[Openvpn-users] openvpn-auth-pam.so together with pam_access.so broken if openvpn is daemonized


  • From: Volker Sauer <volker@xxxxxxxxxxxxxxx>
  • Date: Tue, 4 Dec 2007 09:13:49 +0100

Hi,

here's a strange behaviour of openvpn-auth-pam.so in openvpn-2.0.9-4:

If I run openvpn from the shell without daemonizing it, openvpn-auth-pam.so
works well even with pam_access.so enabled.

My openvpn config contains:
plugin /usr/lib/openvpn/openvpn-auth-pam.so openvpn

/etc/pam.d/openvpn is like this:
# Standard Un*x authentication.
@include common-auth
account  required       pam_access.so
# Standard Un*x account and session
@include common-account
@include common-session
@include common-password

which enables me to grant or deny access via /etc/security/access.conf:
+:root vsauer:ALL
-:ALL:ALL

As I already said, this works perfectly when openvpn is not daemonized.


*If* openvpn *is* daemonized, I get:

Dec  3 23:58:22 suez ovpn-01-default-dvs1_bridging-port_53[1421]: 130.83.208.238:32771 PLUGIN_CALL: PRE type=PLUGIN_AUTH_USER_PASS_VERIFY
Dec  3 23:58:22 suez ovpn-01-default-dvs1_bridging-port_53[1421]: 130.83.208.238:32771 ARGV[0] = '/usr/lib/openvpn/openvpn-auth-pam.so'
Dec  3 23:58:22 suez ovpn-01-default-dvs1_bridging-port_53[1421]: 130.83.208.238:32771 ENVP[0] = 'untrusted_port=32771'
Dec  3 23:58:22 suez ovpn-01-default-dvs1_bridging-port_53[1421]: 130.83.208.238:32771 ENVP[1] = 'untrusted_ip=130.83.208.238'
Dec  3 23:58:22 suez ovpn-01-default-dvs1_bridging-port_53[1421]: 130.83.208.238:32771 ENVP[2] = 'password=XXXXXXXXXXX'
Dec  3 23:58:22 suez ovpn-01-default-dvs1_bridging-port_53[1421]: 130.83.208.238:32771 NOTE: --mute triggered...
Dec  3 23:58:23 suez ovpn-01-default-dvs1_bridging-port_53[1421]: 130.83.208.238:32771 11 variation(s) on previous 5 message(s) suppressed by --mute
Dec  3 23:58:23 suez ovpn-01-default-dvs1_bridging-port_53[1421]: 130.83.208.238:32771 PLUGIN_CALL: POST /usr/lib/openvpn/openvpn-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
Dec  3 23:58:23 suez ovpn-01-default-dvs1_bridging-port_53[1421]: 130.83.208.238:32771 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/lib/openvpn/openvpn-auth-pam.so
Dec  3 23:58:23 suez ovpn-01-default-dvs1_bridging-port_53[1421]: 130.83.208.238:32771 TLS Auth Error: Auth Username/Password verification failed for peer


Removing "account  required       pam_access.so" from /etc/pam.d/openvpn
solves the problem, but prevents me from limiting access to certain
NIS groups, which is not good.

I looked into the source code of openvpn-auth-pam.so and I see that
there is a method

static void daemonize (const char *envp[])

which seems to be called when openvpn is daemonized. But I don't
understand it.

Maybe someone could give me a hint what's going on here?

Regards
Volker
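The access.conf rules in the post are evaluated by pam_access with first-match-wins semantics, which is easy to get wrong when adding group-based lines. The following is an added example, not code from the post and not Linux-PAM's pam_access module: a small evaluator that applies the documented rule format (permission:users/groups:origins, '+' grants, '-' denies, 'ALL' matches everything, 'EXCEPT' carves out exceptions, no match means allow) to a username and origin, so candidate access.conf lines can be sanity-checked offline before they are deployed in /etc/pam.d/openvpn. It assumes an in-memory group table (constructed data) in place of getgrnam()/NIS lookups, and reduces origin matching to ALL, NONE, LOCAL, a leading-dot domain suffix, or an exact string; the POSTED_CONF and GROUP_CONF strings are constructed inputs, the second being a hypothetical group-restricted variant of the posted file.

```python
"""Minimal evaluator for pam_access-style /etc/security/access.conf rules.

Added example, not the poster's code and not Linux-PAM's pam_access.c.
Semantics mirrored from the pam_access documentation: lines are scanned top to
bottom, the first line matching both user and origin decides, '+' grants,
'-' denies, 'ALL' matches anything, 'EXCEPT' excludes, and a user that matches
no line is allowed.  Assumptions: group membership comes from an in-memory
table (constructed data) instead of getgrnam()/NIS, and origin matching is
reduced to ALL / NONE / LOCAL / .domain-suffix / exact string.
"""
from dataclasses import dataclass, field

# Constructed sample group map standing in for /etc/group or the NIS group map.
GROUPS = {
    "vpnusers": {"vsauer", "alice"},
    "wheel": {"root"},
}


@dataclass
class Rule:
    permit: bool
    users: list = field(default_factory=list)
    users_except: list = field(default_factory=list)
    origins: list = field(default_factory=list)
    origins_except: list = field(default_factory=list)


def _split_except(text):
    """Split 'a b EXCEPT c' into (['a', 'b'], ['c'])."""
    tokens = text.split()
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return tokens[:i], tokens[i + 1:]
    return tokens, []


def parse_access_conf(conf):
    """Parse access.conf text into Rule objects; '#' starts a comment."""
    rules = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = [p.strip() for p in line.split(":", 2)]
        if len(parts) != 3 or parts[0] not in ("+", "-"):
            raise ValueError(f"malformed access.conf line: {raw!r}")
        users, users_except = _split_except(parts[1])
        origins, origins_except = _split_except(parts[2])
        rules.append(Rule(parts[0] == "+", users, users_except, origins, origins_except))
    return rules


def _user_matches(token, user):
    if token == "ALL":
        return True
    if token.startswith("(") and token.endswith(")"):       # explicit (group) form
        return user in GROUPS.get(token[1:-1], set())
    return token == user or user in GROUPS.get(token, set())  # user name, else group name


def _origin_matches(token, origin):
    if token == "ALL":
        return True
    if token == "NONE":
        return False
    if token == "LOCAL":
        return "." not in origin          # pam_access: an origin without a dot is local
    if token.startswith("."):
        return origin.endswith(token)     # .example.org matches any host in that domain
    return token == origin


def _field_matches(tokens, excepts, value, matcher):
    return (any(matcher(t, value) for t in tokens)
            and not any(matcher(t, value) for t in excepts))


def access_allowed(rules, user, origin):
    """Return True if the first matching rule permits, or if no rule matches."""
    for r in rules:
        if (_field_matches(r.users, r.users_except, user, _user_matches)
                and _field_matches(r.origins, r.origins_except, origin, _origin_matches)):
            return r.permit
    return True


# Constructed copy of the access.conf shown in the post.
POSTED_CONF = """\
+:root vsauer:ALL
-:ALL:ALL
"""

# Constructed, hypothetical variant that restricts by group instead of by user.
GROUP_CONF = """\
+:(vpnusers) root:ALL
-:ALL:ALL
"""

if __name__ == "__main__":
    posted = parse_access_conf(POSTED_CONF)
    grouped = parse_access_conf(GROUP_CONF)
    for user in ("vsauer", "alice", "root", "mallory"):
        print(f"{user:8} posted={access_allowed(posted, user, '130.83.208.238')!s:5} "
              f"group={access_allowed(grouped, user, '130.83.208.238')}")
```

Note that the trailing "-:ALL:ALL" line is what turns the file into a default-deny policy: without it, pam_access grants access to any user who matches no earlier line, so a group-based line on its own only ever adds permissions.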
