Opened 4 years ago

Closed 3 years ago

#1135 closed Bug / Defect (wontfix)

AS 2.5.2 PAM confusion on ovpn-init and Access Server

Reported by: gwideman
Owned by: jamesyonan
Priority: minor
Milestone: (none)
Component: Access Server
Version: (none)
Severity: Not set (select this one, unless you're an OpenVPN developer)
Keywords: PAM


Program ovpn-init offers the option of "Use local authentication via internal DB".

There's no mention that after selecting this option, the original admin user (openvpn) continues to use PAM.

This is already a conceptual puzzle when the instructions at the end of ovpn-init say to use the OS's passwd function to set user openvpn's password -- when we were expecting not to use PAM.

Further, in the Access Server UI > User Permissions page, user openvpn offers a password change box, which, it seems, has no effect -- user openvpn is still governed by PAM auth.

In the early going of understanding how to use the product (and in combination with the suspicion that the trial license only permits two users, so openvpn has to be one of them), this causes confusion. We may try to change openvpn's password, leading to a non-working situation if we try to use the new password. Or we may realize that the password is still stuck on the old one, and conclude that authentication for users must still be set to PAM somehow.

In each place where the admin user openvpn will be treated specially (uniquely using PAM), that fact should be made evident.

Change History (3)

comment:1 Changed 4 years ago by novaflash

Thank you for your feedback. But you should be posting this to our support ticket system designed for the OpenVPN Access Server product. Not here on the community ticket tracker.

For OpenVPN Access Server support go to our website and go to support > create support ticket.

Regarding your case, I can answer easily enough here.

The openvpn account is a super user account. It can log in even if the authentication backend chosen fails for whatever reason. It's tied to the operating system, so PAM. You should create your own admin user and disable this super user. This is in our security recommendations guide:

Without a license key, the Access Server allows 2 connections. Not 2 users. 2 connections. You can have an unlimited number of users. But only 2 connections.

comment:2 Changed 4 years ago by gwideman

Thanks for your answer novaflash. I don't actually need support on this at this point, since I learned the distinction of the first user by trial and error.
Just providing feedback on the UI and/or docs. I was unaware that this tracker was not for Access Server, since it has a category for Access Server.

comment:3 Changed 3 years ago by novaflash

Resolution: wontfix
Status: new → closed

Just reviewing and closing old tickets that were left open in the community site, although these were already copied into our internal tracking system and handled there.

While your viewpoint is clear, we are considering revamping the initialization path of Access Server entirely, in which case this discussion becomes moot. I will mark it as wontfix for that reason. In our internal issue tracking system, an improvement is planned, and will become available in some future release of Access Server.
