Open harald25 opened 2 years ago
Did you try the secret= option to the secrets somewhere outside of /home, just in case there's some security thing preventing /home files?
> Did you try the secret= option to the secrets somewhere outside of /home, just in case there's some security thing preventing /home files?
I did. I can see that the new path was picked up, because it changes in the log, but still the same access problem.
But, I just found out that starting OpenVPN "manually" from the command line as root fixes the problem. Letting systemctl start openvpn as a service results in this problem. I also discovered this in /var/log/audit/audit.log when I try logging in and it fails:
type=USER_AUTH msg=audit(1648722591.384:104370): pid=83667 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=? acct="harald25" exe="/usr/sbin/openvpn" hostname=? addr=? terminal=? res=failed'UID="root" AUID="unset"
Which changes to this when I run it as root and logging in works:
type=USER_AUTH msg=audit(1648722789.804:104388): pid=83789 uid=0 auid=0 ses=3440 msg='op=PAM:authentication grantors=pam_google_authenticator,pam_sss acct="harald25" exe="/usr/sbin/openvpn" hostname=fqdn.somedomain.com addr=? terminal=pts/2 res=success'^]UID="root" AUID="root"
So I guess this is not a problem with google-authenticator-libpam, and rather something to do with how OpenVPN is set up.
Yeah, sounds like it.
You could have whatever the non-root user is own all the secret files. Could work.
> Did you try the secret= option to the secrets somewhere outside of /home, just in case there's some security thing preventing /home files?
I did try this, and concluded it also didn't work. But I did sloppy work it seems. I've created a new folder under root (/googlemfa) and placed user directories with secret files there, and google_authenticator_libpam is able to read them now. I'd still like to understand why I'm getting permission problems in the home folder.
This is probably caused by your OpenVPN systemd unit having a protecthome option set. This is very difficult to debug.
> This is probably caused by your OpenVPN systemd unit having a protecthome option set. This is very difficult to debug.
Just to say that I had the exact same problem after upgrading OpenVPN on an Ubuntu Server, and your hint helped me fix the issue.
My systemd unit (/lib/systemd/system/openvpn-server@.service in my case) was upgraded with the option ProtectHome=true. I've edited it to ProtectHome=false, then reloaded the daemon with systemctl daemon-reload and restarted OpenVPN with systemctl restart openvpn-server@server.service. Now the problem is gone.
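Added example, not from this thread or the google-authenticator-libpam project: a small POSIX sh script that reports the effective ProtectHome= value of a unit (last assignment wins, drop-ins applied after the packaged unit) and writes the change as a drop-in under /etc/systemd/system/<unit>.d/ instead of editing the file under /lib, so a package upgrade like the one described above does not silently reintroduce the sandboxing. The unit and drop-in paths in the comments come from the thread; the unit file contents in the demo are constructed. Keeping ProtectHome=true and moving the secret files out of /home, as done earlier in the thread with /googlemfa, is the alternative that keeps the hardening in place.

```shell
#!/bin/sh
# Example script (not part of the issue thread). Shows the effective
# ProtectHome= setting of a systemd unit and applies an override as a
# drop-in so it survives package upgrades of the unit file itself.

# Print the effective ProtectHome= value for a unit file plus its drop-in
# directory. systemd reads drop-ins (sorted by name) after the main unit
# and the last assignment of a setting wins. Prints "unset" if the
# setting never appears anywhere.
effective_protecthome() {
    unit="$1"; dropin_dir="${2:?drop-in directory required}"
    val=unset
    for f in "$unit" "$dropin_dir"/*.conf; do
        [ -f "$f" ] || continue            # unmatched glob stays literal; skip it
        v=$(sed -n 's/^[[:space:]]*ProtectHome=[[:space:]]*//p' "$f" | tail -n 1)
        [ -n "$v" ] && val=$v
    done
    printf '%s\n' "$val"
}

# Write a drop-in override that sets ProtectHome= to the given value.
# The thread uses "false"; "read-only" is not enough for this module,
# because the secret file is updated when a code is consumed.
write_protecthome_dropin() {
    dropin_dir="$1"; value="$2"
    mkdir -p "$dropin_dir"
    printf '[Service]\nProtectHome=%s\n' "$value" > "$dropin_dir/override.conf"
}

# Demo on a constructed unit in a temporary directory. On the real system
# the unit is /lib/systemd/system/openvpn-server@.service and the drop-in
# directory is /etc/systemd/system/openvpn-server@.service.d/.
demo() {
    tmp=$(mktemp -d)
    printf '[Service]\nExecStart=/usr/sbin/openvpn\nProtectHome=true\n' \
        > "$tmp/unit.service"
    before=$(effective_protecthome "$tmp/unit.service" "$tmp/unit.service.d")
    write_protecthome_dropin "$tmp/unit.service.d" false
    after=$(effective_protecthome "$tmp/unit.service" "$tmp/unit.service.d")
    rm -rf "$tmp"
    printf '%s %s\n' "$before" "$after"    # → "true false"
}

demo
```

After writing the real drop-in, run systemctl daemon-reload and restart the unit as the reply above describes; systemctl show -p ProtectHome <unit> then confirms what systemd actually applied.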
Hi. I'm trying to set up MFA with google authenticator for OpenVPN on a newly installed Oracle Linux 8 server. This setup is exactly the same as for 4 other servers I've set up earlier with CentOS 8. Meaning that four more or less identical setups with, as far as I can tell, identical permissions on CentOS 8 are working without problems.
When I try to log in, I get this in the journald log. Same problem for all users I've tried.
'ls -la /home/harald25/.google_authenticator' gives me:
'ls -l /home' gives:
SELinux is disabled. The home directory is not encrypted. Changing permissions on home folder and secret file to 777 gives the exact same error. Not even a mention about permissions being too permissive.
Version:
dnf list installed | grep google
google-authenticator.x86_64 1.07-1.el8 @ol8_developer_EPEL
I'm using the OpenVPN pam plugin (from /etc/openvpn/server/mfa_udp.conf):
The OpenVPN PAM config file looks like this:
Changing it to this works:
So I know that the authentication with FreeIPA via SSS is working correctly.
I'm not sure where to proceed from here. Any tips will be greatly appreciated!