google / google-authenticator-libpam

Apache License 2.0

it doesn't work on Ubuntu 18.04.4 LTS #156

Closed ghost closed 4 years ago

ghost commented 4 years ago

I have the following configuration in the server.conf:

port ****
proto udp
dev tun
user nobody
group nogroup
persist-key
persist-tun
keepalive 10 120
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 1.1.1.1"
push "redirect-gateway def1 bypass-dhcp"
dh none
ecdh-curve prime256v1
tls-crypt tls-crypt.key 0
crl-verify crl.pem
ca ca.crt
cert server_g81uVW7gyHv7GsTA.crt
key server_g81uVW7gyHv7GsTA.key
auth SHA256
cipher AES-128-GCM
ncp-ciphers AES-128-GCM
tls-server
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
status /var/log/openvpn/status.log
username-as-common-name
client-cert-not-required
plugin /usr/lib/x86_64-linux-gnu/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn
verb 3

and in my client file javi.ovpn:

client
proto udp
remote ******
dev tun
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
verify-x509-name server_*****name
auth SHA256
auth-nocache
cipher AES-128-GCM
tls-client
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
setenv opt block-outside-dns # Prevent Windows 10 DNS leak
auth-user-pass
auth-nocache
reneg-sec 0
static-challenge "Enter Google Authenticator Token" 1
verb 3
<ca>
-----BEGIN CERTIFICATE-----
MI
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
MII
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
M
-----END PRIVATE KEY-----
</key>
<tls-crypt>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
37

-----END OpenVPN Static key V1-----
</tls-crypt>

and in my pam file /etc/pam.d/openvpn:

auth required pam_google_authenticator.so

account [success=1 new_authtok_reqd=done default=ignore]        pam_unix.so
account requisite                       pam_deny.so
account required                        pam_permit.so

then I have my user created javi:

javi:x:1000:1000:javi,,,:/home/javi:/bin/bash

If I enter my username and password in the OpenVPN client it works, but if I enter the password + token it doesn't work.

tail /var/log/auth.log

debug: start of google_authenticator for "javi"
Mar 24 14:47:39 plantilla openvpn(pam_google_authenticator)[1186]: Failed to read "/home/javi/.google_authenticator" for "javi"

Anyone know what I'm doing wrong?

ThomasHabets commented 4 years ago

Isn't that supposed to be:

plugin /usr/lib/x86_64-linux-gnu/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn

?

The parameter is the name of the PAM config, not the openvpn config, no?

ghost commented 4 years ago

Isn't that supposed to be:

plugin /usr/lib/x86_64-linux-gnu/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn

?

The parameter is the name of the PAM config, not the openvpn config, no?

Yes, I corrected it.

ThomasHabets commented 4 years ago

Mar 24 14:47:39 plantilla openvpn(pam_google_authenticator)[1186]: Failed to read "/home/javi/.google_authenticator" for "javi"

And that file exists? If yes, maybe this is an SELinux issue. Could you temporarily disable SELinux to see if that works?

You can get it to work with selinux. I've just not set it up. Search past issues for selinux and you may find how to work around it.

ghost commented 4 years ago

yes

root@plantilla:/etc/pam.d# setenforce 0
setenforce: SELinux is disabled

drwxr-xr-x 4 javi javi 4096 mar 24 10:59 ../
-rw------- 1 javi javi  114 mar 24 13:15 .bash_history
-rw-r--r-- 1 javi javi  220 mar 24 10:59 .bash_logout
-rw-r--r-- 1 javi javi 3771 mar 24 10:59 .bashrc
-r-------- 1 javi javi   84 mar 24 13:14 .google_authenticator
-rw-r--r-- 1 javi javi  807 mar 24 10:59 .profile

Failed to read "/home/javi/.google_authenticator" for "javi"

:(

ThomasHabets commented 4 years ago

That's strange. Could you run strace -f -eopen,fstat -p [pid] on the server's openvpn, and try to connect again? It should show either open failing to open the file, or a failing fstat right after it opens it.

Unfortunately the code doesn't log the error while trying to read that file.

ghost commented 4 years ago

strace -f -eopen,fstat -p 2911
strace: Process 2911 attached
fstat(3, {st_mode=S_IFREG|0644, st_size=1255, ...}) = 0
fstat(4, {st_mode=S_IFREG|0644, st_size=31080, ...}) = 0
fstat(4, {st_mode=S_IFREG|0644, st_size=60272, ...}) = 0
fstat(4, {st_mode=S_IFREG|0644, st_size=22878, ...}) = 0
fstat(4, {st_mode=S_IFREG|0644, st_size=39208, ...}) = 0
fstat(4, {st_mode=S_IFREG|0644, st_size=154832, ...}) = 0
fstat(4, {st_mode=S_IFREG|0644, st_size=464824, ...}) = 0
fstat(4, {st_mode=S_IFREG|0444, st_size=0, ...}) = 0
fstat(4, {st_mode=S_IFREG|0644, st_size=5776, ...}) = 0
fstat(4, {st_mode=S_IFREG|0644, st_size=6104, ...}) = 0
fstat(3, {st_mode=S_IFREG|0644, st_size=520, ...}) = 0
fstat(4, {st_mode=S_IFREG|0644, st_size=1249, ...}) = 0
fstat(6, {st_mode=S_IFREG|0644, st_size=10080, ...}) = 0
fstat(6, {st_mode=S_IFREG|0644, st_size=22878, ...}) = 0
fstat(6, {st_mode=S_IFREG|0644, st_size=22768, ...}) = 0
fstat(4, {st_mode=S_IFREG|0644, st_size=1208, ...}) = 0
fstat(4, {st_mode=S_IFREG|0644, st_size=1440, ...}) = 0
fstat(4, {st_mode=S_IFREG|0644, st_size=1470, ...}) = 0
fstat(6, {st_mode=S_IFREG|0644, st_size=10376, ...}) = 0
fstat(6, {st_mode=S_IFREG|0644, st_size=258040, ...}) = 0
fstat(6, {st_mode=S_IFREG|0644, st_size=22878, ...}) = 0
fstat(6, {st_mode=S_IFREG|0644, st_size=14576, ...}) = 0
fstat(3, {st_mode=S_IFREG|0644, st_size=1555, ...}) = 0
fstat(3, {st_mode=S_IFREG|0644, st_size=1555, ...}) = 0
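
As an added example (not from the thread, the project, or either participant), a small Python parser for the strace output requested above: it joins each open/openat of the secret file with the fstat on the fd it returned and reports whether the read failed, and why. The trace lines are constructed, the /etc/google-authenticator/javi path is an assumption, and the parser shows the caveat that glibc's fopen() uses openat(), so a trace limited to -eopen (as above) never shows the open of the file at all.

```python
import re

# Constructed excerpt (not from the issue) of `strace -f -e trace=open,openat,fstat`
# on the OpenVPN server while a client authenticates. On glibc 2.26+ (Ubuntu 18.04
# ships 2.27) fopen() is implemented with openat(2), so a trace limited to -eopen
# shows no open of the secret file at all, only the fstat lines.
SAMPLE_TRACE = """\
[pid  2915] openat(AT_FDCWD, "/etc/pam.d/openvpn", O_RDONLY|O_CLOEXEC) = 4
[pid  2915] fstat(4, {st_mode=S_IFREG|0644, st_size=1555, ...}) = 0
[pid  2915] openat(AT_FDCWD, "/home/javi/.google_authenticator", O_RDONLY) = -1 EACCES (Permission denied)
[pid  2915] openat(AT_FDCWD, "/etc/google-authenticator/javi", O_RDONLY) = 5
[pid  2915] fstat(5, {st_mode=S_IFREG|0400, st_size=84, ...}) = 0
"""

# Optional "[pid N]" prefix (from -f), open or openat, optional dirfd, quoted path,
# flags, return value, and the errno symbol strace prints on failure.
OPEN_RE = re.compile(
    r'^(?:\[pid\s+(\d+)\]\s+)?(?:open|openat)\((?:\w+,\s*)?"([^"]+)",\s*[^)]*\)'
    r'\s*=\s*(-?\d+)(?:\s+(E[A-Z]+))?')
FSTAT_RE = re.compile(
    r'^(?:\[pid\s+(\d+)\]\s+)?fstat\((\d+),\s*\{st_mode=(\S+?),\s*st_size=(\d+)')


def analyze(trace, path):
    """One record per open/openat of `path`, joined with the fstat on the fd it returned."""
    events, pending = [], {}  # pending: (pid, fd) -> index of the event awaiting its fstat
    for line in trace.splitlines():
        m = OPEN_RE.match(line)
        if m:
            pid, target, ret, err = m.groups()
            if target == path:
                events.append({"pid": pid, "fd": int(ret), "error": err, "mode": None, "size": None})
                if int(ret) >= 0:
                    pending[(pid, int(ret))] = len(events) - 1
            continue
        m = FSTAT_RE.match(line)
        if m:
            pid, fd, mode, size = m.groups()
            idx = pending.pop((pid, int(fd)), None)
            if idx is not None:
                events[idx]["mode"], events[idx]["size"] = mode, int(size)
    return events


def verdict(trace, path):
    """Outcome of each attempt to read `path`, or a hint when the open was never traced."""
    events = analyze(trace, path)
    if not events:
        return "no open/openat of %s traced; use -e trace=open,openat,fstat" % path
    out = []
    for e in events:
        if e["error"]:
            out.append("open failed: %s" % e["error"])
        elif e["mode"]:
            out.append("opened, mode=%s size=%d" % (e["mode"], e["size"]))
        else:
            out.append("opened, but no fstat on fd %d" % e["fd"])
    return "; ".join(out)
```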

ghost commented 4 years ago

I have moved the folder to /etc/google-authenticator; now it returns the following:

Mar 24 18:55:18 plantilla openvpn(pam_google_authenticator)[1934]: Accepted google_authenticator for javi

But it does not connect: OpenVPN tells me the credentials are wrong, and I get the box to enter the password again. The logs are as follows:

Tue Mar 24 19:53:56 2020 OpenVPN 2.4.8 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Oct 31 2019
Tue Mar 24 19:53:56 2020 Windows version 6.2 (Windows 8 or greater) 64bit
Tue Mar 24 19:53:56 2020 library versions: OpenSSL 1.1.0l  10 Sep 2019, LZO 2.10
Enter Management Password:
Tue Mar 24 19:53:56 2020 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Tue Mar 24 19:53:56 2020 Need hold release from management interface, waiting...
Tue Mar 24 19:53:57 2020 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Tue Mar 24 19:53:57 2020 MANAGEMENT: CMD 'state on'
Tue Mar 24 19:53:57 2020 MANAGEMENT: CMD 'log all on'
Tue Mar 24 19:53:57 2020 MANAGEMENT: CMD 'echo all on'
Tue Mar 24 19:53:57 2020 MANAGEMENT: CMD 'bytecount 5'
Tue Mar 24 19:53:57 2020 MANAGEMENT: CMD 'hold off'
Tue Mar 24 19:53:57 2020 MANAGEMENT: CMD 'hold release'
Tue Mar 24 19:54:23 2020 MANAGEMENT: CMD 'username "Auth" "javi"'
Tue Mar 24 19:54:23 2020 MANAGEMENT: CMD 'password [...]'
Tue Mar 24 19:54:23 2020 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Tue Mar 24 19:54:23 2020 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Tue Mar 24 19:54:23 2020 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Tue Mar 24 19:54:23 2020 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Tue Mar 24 19:54:23 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]***
Tue Mar 24 19:54:23 2020 Socket Buffers: R=[65536->65536] S=[65536->65536]
Tue Mar 24 19:54:23 2020 UDP link local: (not bound)
Tue Mar 24 19:54:23 2020 UDP link remote: [AF_INET]********
Tue Mar 24 19:54:23 2020 MANAGEMENT: >STATE:1585076063,WAIT,,,,,,
Tue Mar 24 19:54:23 2020 MANAGEMENT: >STATE:1585076063,AUTH,,,,,,
Tue Mar 24 19:54:23 2020 TLS: Initial packet from [AF_INET]********, sid=9ea9d124 2991af92
Tue Mar 24 19:54:23 2020 VERIFY OK: depth=1, CN=cn_mscZYhibMmwTJY7Z
Tue Mar 24 19:54:23 2020 VERIFY KU OK
Tue Mar 24 19:54:23 2020 Validating certificate extended key usage
Tue Mar 24 19:54:23 2020 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Tue Mar 24 19:54:23 2020 VERIFY EKU OK
Tue Mar 24 19:54:23 2020 VERIFY X509NAME OK: CN=server_im4K7RqIoJ3ueqed
Tue Mar 24 19:54:23 2020 VERIFY OK: depth=0, CN=server_im4K7RqIoJ3ueqed
Tue Mar 24 19:54:23 2020 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256, 256 bit EC, curve: prime256v1
Tue Mar 24 19:54:23 2020 [server_im4K7RqIoJ3ueqed] Peer Connection Initiated with [AF_INET]192.168.1.200:1194
Tue Mar 24 19:54:24 2020 MANAGEMENT: >STATE:1585076064,GET_CONFIG,,,,,,
Tue Mar 24 19:54:24 2020 SENT CONTROL [server_im4K7RqIoJ3ueqed]: 'PUSH_REQUEST' (status=1)
Tue Mar 24 19:54:24 2020 AUTH: Received control message: AUTH_FAILED
Tue Mar 24 19:54:24 2020 SIGUSR1[soft,auth-failure] received, process restarting
Tue Mar 24 19:54:24 2020 MANAGEMENT: >STATE:1585076064,RECONNECTING,auth-failure,,,,,
Tue Mar 24 19:54:24 2020 Restart pause, 5 second(s)
Tue Mar 24 19:55:18 2020 MANAGEMENT: CMD 'username "Auth" "javi"'
Tue Mar 24 19:55:18 2020 MANAGEMENT: CMD 'password [...]'
Tue Mar 24 19:55:18 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]****
Tue Mar 24 19:55:18 2020 Socket Buffers: R=[65536->65536] S=[65536->65536]
Tue Mar 24 19:55:18 2020 UDP link local: (not bound)
Tue Mar 24 19:55:18 2020 UDP link remote: [AF_INET****
Tue Mar 24 19:55:18 2020 MANAGEMENT: >STATE:1585076118,WAIT,,,,,,
Tue Mar 24 19:55:18 2020 MANAGEMENT: >STATE:1585076118,AUTH,,,,,,
Tue Mar 24 19:55:18 2020 TLS: Initial packet from [AF_INET]***4, sid=26ba12b1 eeb8467b
Tue Mar 24 19:55:18 2020 VERIFY OK: depth=1, CN=cn_mscZYhibMmwTJY7Z
Tue Mar 24 19:55:18 2020 VERIFY KU OK
Tue Mar 24 19:55:18 2020 Validating certificate extended key usage
Tue Mar 24 19:55:18 2020 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Tue Mar 24 19:55:18 2020 VERIFY EKU OK
Tue Mar 24 19:55:18 2020 VERIFY X509NAME OK: CN=server_im4K7RqIoJ3ueqed
Tue Mar 24 19:55:18 2020 VERIFY OK: depth=0, CN=server_im4K7RqIoJ3ueqed
Tue Mar 24 19:55:18 2020 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256, 256 bit EC, curve: prime256v1
Tue Mar 24 19:55:18 2020 [server_im4K7RqIoJ3ueqed] Peer Connection Initiated with [AF_INET]****
Tue Mar 24 19:55:19 2020 MANAGEMENT: >STATE:1585076119,GET_CONFIG,,,,,,
Tue Mar 24 19:55:19 2020 SENT CONTROL [server_im4K7RqIoJ3ueqed]: 'PUSH_REQUEST' (status=1)
Tue Mar 24 19:55:19 2020 AUTH: Received control message: AUTH_FAILED
Tue Mar 24 19:55:19 2020 SIGUSR1[soft,auth-failure] received, process restarting
Tue Mar 24 19:55:19 2020 MANAGEMENT: >STATE:1585076119,RECONNECTING,auth-failure,,,,,
Tue Mar 24 19:55:19 2020 Restart pause, 5 second(s)

ThomasHabets commented 4 years ago

Looking through old bug #95 I found that the solution there is to do:

plugin /usr/lib/openvpn/plugins/openvpn-plugin-auth-pam.so "openvpn login USERNAME password PASSWORD"

Try that (but with your path, obviously)

ghost commented 4 years ago

Looking through old bug #95, I found that the solution there is to do:

plugin /usr/lib/openvpn/plugins/openvpn-plugin-auth-pam.so "openvpn login USERNAME password PASSWORD"

Try that (but with your path, obviously)

Works.