Description
centos 7
openvpn: OpenVPN 2.4.6
server.conf
port 1194
proto tcp
dev tun
ca /etc/openvpn/certs/ca.crt
cert /etc/openvpn/certs/server.crt
key /etc/openvpn/certs/server.key
dh /etc/openvpn/certs/dh.pem
server 10.1.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 10.1.0.0 255.255.255.0"
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 114.114.114.114"
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log 10
status-version 2
log /var/log/openvpn.log
verb 3
plugin /etc/openvpn/openvpn-plugin-auth-pam.so openvpn
client-cert-not-required
username-as-common-name
reneg-sec 0
client:
client
dev tun0
proto tcp
remote 10.0.12.36 1194
resolv-retry infinite
persist-key
persist-tun
ca ca.crt
nobind
auth-user-pass
reneg-sec 0
auth-nocache
comp-lzo
verb 4
pam for openvpn:
auth required pam_mysql.so user=xxx passwd=xxxx host=localhost db=xxx table=openvpn usercolumn=username passwdcolumn=password where=active=1 crypt=sha1 use_first_pass debug
auth required pam_google_authenticator.so secret=/etc/openvpn/google-auth/${USER} user=root echo_verification_code debug forward_pass no_increment_hotp
account required pam_permit.so debug
On the client I use password + Google code; it fails. Logs:
Feb 19 17:15:26 10.0.12.36 openvpn[15876]: pam_mysql - option debug is set to ""
Feb 19 17:15:26 10.0.12.36 openvpn[15876]: pam_mysql - pam_mysql_close_db() called.
Feb 19 17:15:26 10.0.12.36 openvpn[15876]: pam_mysql - pam_sm_authenticate() called.
Feb 19 17:15:26 10.0.12.36 openvpn[15876]: pam_mysql - pam_mysql_open_db() called.
Feb 19 17:15:26 10.0.12.36 openvpn[15876]: pam_mysql - pam_mysql_open_db() returning 0.
Feb 19 17:15:26 10.0.12.36 openvpn[15876]: pam_mysql - pam_mysql_check_passwd() called.
Feb 19 17:15:26 10.0.12.36 openvpn[15876]: pam_mysql - pam_mysql_format_string() called
Feb 19 17:15:26 10.0.12.36 openvpn[15876]: pam_mysql - pam_mysql_quick_escape() called.
Feb 19 17:15:26 10.0.12.36 openvpn[15876]: pam_mysql - SELECT password FROM openvpn WHERE username = 'admin' AND (active=1)
Feb 19 17:15:26 10.0.12.36 openvpn[15876]: pam_mysql - pam_mysql_check_passwd() returning 6.
Feb 19 17:15:26 10.0.12.36 openvpn[15876]: pam_mysql - pam_mysql_sql_log() called.
Feb 19 17:15:26 10.0.12.36 openvpn[15876]: pam_mysql - pam_mysql_sql_log() returning 0.
Feb 19 17:15:26 10.0.12.36 openvpn[15876]: pam_mysql - pam_sm_authenticate() returning 7.
Feb 19 17:15:26 10.0.12.36 openvpn(pam_google_authenticator)[15876]: debug: start of google_authenticator for "admin"
Feb 19 17:15:26 10.0.12.36 openvpn(pam_google_authenticator)[15876]: debug: Secret file permissions are 0400. Allowed permissions are 0600
Feb 19 17:15:26 10.0.12.36 openvpn(pam_google_authenticator)[15876]: debug: "/etc/openvpn/google-auth/admin" read
Feb 19 17:15:26 10.0.12.36 openvpn(pam_google_authenticator)[15876]: debug: shared secret in "/etc/openvpn/google-auth/admin" processed
Feb 19 17:15:26 10.0.12.36 openvpn(pam_google_authenticator)[15876]: Invalid verification code for admin
Feb 19 17:15:26 10.0.12.36 openvpn(pam_google_authenticator)[15876]: debug: "/etc/openvpn/google-auth/admin" written
Feb 19 17:15:26 10.0.12.36 openvpn[15876]: pam_mysql - pam_mysql_release_ctx() called.
Feb 19 17:15:26 10.0.12.36 openvpn[15876]: pam_mysql - pam_mysql_destroy_ctx() called.
Feb 19 17:15:26 10.0.12.36 openvpn[15876]: pam_mysql - pam_mysql_close_db() called.
If I use a command like:
pamtester openvpn admin authenticate
Password & verification code: xxxxxxxxx
pamtester: Authentication failure
Failure log:
Feb 19 17:27:00 10.0.12.36 pamtester: pam_mysql - option debug is set to ""
Feb 19 17:27:00 10.0.12.36 pamtester: pam_mysql - pam_mysql_close_db() called.
Feb 19 17:27:00 10.0.12.36 pamtester: pam_mysql - pam_sm_authenticate() called.
Feb 19 17:27:00 10.0.12.36 pamtester: pam_mysql - pam_mysql_open_db() called.
Feb 19 17:27:00 10.0.12.36 pamtester: pam_mysql - pam_mysql_open_db() returning 0.
Feb 19 17:27:00 10.0.12.36 pamtester: pam_mysql - pam_mysql_check_passwd() called.
Feb 19 17:27:00 10.0.12.36 pamtester: pam_mysql - pam_mysql_format_string() called
Feb 19 17:27:00 10.0.12.36 pamtester: pam_mysql - pam_mysql_quick_escape() called.
Feb 19 17:27:00 10.0.12.36 pamtester: pam_mysql - SELECT password FROM openvpn WHERE username = 'admin' AND (active=1)
Feb 19 17:27:00 10.0.12.36 pamtester: pam_mysql - pam_mysql_check_passwd() returning 6.
Feb 19 17:27:00 10.0.12.36 pamtester: pam_mysql - pam_mysql_sql_log() called.
Feb 19 17:27:00 10.0.12.36 pamtester: pam_mysql - pam_mysql_sql_log() returning 0.
Feb 19 17:27:00 10.0.12.36 pamtester: pam_mysql - pam_sm_authenticate() returning 7.
Feb 19 17:27:00 10.0.12.36 openvpn(pam_google_authenticator)[16863]: debug: start of google_authenticator for "admin"
Feb 19 17:27:00 10.0.12.36 openvpn(pam_google_authenticator)[16863]: debug: Secret file permissions are 0400. Allowed permissions are 0600
Feb 19 17:27:00 10.0.12.36 openvpn(pam_google_authenticator)[16863]: debug: "/etc/openvpn/google-auth/admin" read
Feb 19 17:27:00 10.0.12.36 openvpn(pam_google_authenticator)[16863]: debug: shared secret in "/etc/openvpn/google-auth/admin" processed
Feb 19 17:27:08 10.0.12.36 openvpn(pam_google_authenticator)[16863]: debug: no scratch code used from "/etc/openvpn/google-auth/admin"
Feb 19 17:27:08 10.0.12.36 openvpn(pam_google_authenticator)[16863]: Accepted google_authenticator for admin
Feb 19 17:27:08 10.0.12.36 openvpn(pam_google_authenticator)[16863]: debug: "/etc/openvpn/google-auth/admin" written
Feb 19 17:27:08 10.0.12.36 pamtester[16863]: pam_mysql - pam_mysql_release_ctx() called.
Feb 19 17:27:08 10.0.12.36 pamtester[16863]: pam_mysql - pam_mysql_destroy_ctx() called.
Feb 19 17:27:08 10.0.12.36 pamtester[16863]: pam_mysql - pam_mysql_close_db() called.
If I remove `auth required pam_mysql.so user......`, OpenVPN is OK with Google OTP.
How do I use username + password & Google OTP to access OpenVPN? Thanks.
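Editor's note and example, not text or configuration from the issue author or from the pam_google_authenticator project. The logs above show where the stack breaks: with `use_first_pass`, pam_mysql takes the whole prompt answer (password and verification code typed as one string) as the password, so the SELECT runs but the comparison fails and `pam_sm_authenticate()` returns 7 (PAM_AUTH_ERR). The `forward_pass` option on pam_google_authenticator only helps modules that run after it: it strips the verification code from the end of the string and forwards the remaining password to the next module. Because both modules are `required`, the later Google Authenticator success cannot rescue a stack that pam_mysql has already failed. Putting pam_google_authenticator first with `forward_pass` and pam_mysql second with `use_first_pass` is the arrangement the module's documentation describes for single-prompt clients such as OpenVPN. DB credentials, paths and column names are copied from the issue; the file name /etc/pam.d/openvpn is an assumption that matches the `openvpn` service name passed to openvpn-plugin-auth-pam.so in server.conf.

```text
# /etc/pam.d/openvpn   (assumed location; the service name must match the
# argument given to openvpn-plugin-auth-pam.so in server.conf)
#
# 1. pam_google_authenticator first. It prompts once for "password+code",
#    checks the code typed at the end of the string and, because of
#    forward_pass, hands the remaining password to the next module.
#    echo_verification_code is dropped on purpose: with forward_pass it
#    would echo the password as well as the code.
auth    required pam_google_authenticator.so secret=/etc/openvpn/google-auth/${USER} user=root forward_pass no_increment_hotp
#
# 2. pam_mysql second. use_first_pass makes it consume the password that
#    pam_google_authenticator forwarded instead of prompting again.
auth    required pam_mysql.so user=xxx passwd=xxxx host=localhost db=xxx table=openvpn usercolumn=username passwdcolumn=password where=active=1 crypt=sha1 use_first_pass
#
account required pam_permit.so
```

Check it the same way the issue already does, with `pamtester openvpn admin authenticate`, entering the password immediately followed by the current code as one string; with `debug` temporarily added to both modules, the log should now show `Accepted google_authenticator for admin` first and then pam_mysql returning 0. Two caveats a reviewer would raise on this server.conf: `client-cert-not-required` means this PAM stack is the only thing authenticating a client, so its ordering is the whole of authentication; and `crypt=sha1` in pam_mysql compares against unsalted SHA-1 digests in the `openvpn` table, which is a weak way to store the password half of this two-factor login.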