Libpam with OpenVPN on Ubuntu 18.04

[mandarsh]

Ubuntu Version: 18.04 OpenVPN Version: 2.4.4 google-authenticator-libpam Version: Ubuntu pacakge version 20170702-1 (Which appears to be created from git hash 00065df)

I'm trying to set up 2fa with OpenVPN using google authenticator. In the OpenVPN server config I have the following line:

plugin /usr/lib/x86_64-linux-gnu/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn

Then in /etc/pam.d/openvpn I have:

auth required /lib/x86_64-linux-gnu/security/pam_google_authenticator.so

When I try logging into the openvpn server I see the following error in /var/auth.log:

openvpn(pam_google_authenticator)[20005]: Failed to read "/home/david/.google_authenticator" for "david"

Doing a ls -l on /home/david/.google_authenticator:

-r-------- 1 david users 129 May 22 19:19 /home/david/.google_authenticator

From doing a strace on the openvpn process, I see:

setfsuid(1002) = 0 setfsuid(1002) = 1002 openat(AT_FDCWD, "/home/david/.google_authenticator", O_RDONLY) = -1 EACCES (Permission denied)

Ok so for some reason due to permissions, it can't access the file even though user id 1002 corresponds to the user david.

Also I have google authenticator pam module set up with ssh. When I try connecting through SSH, it works just fine. Here's the strace from sshd:

[pid 20034] setfsuid(1002) = 0 [pid 20034] setfsuid(1002) = 1002 [pid 20034] openat(AT_FDCWD, "/home/david/.google_authenticator", O_RDONLY) = 4

I have no idea why the openat system call fails from the openvpn process.

[ThomasHabets]

Could be some SELinux thing. Try turning it off and see if it helps.

It should work, in general. https://github.com/google/google-authenticator-libpam/issues/95

[rinini]

I had the same issue. Ubuntu 18.04 uses a systemd script which does not work well with google authenticator out of the box. You need to change 2 things in the systemd script /lib/systemd/system/openvpn@.service :

• First you need to change the ProtectHome= directive to false. This is set to true out of the box, denying access to /home directories (and more) hence the permission denied error
• Secondly, you need to add CAP_AUDIT_WRITE as capability to the CapabilityBoundingSet directive as described here https://bugs.launchpad.net/ubuntu/+source/openvpn/+bug/1511524

These steps made it work for me.

[ThomasHabets]

I don't know how ProtectHome works, but possibly another option is to set the secret=/etc/ga/$USER/conf to store the secret files outside of /home.

[pol]

@ThomasHabets is on the right track, I think. It's safer to move the secrets to a different location than to unprotect $HOME. Also, in my case, it allows you to more easily decouple usernames from user home directories (if the user's home is not /home/$USER, then ga doesn't know where to find it, but if you are explicitly saving all secrets in /etc/ga/$USER/conf, then that isn't an issue).