 and mostly following this guide (but also tried the one mentioned above): https://blog.amilstead.com/openvpn-google-authenticator-totp/
Thank you for your comments, they helped me figure out how to solve my issue. Though I still don't understand how this line (in `/etc/pam.d/openvpn`) solves it:

```
account sufficient pam_permit.so
```
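The posts above converge on one diagnosis: the OpenVPN auth-pam plugin runs the `account` stage after `auth`, so a service file that only has an `auth` line passes `pamtester ... authenticate` and still fails the VPN login. The script below is an added example, not code from this thread or from google-authenticator-libpam. It defines two helpers of my own (`pam_missing_stacks`, `pam_auth_and_account_defined`) that report which management groups a service file never defines, plus a `pam_probe` wrapper that drives pamtester(1) through the same two stages the plugin uses. The two sample service files are constructed for the demo; the one labelled "fixed" also shows the `forward_pass` / `use_first_pass` pairing from the README quoted earlier, which I assume is the layout you would want when the system password should be checked as well.

```sh
#!/bin/sh
# Added example, not code from the thread or from google-authenticator-libpam.
# Helpers (names are my own): report which PAM management groups a service
# file never defines, and probe a service the way the openvpn auth-pam plugin
# does (pam_authenticate followed by pam_acct_mgmt).

# Print, one per line, the groups among auth/account/session/password that
# FILE does not define. A leading '-' on the group ("-session optional ...")
# is tolerated. '@include' lines are skipped, so a group that only arrives via
# an included file is still reported as missing: check that file separately.
pam_missing_stacks() {
    file="$1"
    for group in auth account session password; do
        if ! awk -v g="$group" '
            /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comments, blanks
            $1 == "@include" { next }                        # not followed
            { t = $1; sub(/^-/, "", t) }                     # "-session" -> "session"
            t == g { found = 1 }
            END { exit found ? 0 : 1 }' "$file"; then
            echo "$group"
        fi
    done
}

# Succeed only if FILE defines both the auth and the account group, which is
# what pam_authenticate() followed by pam_acct_mgmt() needs.
pam_auth_and_account_defined() {
    for m in $(pam_missing_stacks "$1"); do
        case "$m" in auth|account) return 1 ;; esac
    done
    return 0
}

# Interactive probe mirroring the plugin: authenticate, then acct_mgmt.
# Needs pamtester(1); run as root against the real service name and user.
pam_probe() {
    pamtester -v "$1" "$2" authenticate acct_mgmt
}

# Constructed sample service files for the demo (not real system files).
tmpdir=$(mktemp -d)
trap 'rm -rf "$tmpdir"' EXIT

cat > "$tmpdir/openvpn-auth-only" <<'EOF'
# the shape the issue reporter describes: auth succeeds, nothing handles account
auth required pam_google_authenticator.so secret=/etc/openvpn/google-authenticator/${USER} user=root forward_pass
EOF

cat > "$tmpdir/openvpn-fixed" <<'EOF'
# password+OTP in one prompt, password forwarded to pam_unix, account handled
auth    required pam_google_authenticator.so secret=/etc/openvpn/google-authenticator/${USER} user=root forward_pass
auth    required pam_unix.so use_first_pass
account required pam_unix.so
EOF

for f in "$tmpdir/openvpn-auth-only" "$tmpdir/openvpn-fixed"; do
    printf '%s: missing groups: %s\n' "${f##*/}" "$(pam_missing_stacks "$f" | tr '\n' ' ')"
done
```

On a real box, `pam_probe openvpn someuser` is the quicker test: the first operation will succeed exactly as the OP's `pamtester` run did, and the second is the one that fails with an `auth`-only file. That is also why `account sufficient pam_permit.so` "works": `pam_permit` returns success unconditionally, so it gives the `account` stage something that passes without performing any expiry or access checks; `account include system-auth` (or `account required pam_unix.so`) keeps those checks.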
I'm trying to get google-authenticator-libpam working with openvpn, but I'm running into an issue where openvpn claims that verification failed while the logs for google-authenticator-libpam say that verification succeeded. My current PAM configuration is

and I reference this in my openvpn config with the following line (note that the openvpn config works fine if this line is commented out).

The authentication succeeds when using `pamtester`, but I get the following error from openvpn when I try to connect.

The corresponding logs for google-authenticator-libpam are

which seem to suggest that the verification actually did succeed.

Any ideas why google-authenticator-libpam is saying that verification succeeded while openvpn is saying that it failed?