Opened 9 months ago

Last modified 9 months ago

#1045 new Bug / Defect

OpenVPN update from Stretch Backports broke PAM authentication

Reported by: jimdoe
Owned by:
Priority: major
Milestone: release 2.4.4
Component: plug-ins / plug-in API
Version: OpenVPN 2.4.4 (Community Ed)
Severity: Not set (select this one, unless you're an OpenVPN developer)
Keywords: PAM, backports, google-authenticator, missing directory
Cc:

Description

I wanted to bump my version of OpenVPN 2.4 installed on Debian Stretch (2.4.0-6+deb9u2) to a more recent version, so I updated the openvpn package using the stretch backports repository, which has the 2.4.4 openvpn package.

The update seemed to go fine, with no reported errors.

However, upon testing the actual server connection after the update, I found that the update had broken the Multi Factor Authentication I had had set up using PAM to authenticate using the user password as well as an OTP code generated by Google Authenticator.

What was strange was that when I went into the log to investigate, I found that it was reporting that /usr/lib/openvpn/openvpn-plugin-auth-pam.so was missing, and so I then discovered that the entire /usr/lib/openvpn directory had disappeared since the update.

Is this expected behaviour that I'm not aware of?

I thought it would be as simple a fix as copying over the /usr/lib/openvpn directory and its contents from a .img backup I had of my Debian installation. Whilst this fixed the missing directory problem, the google-authenticator part of the module was no longer working, and authentication was failing every time.

It was not until I commented out

auth required pam_google_authenticator.so forward_pass

from /etc/pam.d/openvpn that I was able to connect using PAM, but it was now only asking for my password. Something about the update to 2.4.4 messed with both the directory that openvpn-plugin-auth-pam.so is in and the interaction between PAM and Google Authenticator.

Change History (1)

comment:1 Changed 9 months ago by selvanair

The openvpn pam plugin in stretch must be in /usr/lib/x86_64-linux-gnu/openvpn/plugins/
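
A check for the situation in this ticket, as an added example that is not part of the ticket or of OpenVPN: the function reads a server config, tests the module path of each `plugin` directive, and looks for a same-named module in the directories passed to it (defaulting to the two paths named above). The function name and its output format are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the ticket or the OpenVPN project.
# check_plugin_paths CONFIG [SEARCH_DIR...]
# Prints one line per `plugin` directive found in CONFIG:
#   OK <path>             module file exists where the config says
#   MOVED <old> -> <new>  not there, but a same-named file is in a search dir
#   MISSING <path>        not found anywhere that was searched
# Returns 0 only when every configured module exists in place.
check_plugin_paths() {
    conf=$1; shift
    status=0
    # Default search dirs: the two locations named in the ticket.
    if [ $# -eq 0 ]; then
        set -- /usr/lib/x86_64-linux-gnu/openvpn/plugins /usr/lib/openvpn
    fi
    # "|| [ -n "$key" ]" keeps a final line that lacks a trailing newline.
    while read -r key path _rest || [ -n "$key" ]; do
        # Comment lines start with '#' or ';', so key is never "plugin".
        [ "$key" = "plugin" ] || continue
        # Strip optional double quotes around the module path.
        path=${path#\"}; path=${path%\"}
        if [ -f "$path" ]; then
            echo "OK $path"
            continue
        fi
        status=1
        found=
        for dir in "$@"; do
            cand=$dir/$(basename "$path")
            if [ -f "$cand" ]; then found=$cand; break; fi
        done
        if [ -n "$found" ]; then
            echo "MOVED $path -> $found"
        else
            echo "MISSING $path"
        fi
    done < "$conf"
    return $status
}
# Example call (config path is an assumption):
#   check_plugin_paths /etc/openvpn/server.conf
```

A MOVED line means the `plugin` directive in the config should be pointed at the new path rather than the old directory being restored from a backup.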
