Closed VN1977 closed 3 years ago
Mode was always set to 0400, so that shouldn't be a problem.
Grace period is not written in a different way from anything else.
Strange.
Failed to store grace_period timestamp in config
is not output when a file fails to be written, but when the config fails to update in memory.
Enable debug and see if you get anything more interesting. Including what's logged as rhost by this code.
Enabled debug
Apr 14 16:18:20 ovpn-2fa openvpn(pam_google_auth)[16903]: debug: start of google_authenticator for "user"
Apr 14 16:18:20 ovpn-2fa openvpn(pam_google_auth)[16903]: debug: Secret file permissions are 0400. Allowed permissions are 0600
Apr 14 16:18:20 ovpn-2fa openvpn(pam_google_auth)[16903]: debug: "/home/domain.local/user/.google_authenticator" read
Apr 14 16:18:20 ovpn-2fa openvpn(pam_google_auth)[16903]: debug: shared secret in "/home/domain.local/user/.google_authenticator" processed
Apr 14 16:18:20 ovpn-2fa openvpn(pam_google_auth)[16903]: debug: google_authenticator for host "(null)"
Apr 14 16:18:20 ovpn-2fa openvpn(pam_google_auth)[16903]: debug: no scratch code used from "/home/domain.local/user/.google_authenticator"
Apr 14 16:18:20 ovpn-2fa openvpn(pam_google_auth)[16903]: Accepted google_authenticator for user
Apr 14 16:18:20 ovpn-2fa openvpn(pam_google_auth)[16903]: debug: google_authenticator for host "(null)"
Apr 14 16:18:20 ovpn-2fa openvpn(pam_google_auth)[16903]: Failed to store grace_period timestamp in config
Apr 14 16:18:20 ovpn-2fa openvpn(pam_google_auth)[16903]: debug: "/home/domain.local/user/.google_authenticator" written
Apr 14 16:18:20 ovpn-2fa openvpn(pam_google_auth)[16903]: debug: end of google_authenticator for "user". Result: Success

Apr 14 16:18:41 ovpn-2fa openvpn(pam_google_auth)[16903]: debug: start of google_authenticator for "user"
Apr 14 16:18:41 ovpn-2fa openvpn(pam_google_auth)[16903]: debug: Secret file permissions are 0400. Allowed permissions are 0600
Apr 14 16:18:41 ovpn-2fa openvpn(pam_google_auth)[16903]: debug: "/home/domain.local/user/.google_authenticator" read
Apr 14 16:18:41 ovpn-2fa openvpn(pam_google_auth)[16903]: debug: shared secret in "/home/domain.local/user/.google_authenticator" processed
Apr 14 16:18:41 ovpn-2fa openvpn(pam_google_auth)[16903]: debug: google_authenticator for host "(null)"
Apr 14 16:18:41 ovpn-2fa openvpn(pam_google_auth)[16903]: Invalid verification code for user
Apr 14 16:18:41 ovpn-2fa openvpn(pam_google_auth)[16903]: debug: "/home/domain.local/user/.google_authenticator" written
Apr 14 16:18:41 ovpn-2fa openvpn(pam_google_auth)[16903]: debug: end of google_authenticator for "user". Result: Authentication failure
Enable debug and see if you get anything more interesting. Including what's logged as rhost by this code.
Seems to me that nothing
Oh I see. It seems that openvpn doesn't tell pam the address of the remote end (PAM_RHOST).
That seems like a bug in openvpn, that prevents grace_period from working. Obviously it needs this information.
The problem really was in the openvpn plugin, but I didn't find a way to create the issue there. So I compiled the plugin for version 2.4.10 to support returning PAM_RHOST. File attached, maybe it helps somebody. openvpn-plugin-auth-pam.zip All the changes I made to the sources are published here.
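As an added example, not code from the thread or from the google-authenticator-libpam project: a small Python analyser for pam_google_auth debug lines in the format shown above. It groups each authentication attempt by the PAM client's PID and reports whether a failed grace_period write coincided with a missing PAM_RHOST (logged as "(null)"), which is the condition the maintainer identified. The sample log is constructed; the sshd attempt, its PID and the 203.0.113.7 address are assumptions.

```python
import re

# Patterns for the pam_google_auth debug lines shown in the thread.
PREFIX = r'^(?P<ts>\w{3} +\d+ [\d:]+) \S+ \S+\[(?P<pid>\d+)\]: '
START = re.compile(PREFIX + r'debug: start of google_authenticator for "(?P<user>[^"]+)"')
HOST = re.compile(PREFIX + r'debug: google_authenticator for host "(?P<host>[^"]*)"')
GRACE_FAIL = re.compile(PREFIX + r'Failed to store grace_period timestamp in config')
END = re.compile(PREFIX + r'debug: end of google_authenticator for .*Result: (?P<result>.+)$')

# Constructed sample in the thread's format: one attempt with no rhost, one with an address.
SAMPLE_LOG = """\
Apr 14 16:18:20 ovpn-2fa openvpn(pam_google_auth)[16903]: debug: start of google_authenticator for "user"
Apr 14 16:18:20 ovpn-2fa openvpn(pam_google_auth)[16903]: debug: google_authenticator for host "(null)"
Apr 14 16:18:20 ovpn-2fa openvpn(pam_google_auth)[16903]: Failed to store grace_period timestamp in config
Apr 14 16:18:20 ovpn-2fa openvpn(pam_google_auth)[16903]: debug: end of google_authenticator for "user". Result: Success
Apr 14 16:19:05 ovpn-2fa sshd(pam_google_auth)[17002]: debug: start of google_authenticator for "alice"
Apr 14 16:19:05 ovpn-2fa sshd(pam_google_auth)[17002]: debug: google_authenticator for host "203.0.113.7"
Apr 14 16:19:05 ovpn-2fa sshd(pam_google_auth)[17002]: debug: end of google_authenticator for "alice". Result: Success
"""

def parse_attempts(log_text):
    """Group lines into one record per authentication attempt, keyed by the PAM client's PID."""
    pending, done = {}, []
    for line in log_text.splitlines():
        if m := START.match(line):
            pending[m['pid']] = {'ts': m['ts'], 'pid': m['pid'], 'user': m['user'],
                                 'rhost': None, 'grace_failed': False, 'result': None}
        elif (m := HOST.match(line)) and m['pid'] in pending:
            # The module prints a NULL PAM_RHOST literally as "(null)".
            pending[m['pid']]['rhost'] = None if m['host'] == '(null)' else m['host']
        elif (m := GRACE_FAIL.match(line)) and m['pid'] in pending:
            pending[m['pid']]['grace_failed'] = True
        elif (m := END.match(line)) and m['pid'] in pending:
            rec = pending.pop(m['pid'])
            rec['result'] = m['result']
            done.append(rec)
    return done

def diagnose(attempts):
    """One finding per attempt whose grace_period timestamp could not be stored."""
    findings = []
    for a in attempts:
        if not a['grace_failed']:
            continue
        cause = ('PAM client passed no PAM_RHOST, so there is no peer address to record'
                 if a['rhost'] is None else 'PAM_RHOST present; check the secret file instead')
        findings.append(f"{a['ts']} pid={a['pid']} user={a['user']} result={a['result']}: {cause}")
    return findings
```

Run `diagnose(parse_attempts(open('/var/log/secure').read()))` on a host with debug enabled to list the attempts where the client (here OpenVPN) never supplied the remote address.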
Hi, we use the latest fresh CentOS 7 with SELinux disabled. We installed google-authenticator-libpam and generated .google_authenticator for a test user. The default permissions for this file are 0400 despite my umask of 0022. We tested authentication with OpenVPN, and everything was OK. But then we decided to test the grace_period option, and got the error:
Failed to store grace_period timestamp in config
It's because of 0400 instead of 0600 as written in the documentation. I changed the permissions for .google_authenticator to 0600 and tried again, but got the same error in /var/log/secure. And I was surprised that the permissions for the file were reverted back to 0400. I tried the same on another CentOS 7, then on Ubuntu 18, but with the same result. The default permission is 0400 and is restored to it if I change it to 0600 and connect. How do I solve the problem and use grace_period?