google / google-authenticator-libpam

TLS Auth Error: Auth Username/Password verification failed for peer #201

Closed zhaowei2021 closed 2 years ago

zhaowei2021 commented 2 years ago
Fri Aug  6 15:00:53 2021 10.0.19.205:41003 TLS: Initial packet from [AF_INET]10.0.19.205:41003, sid=e7ffb72f 89700f4e
Fri Aug  6 15:00:53 2021 10.0.19.205:41003 VERIFY OK: depth=1, C=CN, ST=BeiJing, L=BJ, O=volcano-force, OU=volcano-force, CN=volcano-force, name=volcano-force, emailAddress=it@volcano-force.cn
Fri Aug  6 15:00:53 2021 10.0.19.205:41003 VERIFY OK: depth=0, C=CN, ST=BeiJing, L=BJ, O=volcano-force, OU=volcano-force, CN=client, name=volcano-force, emailAddress=it@volcano-force.cn
Fri Aug  6 15:00:53 2021 10.0.19.205:41003 peer info: IV_VER=3.git::662eae9a:Release
Fri Aug  6 15:00:53 2021 10.0.19.205:41003 peer info: IV_PLAT=android
Fri Aug  6 15:00:53 2021 10.0.19.205:41003 peer info: IV_NCP=2
Fri Aug  6 15:00:53 2021 10.0.19.205:41003 peer info: IV_TCPNL=1
Fri Aug  6 15:00:53 2021 10.0.19.205:41003 peer info: IV_PROTO=2
Fri Aug  6 15:00:53 2021 10.0.19.205:41003 peer info: IV_LZO_STUB=1
Fri Aug  6 15:00:53 2021 10.0.19.205:41003 peer info: IV_COMP_STUB=1
Fri Aug  6 15:00:53 2021 10.0.19.205:41003 peer info: IV_COMP_STUBv2=1
Fri Aug  6 15:00:53 2021 10.0.19.205:41003 peer info: IV_GUI_VER=net.openvpn.connect.android_3.2.5-7182
Fri Aug  6 15:00:53 2021 10.0.19.205:41003 peer info: IV_SSO=openurl
**AUTH-PAM: BACKGROUND: user 'zhaowei' failed to authenticate: Authentication failure**
Fri Aug  6 15:00:54 2021 10.0.19.205:41003 PLUGIN_CALL: POST /opt/openvpn/openvpn-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
Fri Aug  6 15:00:54 2021 10.0.19.205:41003 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /opt/openvpn/openvpn-auth-pam.so
**Fri Aug  6 15:00:54 2021 10.0.19.205:41003 TLS Auth Error: Auth Username/Password verification failed for peer
Fri Aug  6 15:00:54 2021 10.0.19.205:41003 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #8 / time = (1628233252) Fri Aug  6 15:00:52 2021 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Fri Aug  6 15:00:54 2021 10.0.19.205:41003 TLS Error: incoming packet authentication failed from [AF_INET]10.0.19.205:41003**
Fri Aug  6 15:00:54 2021 10.0.19.205:41003 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Fri Aug  6 15:00:54 2021 10.0.19.205:41003 [client] Peer Connection Initiated with [AF_INET]10.0.19.205:41003
Fri Aug  6 15:00:54 2021 10.0.19.205:41003 PUSH: Received control message: 'PUSH_REQUEST'
Fri Aug  6 15:00:54 2021 10.0.19.205:41003 Delayed exit in 5 seconds
Fri Aug  6 15:00:54 2021 10.0.19.205:41003 SENT CONTROL [client]: 'AUTH_FAILED' (status=1)
Fri Aug  6 15:00:59 2021 10.0.19.205:41003 SIGTERM[soft,delayed-exit] received, client-instance exiting

ThomasHabets commented 2 years ago

ok? This needs way more information, such as config (both PAM and openvpn), and how password was entered. And debug logs.

zhaowei2021 commented 2 years ago

OK? This needs more information, such as the configuration (PAM and openvpn) and how the password was entered. And debug logs.

My openvpn server.conf:

```
local 10.0.4.138
port 1194
proto udp
dev tun
topology subnet
ca keys/ca.crt
cert keys/server.crt
key keys/server.key
dh keys/dh2048.pem
tls-auth keys/ta.key 0
server 172.16.251.0 255.255.255.0
push "route 10.8.0.0 255.255.0.0"
keepalive 10 120
comp-lzo
persist-key
persist-tun
cipher AES-256-CBC
verb 3
status logs/openvpn-status.log
log logs/openvpn.log
log-append logs/openvpn.log
plugin /opt/openvpn/openvpn-auth-pam.so "openvpn login USERNAME password PASSWORD pin OTP"
reneg-sec 0
username-as-common-name
```

client.conf:

```
client
dev tun
proto udp
remote 10.0.4.138 1194
resolv-retry infinite
remote-random
nobind
persist-key
persist-tun
ca ca.crt
cipher AES-256-CBC
auth-user-pass
auth-nocache
remote-cert-tls server
comp-lzo
static-challenge "Enter Google Authenticator Token" 1
reneg-sec 0
```

pam conf:

```
auth required pam_google_authenticator.so user=root secret=/export/data/google_auth/${USER} authtok_prompt=pin
auth [success=1 default=ignore] pam_unix.so nullok_secure
```

Thanks

zhaowei2021 commented 2 years ago

OK? This needs more information, such as the configuration (PAM and openvpn) and how the password was entered. And debug logs.

/var/log/secure:

```
Aug 6 15:40:27 localhost openvpn(pam_google_auth)[14219]: debug: start of google_authenticator for "zhaowei"
Aug 6 15:40:27 localhost openvpn(pam_google_auth)[14219]: debug: Secret file permissions are 0600. Allowed permissions are 0600
Aug 6 15:40:27 localhost openvpn(pam_google_auth)[14219]: debug: "/export/data/google_auth/zhaowei" read
Aug 6 15:40:27 localhost openvpn(pam_google_auth)[14219]: debug: shared secret in "/export/data/google_auth/zhaowei" processed
Aug 6 15:40:27 localhost openvpn(pam_google_auth)[14219]: debug: google_authenticator for host "(null)"
Aug 6 15:40:27 localhost openvpn(pam_google_auth)[14219]: Invalid verification code for zhaowei
Aug 6 15:40:27 localhost openvpn(pam_google_auth)[14219]: debug: end of google_authenticator for "zhaowei". Result: Authentication failure
Aug 6 15:40:27 localhost openvpn[14219]: pam_unix(openvpn:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=zhaowei
```