Hello all,
I posted this problem a few months ago and wasn't
able to fix it from the replies I received, so I thought I would give it
another shot. I have openvpn set up on a debian server (4.0) as a bridged
configuration. XP Client connects fine, and auths against PAM. The only problem
is that when a user enters their password wrong, the openvpn process on the
server dies, so they have no second chance at entering their password correctly,
until I start the openvpn process again. It seems that it should be able to
handle a failed auth and allow the user to try again, rather than just dying. I
have included the server configuration, client configuration, /etc/pam.d/openvpn
configuration, as well as logs from both the client and the server.
Server Start Line: /usr/sbin/openvpn --log-append /var/log/vpn/openvpna.log --cd /etc/openvpn/ --daemon --config vpnfinal.conf
Server Configuration:

# Config File for OpenVPN Tunnel a/1
# Device
dev tap0
# TLS/Key Options
tls-server
dh dh1024.pem
ca ca.crt
cert server.crt
key server.key
# Port
port 1194
# User/Group to Run As
user nobody
group nobody
# Compression
comp-lzo
# Plugin for Auth
plugin /usr/lib/openvpn/openvpn-auth-pam.so openvpn
reneg-sec 0
# Ping Stuff
ping 15
ping-restart 45
ping-timer-rem
persist-tun
persist-key
# Verbosity level.
# 0 -- quiet except for fatal errors.
# 1 -- mostly quiet, but display non-fatal network errors.
# 3 -- medium output, good for normal operation.
# 9 -- verbose, good for troubleshooting
verb 3

End Server config
PAM.D Config /etc/pam.d/openvpn

auth     required pam_unix.so
account  required pam_unix.so
password required pam_unix.so

End PAM.D Config
Start client config

remote 207.xxx.xxx.xxx
port 1194
dev tap
tls-client
ifconfig 10.25.80.89 255.255.255.0
ifconfig-nowarn
ca aca.crt
cert home.crt
key home.key
ping 15
ping-restart 45
ping-timer-rem
persist-tun
persist-key
comp-lzo
verb 3
auth-user-pass
pull
reneg-sec 0
auth-nocache

End client config
Server Log:
I just noticed the clock on the server is 10 minutes and some change behind, so ignore that....

Wed Oct 3 12:22:51 2007 TLS: new session incoming connection from 129.xxx.xxx.xxx:1194
Wed Oct 3 12:22:52 2007 VERIFY OK: depth=1, /C=US/ST=Wa/L=SEA/O=xxxx/OU=IT/CN=Sec2/emailAddress=xxxxx
Wed Oct 3 12:22:52 2007 VERIFY OK: depth=0, /C=US/ST=Wa/O=xxxx/OU=IT/CN=client1/emailAddress=xxxxx
AUTH-PAM: BACKGROUND: user 'jdoe' failed to authenticate: Authentication failure
Wed Oct 3 12:22:54 2007 PLUGIN_CALL: POST /usr/lib/openvpn/openvpn-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
Wed Oct 3 12:22:54 2007 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/lib/openvpn/openvpn-auth-pam.so
Wed Oct 3 12:22:54 2007 TLS Auth Error: Auth Username/Password verification failed for peer
Wed Oct 3 12:22:54 2007 TLS: move_session: dest=TM_ACTIVE src="" reinit_src=1
Wed Oct 3 12:22:54 2007 TLS: tls_multi_process: untrusted session promoted to semi-trusted
Wed Oct 3 12:22:54 2007 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Wed Oct 3 12:22:55 2007 PUSH: Received control message: 'PUSH_REQUEST'
Wed Oct 3 12:22:55 2007 SENT CONTROL [client1]: 'AUTH_FAILED' (status=1)
Wed Oct 3 12:22:55 2007 Delayed exit in 5 seconds
Wed Oct 3 12:22:57 2007 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
Wed Oct 3 12:22:59 2007 TLS Error: Cannot accept new session request from 129.xxx.xxx.xxx:1194 due to session context expire or --single-session [2]
Wed Oct 3 12:23:00 2007 TCP/UDP: Closing socket
Wed Oct 3 12:23:00 2007 Closing TUN/TAP interface
Wed Oct 3 12:23:00 2007 PLUGIN_CLOSE: /usr/lib/openvpn/openvpn-auth-pam.so
Wed Oct 3 12:23:00 2007 SIGTERM[soft,delayed-exit] received, process exiting

End Server Log
Client Log:

Wed Oct 03 12:33:47 2007 OpenVPN 2.0.7 Win32-MinGW [SSL] [LZO] built on Apr 12 2007
Wed Oct 03 12:33:51 2007 WARNING: using --pull/--client and --ifconfig together is probably not what you want
Wed Oct 03 12:33:51 2007 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Wed Oct 03 12:33:51 2007 LZO compression initialized
Wed Oct 03 12:33:51 2007 Control Channel MTU parms [ L:1574 D:138 EF:38 EB:0 ET:0 EL:0 ]
Wed Oct 03 12:33:51 2007 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
Wed Oct 03 12:33:51 2007 Local Options hash (VER=V4): 'd79ca330'
Wed Oct 03 12:33:51 2007 Expected Remote Options hash (VER=V4): 'f7df56b8'
Wed Oct 03 12:33:51 2007 UDPv4 link local (bound): [undef]:1194
Wed Oct 03 12:33:51 2007 UDPv4 link remote: 207.xxx.xxx.xxx:1194
Wed Oct 03 12:33:51 2007 TLS: Initial packet from 207.xxx.xxx.xxx:1194, sid=9d22d34e 7da8c12a
Wed Oct 03 12:33:54 2007 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Wed Oct 03 12:33:54 2007 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Oct 03 12:33:54 2007 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Wed Oct 03 12:33:54 2007 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Oct 03 12:33:54 2007 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Wed Oct 03 12:33:54 2007 [Sec2] Peer Connection Initiated with 207.xxx.xxx.xxx:1194
Wed Oct 03 12:33:55 2007 SENT CONTROL [Sec2]: 'PUSH_REQUEST' (status=1)
Wed Oct 03 12:33:55 2007 AUTH: Received AUTH_FAILED control message
Wed Oct 03 12:33:55 2007 TCP/UDP: Closing socket
Wed Oct 03 12:33:55 2007 SIGTERM[soft,auth-failure] received, process exiting

End Client log.
I haven't been able to figure it out.
Any ideas?
Thanks,
Caleb
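Added example, not part of the original post and not OpenVPN's own documentation. The server log above ends with "Delayed exit in 5 seconds" and then "SIGTERM[soft,delayed-exit] received, process exiting": that is the behaviour of an OpenVPN instance that has `tls-server` but no `mode server`. Without `mode server` the daemon runs as a point-to-point tunnel for one peer, so after it sends AUTH_FAILED the whole process exits, and a single mistyped password takes the VPN down for every user until someone restarts it. `server-bridge` implies `mode server` and `tls-server`, gives each connecting client its own instance, and makes a failed login close only that instance (the same log line then reads "client-instance exiting" instead of "process exiting"). Below is the posted server config rewritten that way, with the matching client-side changes. The bridge gateway address and address pool (10.25.80.1, 10.25.80.100 to 10.25.80.120) are placeholders I chose because the post only shows the client's 10.25.80.89/24 address, not the server's LAN addressing; attaching tap0 to the LAN bridge is done outside this file, as in the original setup. `auth-retry interact` on the client assumes a client build that supports that directive (check `man openvpn` for the installed version).

```conf
##### Server side: /etc/openvpn/vpnfinal.conf (rewritten, not the poster's file) #####
# server-bridge implies "mode server" and "tls-server", so the daemon keeps
# running and only the failing client's instance is closed after AUTH_FAILED.
dev tap0
# gateway  netmask        pool-start   pool-end   <- placeholder values, not from the post
server-bridge 10.25.80.1 255.255.255.0 10.25.80.100 10.25.80.120
# TLS/Key options, unchanged from the posted config
dh dh1024.pem
ca ca.crt
cert server.crt
key server.key
port 1194
# Drop privileges after startup; persist-key/persist-tun let the daemon survive
# that and later restarts without re-reading keys as "nobody".
user nobody
group nobody
persist-key
persist-tun
comp-lzo
# Username/password check against /etc/pam.d/openvpn, as in the posted config.
plugin /usr/lib/openvpn/openvpn-auth-pam.so openvpn
reneg-sec 0
# In server mode keepalive replaces ping/ping-restart and is pushed to clients.
keepalive 15 45
# Log one line per failed login; verb 3 keeps the AUTH-PAM and AUTH_FAILED
# lines so failures per user can still be counted from openvpna.log.
verb 3

##### Client side (rewritten, not the poster's file) #####
# "client" is shorthand for "tls-client" plus "pull".
client
remote 207.xxx.xxx.xxx
port 1194
dev tap
# No "ifconfig" line: in server-bridge mode the server pushes the address,
# which is what the client's "--pull/--client and --ifconfig together" warning
# was pointing at.
ca aca.crt
cert home.crt
key home.key
persist-key
persist-tun
comp-lzo
verb 3
auth-user-pass
auth-nocache
reneg-sec 0
# Assumption: the installed client supports auth-retry. "interact" re-prompts
# for the password after AUTH_FAILED instead of exiting with
# "SIGTERM[soft,auth-failure]".
auth-retry interact
```

With this layout a wrong password produces the same AUTH-PAM "failed to authenticate" line in the server log, but the daemon stays up and the client can retry without anyone touching the server.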