Re: [Openvpn-users] Re: openvpn-auth-pam.so problem


  • Subject: Re: [Openvpn-users] Re: openvpn-auth-pam.so problem
  • From: Giancarlo Razzolini <linux-fan@xxxxxxxxxxx>
  • Date: Thu, 01 Jun 2006 17:56:26 -0300

Gavin Chappell wrote:
> 
> OK, I've attached a log with verbosity set to 7 (I hope this mailing
> list can cope with attachments, if not then let me know and I'll upload
> it somewhere). While it gives me plenty of information about the OpenVPN
> process, I still only seem to get two lines regarding the PAM plugin.
Very strange. But try to do as I said: create a new service entry for
openvpn, like /etc/pam.d/openvpn, with the following lines:
#%PAM-1.0
auth required /lib/security/pam_stack.so service=system-auth
password required /lib/security/pam_stack.so service=system-auth

This should do the trick.
> 
> Thanks for the link to your plugin, this may do what I want for now,
> although ultimately it might be nice if I could authenticate either
> against our departmental eDirectory system, or the campus wide Active
> Directory (means people only have one password to remember!).
I agree. I wrote the plugin mainly for 2 reasons:
1) I don't like PAM much (it's cool, but it's a swiss cheese)
2) The OS my server runs (OpenBSD) neither has support for PAM, nor do I
want to try to use it.

I'm in the process of writing another plugin, but to authenticate against
an LDAP directory. But it's mostly a plan right now.
> 
> I assume that if I use your plugin, I can stop the users actually SSHing
> to the VPN server by just giving them a /sbin/nologin shell?
Yep. My plugin doesn't check for the shell.
> 
> Thanks,
> Gavin
> 
> 
> ------------------------------------------------------------------------
> 
> Jun  1 08:27:44 el03 openvpn[20853]: Current Parameter Settings:
> Jun  1 08:27:44 el03 openvpn[20853]:   config = 'eleceng.conf'
> Jun  1 08:27:44 el03 openvpn[20853]:   mode = 1
> Jun  1 08:27:44 el03 openvpn[20853]:   persist_config = DISABLED
> Jun  1 08:27:44 el03 openvpn[20853]:   persist_mode = 1
> Jun  1 08:27:44 el03 openvpn[20853]:   show_ciphers = DISABLED
> Jun  1 08:27:44 el03 openvpn[20853]:   show_digests = DISABLED
> Jun  1 08:27:44 el03 openvpn[20853]:   show_engines = DISABLED
> Jun  1 08:27:44 el03 openvpn[20853]:   genkey = DISABLED
> Jun  1 08:27:44 el03 openvpn[20853]:   key_pass_file = '[UNDEF]'
> Jun  1 08:27:44 el03 openvpn[20853]:   show_tls_ciphers = DISABLED
> Jun  1 08:27:44 el03 openvpn[20853]:   proto = 0
> Jun  1 08:27:44 el03 openvpn[20853]:   local = '[UNDEF]'
> Jun  1 08:27:44 el03 openvpn[20853]:   remote_list = NULL
> Jun  1 08:27:44 el03 openvpn[20853]:   remote_random = DISABLED
> Jun  1 08:27:44 el03 openvpn[20853]:   local_port = 1194
> Jun  1 08:27:44 el03 openvpn[20853]:   remote_port = 1194
> Jun  1 08:27:44 el03 openvpn[20853]:   remote_float = DISABLED
> Jun  1 08:27:44 el03 openvpn[20853]:   ipchange = '[UNDEF]'
> Jun  1 08:27:44 el03 openvpn[20853]:   bind_local = ENABLED
> Jun  1 08:27:44 el03 openvpn[20853]:   dev = 'tun'
> Jun  1 08:27:44 el03 openvpn[20853]:   dev_type = '[UNDEF]'
> Jun  1 08:27:44 el03 openvpn[20853]:   dev_node = '[UNDEF]'
> Jun  1 08:27:44 el03 openvpn[20853]:   tun_ipv6 = DISABLED
> Jun  1 08:27:44 el03 openvpn[20853]:   ifconfig_local = '10.89.1.1'
> Jun  1 08:27:44 el03 openvpn[20853]:   ifconfig_remote_netmask = '10.89.1.2'
> Jun  1 08:27:44 el03 openvpn[20853]:   ifconfig_noexec = DISABLED
> Jun  1 08:27:44 el03 openvpn[20853]:   ifconfig_nowarn = DISABLED
> Jun  1 08:27:44 el03 openvpn[20853]:   shaper = 0
> Jun  1 08:27:44 el03 openvpn[20853]:   tun_mtu = 1500
> Jun  1 08:27:44 el03 openvpn[20853]:   tun_mtu_defined = ENABLED
> Jun  1 08:27:44 el03 openvpn[20853]:   link_mtu = 1500
> Jun  1 08:27:44 el03 openvpn[20853]:   link_mtu_defined = DISABLED
> Jun  1 08:27:44 el03 openvpn[20853]:   tun_mtu_extra = 0
> Jun  1 08:27:44 el03 openvpn[20853]:   tun_mtu_extra_defined = DISABLED
> Jun  1 08:27:44 el03 openvpn[20853]:   fragment = 0
> Jun  1 08:27:44 el03 openvpn[20853]:   mtu_discover_type = -1
> Jun  1 08:27:44 el03 openvpn[20853]:   mtu_test = 0
> Jun  1 08:27:44 el03 openvpn[20853]:   mlock = DISABLED
> Jun  1 08:27:44 el03 openvpn[20853]:   keepalive_ping = 10
> Jun  1 08:27:44 el03 openvpn[20853]:   keepalive_timeout = 60
> Jun  1 08:27:44 el03 openvpn[20853]:   inactivity_timeout = 0
> Jun  1 08:27:44 el03 openvpn[20853]:   ping_send_timeout = 10
> Jun  1 08:27:44 el03 openvpn[20853]:   ping_rec_timeout = 120
> Jun  1 08:27:44 el03 openvpn[20853]:   ping_rec_timeout_action = 2
> Jun  1 08:27:44 el03 openvpn[20853]:   ping_timer_remote = DISABLED
> Jun  1 08:27:44 el03 openvpn[20853]:   remap_sigusr1 = 0
> Jun  1 08:27:44 el03 openvpn[20853]:   explicit_exit_notification = 0
> Jun  1 08:27:44 el03 openvpn[20853]:   persist_tun = ENABLED
> Jun  1 08:27:44 el03 openvpn[20853]:   persist_local_ip = DISABLED
> Jun  1 08:27:44 el03 openvpn[20853]:   persist_remote_ip = DISABLED
> Jun  1 08:27:44 el03 openvpn[20853]:   persist_key = ENABLED
> Jun  1 08:27:44 el03 openvpn[20853]:   mssfix = 1450
> Jun  1 08:27:44 el03 openvpn[20853]:   passtos = DISABLED
> Jun  1 08:27:44 el03 openvpn[20853]:   resolve_retry_seconds = 1000000000
> Jun  1 08:27:44 el03 openvpn[20853]:   connect_retry_seconds = 5
> Jun  1 08:27:44 el03 openvpn[20853]:   username = 'nobody'
> Jun  1 08:27:44 el03 openvpn[20853]:   groupname = 'nobody'
> Jun  1 08:27:44 el03 openvpn[20853]:   chroot_dir = '[UNDEF]'
> Jun  1 08:27:44 el03 openvpn[20853]:   cd_dir = '/etc/openvpn'
> Jun  1 08:27:44 el03 openvpn[20853]:   writepid = '/var/run/openvpn/eleceng.pid'
> Jun  1 08:27:44 el03 openvpn[20853]:   up_script = '[UNDEF]'
> Jun  1 08:27:44 el03 openvpn[20853]:   down_script = '[UNDEF]'
> Jun  1 08:27:44 el03 openvpn[20853]:   down_pre = DISABLED
> Jun  1 08:27:44 el03 openvpn[20853]:   up_restart = DISABLED
> Jun  1 08:27:44 el03 openvpn[20853]:   up_delay = DISABLED
> Jun  1 08:27:44 el03 openvpn[20853]:   daemon = ENABLED
> Jun  1 08:27:44 el03 openvpn[20853]:   inetd = 0
> Jun  1 08:27:44 el03 openvpn[20853]:   log = DISABLED
> Jun  1 08:27:44 el03 openvpn[20853]:   suppress_timestamps = DISABLED
> Jun  1 08:27:44 el03 openvpn[20853]:   nice = 0
> Jun  1 08:27:44 el03 openvpn[20853]:   verbosity = 7
> Jun  1 08:27:44 el03 openvpn[20853]:   mute = 0
> Jun  1 08:27:44 el03 openvpn[20853]:   gremlin = 0
> Jun  1 08:27:44 el03 openvpn[20853]:   status_file = 'openvpn-status.log'
> Jun  1 08:27:44 el03 openvpn[20853]:   status_file_version = 1
> Jun  1 08:27:44 el03 openvpn[20853]:   status_file_update_freq = 60
> Jun  1 08:27:44 el03 openvpn[20853]:   occ = ENABLED
> Jun  1 08:27:44 el03 openvpn[20853]:   rcvbuf = 65536
> Jun  1 08:27:44 el03 openvpn[20853]:   sndbuf = 65536
> Jun  1 08:27:44 el03 openvpn[20853]:   socks_proxy_server = '[UNDEF]'
> Jun  1 08:27:44 el03 openvpn[20853]:   socks_proxy_port = 0
> Jun  1 08:27:44 el03 openvpn[20853]:   socks_proxy_retry = DISABLED
> Jun  1 08:27:44 el03 openvpn[20853]:   fast_io = DISABLED
> Jun  1 08:27:44 el03 openvpn[20853]:   comp_lzo = ENABLED
> Jun  1 08:27:44 el03 openvpn[20853]:   comp_lzo_adaptive = ENABLED
> Jun  1 08:27:44 el03 openvpn[20853]:   route_script = '[UNDEF]'
> Jun  1 08:27:44 el03 openvpn[20853]:   route_default_gateway = '[UNDEF]'
> Jun  1 08:27:44 el03 openvpn[20853]:   route_noexec = DISABLED
> Jun  1 08:27:44 el03 openvpn[20853]:   route_delay = 0
> Jun  1 08:27:44 el03 openvpn[20853]:   route_delay_window = 30
> Jun  1 08:27:44 el03 openvpn[20853]:   route_delay_defined = DISABLED
> Jun  1 08:27:44 el03 openvpn[20853]:   route 10.89.1.0/255.255.255.0/nil/nil
> Jun  1 08:27:44 el03 openvpn[20853]:   management_addr = '[UNDEF]'
> Jun  1 08:27:44 el03 openvpn[20853]:   management_port = 0
> Jun  1 08:27:44 el03 openvpn[20853]:   management_user_pass = '[UNDEF]'
> Jun  1 08:27:44 el03 openvpn[20853]:   management_log_history_cache = 250
> Jun  1 08:27:44 el03 openvpn[20853]:   management_echo_buffer_size = 100
> Jun  1 08:27:44 el03 openvpn[20853]:   management_query_passwords = DISABLED
> Jun  1 08:27:44 el03 openvpn[20853]:   management_hold = DISABLED
> Jun  1 08:27:44 el03 openvpn[20853]:   plugin[0] /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so 'login'
> Jun  1 08:27:44 el03 openvpn[20853]:   shared_secret_file = '[UNDEF]'
> Jun  1 08:27:44 el03 openvpn[20853]:   key_direction = 0
> Jun  1 08:27:44 el03 openvpn[20853]:   ciphername_defined = ENABLED
> Jun  1 08:27:44 el03 openvpn[20853]:   ciphername = 'BF-CBC'
> Jun  1 08:27:44 el03 openvpn[20853]:   authname_defined = ENABLED
> Jun  1 08:27:44 el03 openvpn[20853]:   authname = 'SHA1'
> Jun  1 08:27:44 el03 openvpn[20853]:   keysize = 0
> Jun  1 08:27:44 el03 openvpn[20853]:   engine = DISABLED
> Jun  1 08:27:44 el03 openvpn[20853]:   replay = ENABLED
> Jun  1 08:27:44 el03 openvpn[20853]:   mute_replay_warnings = DISABLED
> Jun  1 08:27:44 el03 openvpn[20853]:   replay_window = 64
> Jun  1 08:27:44 el03 openvpn[20853]:   replay_time = 15
> Jun  1 08:27:44 el03 openvpn[20853]:   packet_id_file = '[UNDEF]'
> Jun  1 08:27:44 el03 openvpn[20853]:   use_iv = ENABLED
> Jun  1 08:27:44 el03 openvpn[20853]:   test_crypto = DISABLED
> Jun  1 08:27:44 el03 openvpn[20853]:   tls_server = ENABLED
> Jun  1 08:27:44 el03 openvpn[20853]:   tls_client = DISABLED
> Jun  1 08:27:44 el03 openvpn[20853]:   key_method = 2
> Jun  1 08:27:44 el03 openvpn[20853]:   ca_file = '/etc/openvpn/eleceng/keys/ca.crt'
> Jun  1 08:27:44 el03 openvpn[20853]:   dh_file = '/etc/openvpn/eleceng/keys/dh2048.pem'
> Jun  1 08:27:44 el03 openvpn[20853]:   cert_file = '/etc/openvpn/eleceng/keys/elec-vpnserver.crt'
> Jun  1 08:27:44 el03 openvpn[20853]:   priv_key_file = '/etc/openvpn/eleceng/keys/elec-vpnserver.key'
> Jun  1 08:27:44 el03 openvpn[20853]:   pkcs12_file = '[UNDEF]'
> Jun  1 08:27:44 el03 openvpn[20853]:   cipher_list = '[UNDEF]'
> Jun  1 08:27:44 el03 openvpn[20853]:   tls_verify = '[UNDEF]'
> Jun  1 08:27:44 el03 openvpn[20853]:   tls_remote = '[UNDEF]'
> Jun  1 08:27:44 el03 openvpn[20853]:   crl_file = '[UNDEF]'
> Jun  1 08:27:44 el03 openvpn[20853]:   ns_cert_type = 0
> Jun  1 08:27:44 el03 openvpn[20853]:   tls_timeout = 2
> Jun  1 08:27:44 el03 openvpn[20853]:   renegotiate_bytes = 0
> Jun  1 08:27:44 el03 openvpn[20853]:   renegotiate_packets = 0
> Jun  1 08:27:44 el03 openvpn[20853]:   renegotiate_seconds = 3600
> Jun  1 08:27:44 el03 openvpn[20853]:   handshake_window = 60
> Jun  1 08:27:44 el03 openvpn[20853]:   transition_window = 3600
> Jun  1 08:27:44 el03 openvpn[20853]:   single_session = DISABLED
> Jun  1 08:27:44 el03 openvpn[20853]:   tls_exit = DISABLED
> Jun  1 08:27:44 el03 openvpn[20853]:   tls_auth_file = '[UNDEF]'
> Jun  1 08:27:44 el03 openvpn[20853]:   server_network = 10.89.1.0
> Jun  1 08:27:44 el03 openvpn[20853]:   server_netmask = 255.255.255.0
> Jun  1 08:27:44 el03 openvpn[20853]:   server_bridge_ip = 0.0.0.0
> Jun  1 08:27:44 el03 openvpn[20853]:   server_bridge_netmask = 0.0.0.0
> Jun  1 08:27:44 el03 openvpn[20853]:   server_bridge_pool_start = 0.0.0.0
> Jun  1 08:27:44 el03 openvpn[20853]:   server_bridge_pool_end = 0.0.0.0
> Jun  1 08:27:44 el03 openvpn[20853]:   push_list = 'edited to remove network info'
> Jun  1 08:27:44 el03 openvpn[20853]:   ifconfig_pool_defined = ENABLED
> Jun  1 08:27:44 el03 openvpn[20853]:   ifconfig_pool_start = 10.89.1.4
> Jun  1 08:27:44 el03 openvpn[20853]:   ifconfig_pool_end = 10.89.1.251
> Jun  1 08:27:44 el03 openvpn[20853]:   ifconfig_pool_netmask = 0.0.0.0
> Jun  1 08:27:44 el03 openvpn[20853]:   ifconfig_pool_persist_filename = 'ipp.txt'
> Jun  1 08:27:44 el03 openvpn[20853]:   ifconfig_pool_persist_refresh_freq = 600
> Jun  1 08:27:44 el03 openvpn[20853]:   ifconfig_pool_linear = DISABLED
> Jun  1 08:27:44 el03 openvpn[20853]:   n_bcast_buf = 256
> Jun  1 08:27:44 el03 openvpn[20853]:   tcp_queue_limit = 64
> Jun  1 08:27:44 el03 openvpn[20853]:   real_hash_size = 256
> Jun  1 08:27:44 el03 openvpn[20853]:   virtual_hash_size = 256
> Jun  1 08:27:44 el03 openvpn[20853]:   client_connect_script = '[UNDEF]'
> Jun  1 08:27:44 el03 openvpn[20853]:   learn_address_script = '[UNDEF]'
> Jun  1 08:27:44 el03 openvpn[20853]:   client_disconnect_script = '[UNDEF]'
> Jun  1 08:27:44 el03 openvpn[20853]:   client_config_dir = '[UNDEF]'
> Jun  1 08:27:44 el03 openvpn[20853]:   ccd_exclusive = DISABLED
> Jun  1 08:27:44 el03 openvpn[20853]:   tmp_dir = '[UNDEF]'
> Jun  1 08:27:44 el03 openvpn[20853]:   push_ifconfig_defined = DISABLED
> Jun  1 08:27:44 el03 openvpn[20853]:   push_ifconfig_local = 0.0.0.0
> Jun  1 08:27:44 el03 openvpn[20853]:   push_ifconfig_remote_netmask = 0.0.0.0
> Jun  1 08:27:44 el03 openvpn[20853]:   enable_c2c = DISABLED
> Jun  1 08:27:44 el03 openvpn[20853]:   duplicate_cn = DISABLED
> Jun  1 08:27:44 el03 openvpn[20853]:   cf_max = 0
> Jun  1 08:27:44 el03 openvpn[20853]:   cf_per = 0
> Jun  1 08:27:44 el03 openvpn[20853]:   max_clients = 50
> Jun  1 08:27:44 el03 openvpn[20853]:   max_routes_per_client = 256
> Jun  1 08:27:44 el03 openvpn[20853]:   client_cert_not_required = ENABLED
> Jun  1 08:27:44 el03 openvpn[20853]:   username_as_common_name = ENABLED
> Jun  1 08:27:44 el03 openvpn[20853]:   auth_user_pass_verify_script = '[UNDEF]'
> Jun  1 08:27:44 el03 openvpn[20853]:   auth_user_pass_verify_script_via_file = DISABLED
> Jun  1 08:27:44 el03 openvpn[20853]:   client = DISABLED
> Jun  1 08:27:44 el03 openvpn[20853]:   pull = DISABLED
> Jun  1 08:27:44 el03 openvpn[20853]:   auth_user_pass_file = '[UNDEF]'
> Jun  1 08:27:44 el03 openvpn[20853]: OpenVPN 2.0.7 i386-redhat-linux-gnu [SSL] [LZO] [EPOLL] built on Apr 29 2006
> Jun  1 08:27:44 el03 openvpn[20853]: PLUGIN_INIT: PRE
> Jun  1 08:27:44 el03 openvpn[20853]: ARGV[0] = '/usr/share/openvpn/plugin/lib/openvpn-auth-pam.so'
> Jun  1 08:27:44 el03 openvpn[20853]: ARGV[1] = 'login'
> Jun  1 08:27:44 el03 openvpn[20853]: ENVP[0] = 'config=eleceng.conf'
> Jun  1 08:27:44 el03 openvpn[20853]: ENVP[1] = 'proto=udp'
> Jun  1 08:27:44 el03 openvpn[20853]: ENVP[2] = 'local_port=1194'
> Jun  1 08:27:44 el03 openvpn[20853]: ENVP[3] = 'verb=7'
> Jun  1 08:27:44 el03 openvpn[20853]: ENVP[4] = 'daemon=1'
> Jun  1 08:27:44 el03 openvpn[20853]: ENVP[5] = 'daemon_log_redirect=0'
> Jun  1 08:27:44 el03 openvpn[20853]: PLUGIN_INIT: POST /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so 'login' intercepted=PLUGIN_AUTH_USER_PASS_VERIFY
> Jun  1 08:27:44 el03 openvpn[20853]: PLUGIN_INIT: plugin initialization function failed: /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so
> Jun  1 08:27:44 el03 openvpn[20853]: Exiting


-- 
Giancarlo Razzolini
Linux User 172199
Moleque Sem Conteudo Numero #002
Slackware Current
OpenBSD Stable
Snike Tecnologia em Informática
4386 2A6F FFD4 4D5F 5842  6EA0 7ABE BBAB 9C0E 6B85
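An added diagnostic for the failure in the quoted log (my example, not Giancarlo's plugin or OpenVPN's own code): it pulls the PAM service name and the PLUGIN_INIT result out of the verb 7 startup lines, then checks that a service file of that name exists and that every absolute module path it names is on disk. The three log lines embedded in it are taken from the thread, the pam.d directory it writes into is a constructed temporary one, and /etc/pam.d is only assumed as the default.

```python
import re
import tempfile
from pathlib import Path

LOG_LINES = [  # the three relevant lines from the log quoted in the thread
    "Jun  1 08:27:44 el03 openvpn[20853]:   plugin[0] /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so 'login'",
    "Jun  1 08:27:44 el03 openvpn[20853]: PLUGIN_INIT: plugin initialization function failed: /usr/share/openvpn/plugin/lib/openvpn-auth-pam.so",
    "Jun  1 08:27:44 el03 openvpn[20853]: Exiting",
]
PLUGIN_RE = re.compile(r"plugin\[\d+\] \S*openvpn-auth-pam\.so '([^']+)'")
INIT_FAIL_RE = re.compile(r"plugin initialization function failed: (\S+)")

def parse_auth_pam_log(lines):
    """Return (pam_service_name, init_failed) from OpenVPN 'verb 7' startup lines."""
    service, failed = None, False
    for line in lines:
        if m := PLUGIN_RE.search(line):
            service = m.group(1)  # the plugin's one argument is the PAM service name
        if (m := INIT_FAIL_RE.search(line)) and m.group(1).endswith("openvpn-auth-pam.so"):
            failed = True  # OpenVPN then exits: a broken auth stack fails closed
    return service, failed

def check_pam_service(service, pam_dir="/etc/pam.d"):
    """List problems with the PAM service file; an empty list means it looks usable."""
    path = Path(pam_dir, service)
    if not path.is_file():
        return [f"no PAM service file {path}"]
    problems, has_auth = [], False
    for raw in path.read_text().splitlines():
        fields = raw.split("#", 1)[0].split()  # type control module [args]
        if not fields:
            continue
        has_auth = has_auth or fields[0] == "auth"
        module = next((f for f in fields[2:] if f.startswith("/")), None)
        if module and not Path(module).is_file():
            problems.append(f"{path}: module {module} not found")
    if not has_auth:
        problems.append(f"{path}: no 'auth' line, so pam_authenticate() cannot succeed")
    return problems

def demo():
    """Run both checks: the thread's log lines plus a constructed, temporary pam.d."""
    service, failed = parse_auth_pam_log(LOG_LINES)
    path = Path(tempfile.mkdtemp(), service)
    missing = check_pam_service(service, path.parent)  # no service file yet
    path.write_text("#%PAM-1.0\nauth required /no/such/dir/pam_stack.so service=system-auth\n")
    stale = check_pam_service(service, path.parent)  # module path absent on this box
    path.write_text("#%PAM-1.0\nauth required pam_unix.so\naccount required pam_unix.so\n")
    return {"service": service, "init_failed": failed, "missing": missing,
            "stale": stale, "ok": check_pam_service(service, path.parent)}
```

On current Linux-PAM distributions pam_stack.so no longer exists (the `include` control took over its role), which is exactly the case the absolute-path check reports. The final "Exiting" line in the log shows the useful property here: a plugin that fails to initialise stops the server instead of leaving it running without password checks.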
