Giancarlo Razzolini wrote:
First, try increasing the verbosity to a number greater than or equal to 7.
Then the auth-pam plugin will be much more verbose with you. Then take a
look at the logs, they will surely help you. If not, then try creating a
separate service entry for openvpn in the /etc/pam.d directory,
pointing to system-auth. And thirdly you might want to take a look at a
plugin I developed for openvpn that authenticates users from shadow:
http://auth-passwd.sourceforge.net
Try it if you are authenticating plain unix users. If you are using pam
to authenticate users on an ldap directory, or nis, then keep using the
auth-pam plugin. If all of the above doesn't solve your situation, then
paste your log here (with verbosity greater than or equal to 7).

OK, I've attached a log with verbosity set to 7 (I hope this mailing
list can cope with attachments, if not then let me know and I'll upload
it somewhere). While it gives me plenty of information about the OpenVPN
process, I still only seem to get two lines regarding the PAM plugin.

Thanks for the link to your plugin, this may do what I want for now,
although ultimately it might be nice if I could authenticate either
against our departmental eDirectory system, or the campus wide Active
Directory (means people only have one password to remember!).

I assume that if I use your plugin, I can stop the users actually SSHing
to the VPN server by just giving them a /sbin/nologin shell?

Thanks,
Gavin

Jun 1 08:27:44 el03 openvpn[20853]: Current Parameter Settings:
Jun 1 08:27:44 el03 openvpn[20853]: config = 'eleceng.conf'
Jun 1 08:27:44 el03 openvpn[20853]: mode = 1
Jun 1 08:27:44 el03 openvpn[20853]: persist_config = DISABLED
Jun 1 08:27:44 el03 openvpn[20853]: persist_mode = 1
Jun 1 08:27:44 el03 openvpn[20853]: show_ciphers = DISABLED
Jun 1 08:27:44 el03 openvpn[20853]: show_digests = DISABLED
Jun 1 08:27:44 el03 openvpn[20853]: show_engines = DISABLED
Jun 1 08:27:44 el03 openvpn[20853]: genkey = DISABLED
Jun 1 08:27:44 el03 openvpn[20853]: key_pass_file = '[UNDEF]'
Jun 1 08:27:44 el03 openvpn[20853]: show_tls_ciphers = DISABLED
Jun 1 08:27:44 el03 openvpn[20853]: proto = 0
Jun 1 08:27:44 el03 openvpn[20853]: local = '[UNDEF]'
Jun 1 08:27:44 el03 openvpn[20853]: remote_list = NULL
Jun 1 08:27:44 el03 openvpn[20853]: remote_random = DISABLED
Jun 1 08:27:44 el03 openvpn[20853]: local_port = 1194
Jun 1 08:27:44 el03 openvpn[20853]: remote_port = 1194
Jun 1 08:27:44 el03 openvpn[20853]: remote_float = DISABLED
Jun 1 08:27:44 el03 openvpn[20853]: ipchange = '[UNDEF]'
Jun 1 08:27:44 el03 openvpn[20853]: bind_local = ENABLED
Jun 1 08:27:44 el03 openvpn[20853]: dev = 'tun'
Jun 1 08:27:44 el03 openvpn[20853]: dev_type = '[UNDEF]'
Jun 1 08:27:44 el03 openvpn[20853]: dev_node = '[UNDEF]'
Jun 1 08:27:44 el03 openvpn[20853]: tun_ipv6 = DISABLED
Jun 1 08:27:44 el03 openvpn[20853]: ifconfig_local = '10.89.1.1'
Jun 1 08:27:44 el03 openvpn[20853]: ifconfig_remote_netmask = '10.89.1.2'
Jun 1 08:27:44 el03 openvpn[20853]: ifconfig_noexec = DISABLED
Jun 1 08:27:44 el03 openvpn[20853]: ifconfig_nowarn = DISABLED
Jun 1 08:27:44 el03 openvpn[20853]: shaper = 0
Jun 1 08:27:44 el03 openvpn[20853]: tun_mtu = 1500
Jun 1 08:27:44 el03 openvpn[20853]: tun_mtu_defined = ENABLED
Jun 1 08:27:44 el03 openvpn[20853]: link_mtu = 1500
Jun 1 08:27:44 el03 openvpn[20853]: link_mtu_defined = DISABLED
Jun 1 08:27:44 el03 openvpn[20853]: tun_mtu_extra = 0
Jun 1 08:27:44 el03 openvpn[20853]: tun_mtu_extra_defined = DISABLED
Jun 1 08:27:44 el03 openvpn[20853]: fragment = 0
Jun 1 08:27:44 el03 openvpn[20853]: mtu_discover_type = -1
Jun 1 08:27:44 el03 openvpn[20853]: mtu_test = 0
Jun 1 08:27:44 el03 openvpn[20853]: mlock = DISABLED
Jun 1 08:27:44 el03 openvpn[20853]: keepalive_ping = 10
Jun 1 08:27:44 el03 openvpn[20853]: keepalive_timeout = 60
Jun 1 08:27:44 el03 openvpn[20853]: inactivity_timeout = 0
Jun 1 08:27:44 el03 openvpn[20853]: ping_send_timeout = 10
Jun 1 08:27:44 el03 openvpn[20853]: ping_rec_timeout = 120
Jun 1 08:27:44 el03 openvpn[20853]: ping_rec_timeout_action = 2
Jun 1 08:27:44 el03 openvpn[20853]: ping_timer_remote = DISABLED
Jun 1 08:27:44 el03 openvpn[20853]: remap_sigusr1 = 0
Jun 1 08:27:44 el03 openvpn[20853]: explicit_exit_notification = 0
Jun 1 08:27:44 el03 openvpn[20853]: persist_tun = ENABLED
Jun 1 08:27:44 el03 openvpn[20853]: persist_local_ip = DISABLED
Jun 1 08:27:44 el03 openvpn[20853]: persist_remote_ip = DISABLED
Jun 1 08:27:44 el03 openvpn[20853]: persist_key = ENABLED
Jun 1 08:27:44 el03 openvpn[20853]: mssfix = 1450
Jun 1 08:27:44 el03 openvpn[20853]: passtos = DISABLED
Jun 1 08:27:44 el03 openvpn[20853]: resolve_retry_seconds = 1000000000
Jun 1 08:27:44 el03 openvpn[20853]: connect_retry_seconds = 5
Jun 1 08:27:44 el03 openvpn[20853]: username = 'nobody'
Jun 1 08:27:44 el03 openvpn[20853]: groupname = 'nobody'
Jun 1 08:27:44 el03 openvpn[20853]: chroot_dir = '[UNDEF]'
Jun 1 08:27:44 el03 openvpn[20853]: cd_dir = '/etc/openvpn'
Jun 1 08:27:44 el03 openvpn[20853]: writepid = '/var/run/openvpn/eleceng.pid'
Jun 1 08:27:44 el03 openvpn[20853]: up_script = '[UNDEF]'
Jun 1 08:27:44 el03 openvpn[20853]: down_script = '[UNDEF]'
Jun 1 08:27:44 el03 openvpn[20853]: down_pre = DISABLED
Jun 1 08:27:44 el03 openvpn[20853]: up_restart = DISABLED
Jun 1 08:27:44 el03 openvpn[20853]: up_delay = DISABLED
Jun 1 08:27:44 el03 openvpn[20853]: daemon = ENABLED
Jun 1 08:27:44 el03 openvpn[20853]: inetd = 0
Jun 1 08:27:44 el03 openvpn[20853]: log = DISABLED
Jun 1 08:27:44 el03 openvpn[20853]: suppress_timestamps = DISABLED
Jun 1 08:27:44 el03 openvpn[20853]: nice = 0
Jun 1 08:27:44 el03 openvpn[20853]: verbosity = 7
Jun 1 08:27:44 el03 openvpn[20853]: mute = 0
Jun 1 08:27:44 el03 openvpn[20853]: gremlin = 0
Jun 1 08:27:44 el03 openvpn[20853]: status_file = 'openvpn-status.log'
Jun 1 08:27:44 el03 openvpn[20853]: status_file_version = 1
Jun 1 08:27:44 el03 openvpn[20853]: status_file_update_freq = 60
Jun 1 08:27:44 el03 openvpn[20853]: occ = ENABLED
Jun 1 08:27:44 el03 openvpn[20853]: rcvbuf = 65536
Jun 1 08:27:44 el03 openvpn[20853]: sndbuf = 65536
Jun 1 08:27:44 el03 openvpn[20853]: socks_proxy_server = '[UNDEF]'
Jun 1 08:27:44 el03 openvpn[20853]: socks_proxy_port = 0
Jun 1 08:27:44 el03 openvpn[20853]: socks_proxy_retry = DISABLED
Jun 1 08:27:44 el03 openvpn[20853]: fast_io = DISABLED
Jun 1 08:27:44 el03 openvpn[20853]: comp_lzo = ENABLED
Jun 1 08:27:44 el03 openvpn[20853]: comp_lzo_adaptive = ENABLED
Jun 1 08:27:44 el03 openvpn[20853]: route_script = '[UNDEF]'
Jun 1 08:27:44 el03 openvpn[20853]: route_default_gateway = '[UNDEF]'
Jun 1 08:27:44 el03 openvpn[20853]: route_noexec = DISABLED
Jun 1 08:27:44 el03 openvpn[20853]: route_delay = 0
Jun 1 08:27:44 el03 openvpn[20853]: route_delay_window = 30
Jun 1 08:27:44 el03 openvpn[20853]: route_delay_defined = DISABLED
Jun 1 08:27:44 el03 openvpn[20853]: route 10.89.1.0/255.255.255.0/nil/nil
Jun 1 08:27:44 el03 openvpn[20853]: management_addr = '[UNDEF]'
Jun 1 08:27:44 el03 openvpn[20853]: management_port = 0
Jun 1 08:27:44 el03 openvpn[20853]: management_user_pass = '[UNDEF]'
Jun 1 08:27:44 el03 openvpn[20853]: management_log_history_cache = 250
Jun 1 08:27:44 el03 openvpn[20853]: management_echo_buffer_size = 100
Jun 1 08:27:44 el03 openvpn[20853]: management_query_passwords = DISABLED
Jun 1 08:27:44 el03 openvpn[20853]: management_hold = DISABLED
Jun 1 08:27:44 el03 openvpn[20853]: plugin[0] /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so 'login'
Jun 1 08:27:44 el03 openvpn[20853]: shared_secret_file = '[UNDEF]'
Jun 1 08:27:44 el03 openvpn[20853]: key_direction = 0
Jun 1 08:27:44 el03 openvpn[20853]: ciphername_defined = ENABLED
Jun 1 08:27:44 el03 openvpn[20853]: ciphername = 'BF-CBC'
Jun 1 08:27:44 el03 openvpn[20853]: authname_defined = ENABLED
Jun 1 08:27:44 el03 openvpn[20853]: authname = 'SHA1'
Jun 1 08:27:44 el03 openvpn[20853]: keysize = 0
Jun 1 08:27:44 el03 openvpn[20853]: engine = DISABLED
Jun 1 08:27:44 el03 openvpn[20853]: replay = ENABLED
Jun 1 08:27:44 el03 openvpn[20853]: mute_replay_warnings = DISABLED
Jun 1 08:27:44 el03 openvpn[20853]: replay_window = 64
Jun 1 08:27:44 el03 openvpn[20853]: replay_time = 15
Jun 1 08:27:44 el03 openvpn[20853]: packet_id_file = '[UNDEF]'
Jun 1 08:27:44 el03 openvpn[20853]: use_iv = ENABLED
Jun 1 08:27:44 el03 openvpn[20853]: test_crypto = DISABLED
Jun 1 08:27:44 el03 openvpn[20853]: tls_server = ENABLED
Jun 1 08:27:44 el03 openvpn[20853]: tls_client = DISABLED
Jun 1 08:27:44 el03 openvpn[20853]: key_method = 2
Jun 1 08:27:44 el03 openvpn[20853]: ca_file = '/etc/openvpn/eleceng/keys/ca.crt'
Jun 1 08:27:44 el03 openvpn[20853]: dh_file = '/etc/openvpn/eleceng/keys/dh2048.pem'
Jun 1 08:27:44 el03 openvpn[20853]: cert_file = '/etc/openvpn/eleceng/keys/elec-vpnserver.crt'
Jun 1 08:27:44 el03 openvpn[20853]: priv_key_file = '/etc/openvpn/eleceng/keys/elec-vpnserver.key'
Jun 1 08:27:44 el03 openvpn[20853]: pkcs12_file = '[UNDEF]'
Jun 1 08:27:44 el03 openvpn[20853]: cipher_list = '[UNDEF]'
Jun 1 08:27:44 el03 openvpn[20853]: tls_verify = '[UNDEF]'
Jun 1 08:27:44 el03 openvpn[20853]: tls_remote = '[UNDEF]'
Jun 1 08:27:44 el03 openvpn[20853]: crl_file = '[UNDEF]'
Jun 1 08:27:44 el03 openvpn[20853]: ns_cert_type = 0
Jun 1 08:27:44 el03 openvpn[20853]: tls_timeout = 2
Jun 1 08:27:44 el03 openvpn[20853]: renegotiate_bytes = 0
Jun 1 08:27:44 el03 openvpn[20853]: renegotiate_packets = 0
Jun 1 08:27:44 el03 openvpn[20853]: renegotiate_seconds = 3600
Jun 1 08:27:44 el03 openvpn[20853]: handshake_window = 60
Jun 1 08:27:44 el03 openvpn[20853]: transition_window = 3600
Jun 1 08:27:44 el03 openvpn[20853]: single_session = DISABLED
Jun 1 08:27:44 el03 openvpn[20853]: tls_exit = DISABLED
Jun 1 08:27:44 el03 openvpn[20853]: tls_auth_file = '[UNDEF]'
Jun 1 08:27:44 el03 openvpn[20853]: server_network = 10.89.1.0
Jun 1 08:27:44 el03 openvpn[20853]: server_netmask = 255.255.255.0
Jun 1 08:27:44 el03 openvpn[20853]: server_bridge_ip = 0.0.0.0
Jun 1 08:27:44 el03 openvpn[20853]: server_bridge_netmask = 0.0.0.0
Jun 1 08:27:44 el03 openvpn[20853]: server_bridge_pool_start = 0.0.0.0
Jun 1 08:27:44 el03 openvpn[20853]: server_bridge_pool_end = 0.0.0.0
Jun 1 08:27:44 el03 openvpn[20853]: push_list = 'edited to remove network info'
Jun 1 08:27:44 el03 openvpn[20853]: ifconfig_pool_defined = ENABLED
Jun 1 08:27:44 el03 openvpn[20853]: ifconfig_pool_start = 10.89.1.4
Jun 1 08:27:44 el03 openvpn[20853]: ifconfig_pool_end = 10.89.1.251
Jun 1 08:27:44 el03 openvpn[20853]: ifconfig_pool_netmask = 0.0.0.0
Jun 1 08:27:44 el03 openvpn[20853]: ifconfig_pool_persist_filename = 'ipp.txt'
Jun 1 08:27:44 el03 openvpn[20853]: ifconfig_pool_persist_refresh_freq = 600
Jun 1 08:27:44 el03 openvpn[20853]: ifconfig_pool_linear = DISABLED
Jun 1 08:27:44 el03 openvpn[20853]: n_bcast_buf = 256
Jun 1 08:27:44 el03 openvpn[20853]: tcp_queue_limit = 64
Jun 1 08:27:44 el03 openvpn[20853]: real_hash_size = 256
Jun 1 08:27:44 el03 openvpn[20853]: virtual_hash_size = 256
Jun 1 08:27:44 el03 openvpn[20853]: client_connect_script = '[UNDEF]'
Jun 1 08:27:44 el03 openvpn[20853]: learn_address_script = '[UNDEF]'
Jun 1 08:27:44 el03 openvpn[20853]: client_disconnect_script = '[UNDEF]'
Jun 1 08:27:44 el03 openvpn[20853]: client_config_dir = '[UNDEF]'
Jun 1 08:27:44 el03 openvpn[20853]: ccd_exclusive = DISABLED
Jun 1 08:27:44 el03 openvpn[20853]: tmp_dir = '[UNDEF]'
Jun 1 08:27:44 el03 openvpn[20853]: push_ifconfig_defined = DISABLED
Jun 1 08:27:44 el03 openvpn[20853]: push_ifconfig_local = 0.0.0.0
Jun 1 08:27:44 el03 openvpn[20853]: push_ifconfig_remote_netmask = 0.0.0.0
Jun 1 08:27:44 el03 openvpn[20853]: enable_c2c = DISABLED
Jun 1 08:27:44 el03 openvpn[20853]: duplicate_cn = DISABLED
Jun 1 08:27:44 el03 openvpn[20853]: cf_max = 0
Jun 1 08:27:44 el03 openvpn[20853]: cf_per = 0
Jun 1 08:27:44 el03 openvpn[20853]: max_clients = 50
Jun 1 08:27:44 el03 openvpn[20853]: max_routes_per_client = 256
Jun 1 08:27:44 el03 openvpn[20853]: client_cert_not_required = ENABLED
Jun 1 08:27:44 el03 openvpn[20853]: username_as_common_name = ENABLED
Jun 1 08:27:44 el03 openvpn[20853]: auth_user_pass_verify_script = '[UNDEF]'
Jun 1 08:27:44 el03 openvpn[20853]: auth_user_pass_verify_script_via_file = DISABLED
Jun 1 08:27:44 el03 openvpn[20853]: client = DISABLED
Jun 1 08:27:44 el03 openvpn[20853]: pull = DISABLED
Jun 1 08:27:44 el03 openvpn[20853]: auth_user_pass_file = '[UNDEF]'
Jun 1 08:27:44 el03 openvpn[20853]: OpenVPN 2.0.7 i386-redhat-linux-gnu [SSL] [LZO] [EPOLL] built on Apr 29 2006
Jun 1 08:27:44 el03 openvpn[20853]: PLUGIN_INIT: PRE
Jun 1 08:27:44 el03 openvpn[20853]: ARGV[0] = '/usr/share/openvpn/plugin/lib/openvpn-auth-pam.so'
Jun 1 08:27:44 el03 openvpn[20853]: ARGV[1] = 'login'
Jun 1 08:27:44 el03 openvpn[20853]: ENVP[0] = 'config=eleceng.conf'
Jun 1 08:27:44 el03 openvpn[20853]: ENVP[1] = 'proto=udp'
Jun 1 08:27:44 el03 openvpn[20853]: ENVP[2] = 'local_port=1194'
Jun 1 08:27:44 el03 openvpn[20853]: ENVP[3] = 'verb=7'
Jun 1 08:27:44 el03 openvpn[20853]: ENVP[4] = 'daemon=1'
Jun 1 08:27:44 el03 openvpn[20853]: ENVP[5] = 'daemon_log_redirect=0'
Jun 1 08:27:44 el03 openvpn[20853]: PLUGIN_INIT: POST /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so 'login' intercepted=PLUGIN_AUTH_USER_PASS_VERIFY
Jun 1 08:27:44 el03 openvpn[20853]: PLUGIN_INIT: plugin initialization function failed: /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so
Jun 1 08:27:44 el03 openvpn[20853]: Exiting
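
Added example, not part of the original messages or of OpenVPN: a small Python triage of a verbosity-7 log in the format above, pulling out the plugin lines and the settings that decide how clients authenticate. The sample log lines are constructed from that format, and the function and finding names are assumptions made for this illustration.

```python
import re

# Constructed sample: a few lines in the same syslog format as the attached log.
SAMPLE_LOG = """\
Jun 1 08:27:44 el03 openvpn[20853]: verbosity = 7
Jun 1 08:27:44 el03 openvpn[20853]: plugin[0] /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so 'login'
Jun 1 08:27:44 el03 openvpn[20853]: client_cert_not_required = ENABLED
Jun 1 08:27:44 el03 openvpn[20853]: username_as_common_name = ENABLED
Jun 1 08:27:44 el03 openvpn[20853]: PLUGIN_INIT: PRE
Jun 1 08:27:44 el03 openvpn[20853]: PLUGIN_INIT: plugin initialization function failed: /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so
Jun 1 08:27:44 el03 openvpn[20853]: Exiting
"""

LINE = re.compile(r"^\w{3}\s+\d+ [\d:]{8} \S+ openvpn\[\d+\]: (.*)$")
SETTING = re.compile(r"^(\w+) = (.*)$")
PLUGIN = re.compile(r"^plugin\[(\d+)\] (\S+)(?: '([^']*)')?$")


def triage(log_text):
    """Return (settings, configured plugins, plugin events, findings)."""
    settings, plugins, events, findings = {}, [], [], []
    for raw in log_text.splitlines():
        line = LINE.match(raw.strip())
        if not line:
            continue  # not an openvpn syslog line
        msg = line.group(1).strip()
        plugin, setting = PLUGIN.match(msg), SETTING.match(msg)
        if plugin:
            plugins.append({"path": plugin.group(2), "pam_service": plugin.group(3)})
        elif msg.startswith("PLUGIN_"):
            events.append(msg)
        elif setting:
            settings[setting.group(1)] = setting.group(2).strip("'")
    if any("initialization function failed" in e for e in events):
        findings.append("plugin-init-failed")
    if settings.get("client_cert_not_required") == "ENABLED":
        # No client certificates: the username/password check is the only client authentication.
        findings.append("password-only-client-auth")
    if any(p["pam_service"] == "login" for p in plugins):
        # Plugin is pointed at the 'login' PAM service, not a separate openvpn entry in /etc/pam.d.
        findings.append("shared-login-pam-service")
    return settings, plugins, events, findings
```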