google / google-authenticator-libpam

Apache License 2.0

Failed to read .google_authenticator for user, but permissions seem correct #211

Open harald25 opened 2 years ago

harald25 commented 2 years ago

Hi. I'm trying to set up MFA with google authenticator for OpenVPN on a newly installed Oracle Linux 8 server. This setup is exactly the same as for 4 other servers I've set up earlier with CentOS 8. Meaning that four more or less identical setups with, as far as I can tell, identical permissions on CentOS 8 are working without problems.

When I try to log in, I get this in the journald log. Same problem for all users I've tried.

```
openvpn(pam_google_authenticator)[78599]: Failed to read "/home/harald25/.google_authenticator" for "harald25"
openvpn[78597]: AUTH-PAM: BACKGROUND: my_conv[0] query='Password & verification code: ' style=1
openvpn(pam_google_authenticator)[78599]: No secret configured for user harald25, asking for code anyway.
openvpn(pam_google_authenticator)[78599]: Invalid verification code for harald25
openvpn(pam_google_authenticator)[78599]: debug: end of google_authenticator for "harald25". Result: Authentication failure
```

`ls -la /home/harald25/.google_authenticator` gives me:

```
-r-------- 1 harald25 1063000000 215 Mar 31 09:24 /home/harald25/.google_authenticator
```

`ls -l /home` gives:

```
drwx------. 2 harald25 harald25 72 Mar 31 11:00 harald25
```

SELinux is disabled. The home directory is not encrypted. Changing permissions on home folder and secret file to 777 gives the exact same error. Not even a mention about permissions being too permissive.

Version:

```
dnf list installed | grep google
google-authenticator.x86_64    1.07-1.el8    @ol8_developer_EPEL
```

I'm using the OpenVPN pam plugin (from /etc/openvpn/server/mfa_udp.conf):

```
plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn
```

The OpenVPN PAM config file looks like this:

```
auth     required pam_google_authenticator.so debug forward_pass
auth     required pam_sss.so use_first_pass
password required pam_sss.so
account  required pam_sss.so
```

Changing it to this works:

```
auth     required pam_sss.so
password required pam_sss.so
account  required pam_sss.so
```

So I know that the authentication with FreeIPA via SSS is working correctly.

I'm not sure where to proceed from here. Any tips will be greatly appreciated!

ThomasHabets commented 2 years ago

Did you try the secret= option to the secrets somewhere outside of /home, just in case there's some security thing preventing /home files?

harald25 commented 2 years ago

> Did you try the secret= option to the secrets somewhere outside of /home, just in case there's some security thing preventing /home files?

I did. I can see that the new path was picked up, because it changes in the log, but still the same access problem.

But, I just found out that starting OpenVPN "manually" from the command line as root fixes the problem. Letting systemctl start openvpn as a service results in this problem. I also discovered this in /var/log/audit/audit.log when I try logging in and it fails:

```
type=USER_AUTH msg=audit(1648722591.384:104370): pid=83667 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=? acct="harald25" exe="/usr/sbin/openvpn" hostname=? addr=? terminal=? res=failed'UID="root" AUID="unset"
```

Which changes to this when I run as root and logging in works:

```
type=USER_AUTH msg=audit(1648722789.804:104388): pid=83789 uid=0 auid=0 ses=3440 msg='op=PAM:authentication grantors=pam_google_authenticator,pam_sss acct="harald25" exe="/usr/sbin/openvpn" hostname=fqdn.somedomain.com addr=? terminal=pts/2 res=success'^]UID="root" AUID="root"
```

So I guess this is not a problem with google-authenticator-libpam, and rather something to do with how OpenVPN is set up.

ThomasHabets commented 2 years ago

Yeah, sounds like it.

You could have whatever the non-root user is own all the secret files. Could work.

harald25 commented 2 years ago

> Did you try the secret= option to the secrets somewhere outside of /home, just in case there's some security thing preventing /home files?

I did try this, and concluded it also didn't work. But I did sloppy work it seems. I've created a new folder under root (/googlemfa) and placed user directories with secret files there, and google_authenticator_libpam is able to read them now. I'd still like to understand why I'm getting permission problems in the home folder.

brandonk10 commented 2 years ago

This is probably caused by your OpenVPN systemd unit having a protecthome option set. This is very difficult to debug.

il-mix commented 3 months ago

> This is probably caused by your OpenVPN systemd unit having a protecthome option set. This is very difficult to debug.

Just to say that I had the exact same problem after upgrading OpenVPN on an Ubuntu Server, and your hint helped me fix the issue. My systemd unit (`/lib/systemd/system/openvpn-server@.service` in my case) was upgraded with the option `ProtectHome=true`. I've edited it to `ProtectHome=false`, then reloaded the daemon with `systemctl daemon-reload` and restarted OpenVPN with `systemctl restart openvpn-server@server.service`. Now the problem is gone.
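The thread ends with the cause (a `ProtectHome=` directive in the OpenVPN service unit hides `/home` from the PAM module) and a fix that edits the packaged unit file. The script below is an added example, not code from this issue or from the google-authenticator-libpam project. It shows the check a practitioner would run on a unit file and its drop-ins to find the effective `ProtectHome=` value, and writes the override as a drop-in under a `.d` directory instead of editing the packaged unit, so the next package upgrade does not silently revert it. All paths are constructed under a temporary directory so it runs without systemd; the unit names mirror the ones from the thread.

```shell
#!/bin/sh
# Added example, not from the issue thread or from google-authenticator-libpam.
# Finds the effective ProtectHome= of a systemd unit (main file plus drop-ins)
# and writes an override as a drop-in rather than editing the packaged unit.
set -u

# Print the effective ProtectHome= value for a unit.
# $1 = unit file, $2 = drop-in directory (e.g. /etc/systemd/system/<unit>.d).
# systemd keeps the last assignment it parses, and drop-ins are read after the
# main unit in lexical order; the loop mirrors that precedence. When the
# directive is absent systemd defaults to "no".
protecthome_value() {
    unit="$1"; dropin_dir="${2:-}"
    value="no"
    for f in "$unit" "${dropin_dir:-/nonexistent}"/*.conf; do
        [ -f "$f" ] || continue
        v=$(sed -n 's/^[[:space:]]*ProtectHome[[:space:]]*=[[:space:]]*//p' "$f" | tail -n 1)
        [ -n "$v" ] && value="$v"
    done
    printf '%s\n' "$value"
}

# Exit 0 when the value prevents pam_google_authenticator from working on
# secrets kept under /home: "true"/"tmpfs" hide the directory entirely, and
# "read-only" breaks the module's rewrite of the secret file (it records
# used codes and rate-limit state there).
home_secrets_blocked() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        yes|true|on|1|tmpfs|read-only) return 0 ;;
        *) return 1 ;;
    esac
}

# Write a drop-in override instead of editing /lib/systemd/system/*.service,
# which a package upgrade would overwrite (as happened in the thread).
# $1 = drop-in directory, $2 = ProtectHome value to set (e.g. false).
write_protecthome_override() {
    mkdir -p "$1"
    printf '[Service]\nProtectHome=%s\n' "$2" > "$1/override.conf"
}

# Demo on a constructed unit under a temp dir, standing in for
# /lib/systemd/system/openvpn-server@.service and
# /etc/systemd/system/openvpn-server@.service.d on a real host.
tmp=$(mktemp -d)
unit="$tmp/openvpn-server@.service"
dropin="$tmp/openvpn-server@.service.d"
printf '[Service]\nExecStart=/usr/sbin/openvpn --config %%i.conf\nProtectHome=true\n' > "$unit"
cur=$(protecthome_value "$unit" "$dropin")
printf 'packaged unit: ProtectHome=%s\n' "$cur"
if home_secrets_blocked "$cur"; then
    printf 'secrets under /home are unreachable for this service; writing drop-in\n'
    write_protecthome_override "$dropin" false
fi
printf 'with override:  ProtectHome=%s\n' "$(protecthome_value "$unit" "$dropin")"
rm -rf "$tmp"
```

On a live host the equivalent check is `systemctl show -p ProtectHome openvpn-server@server.service`, and the drop-in belongs in `/etc/systemd/system/openvpn-server@.service.d/override.conf` followed by `systemctl daemon-reload` and a restart, as in the comment above. Dropping `ProtectHome=` to `false` is the quick fix, but it removes a sandboxing control from a network-facing daemon; the alternative ThomasHabets raised earlier in the thread keeps it in place: move the secrets out of `/home` and point the module at them with the `secret=` option (the module expands `${USER}` in that path), optionally with `user=` so the files are read and written as a dedicated unprivileged account. The assumed layout here would be a PAM line such as `auth required pam_google_authenticator.so secret=/var/lib/google-authenticator/${USER} user=gauth`, with that directory owned by `gauth` and mode 0700.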