Opened 2 years ago

Closed 2 years ago

#1275 closed Bug / Defect (fixed)

static-challenge not working with latest CentOS 7 - openvpn 2.4.8 RPM builds

Reported by: RemoteOne Owned by:
Priority: major Milestone:
Component: plug-ins / plug-in API Version: OpenVPN 2.4.7 (Community Ed)
Severity: Not set (select this one, unless your'e a OpenVPN developer) Keywords: pam plugin


Please see this thread

My Environment - CentOS 7 - latest updates.

My configuration which used Active Directory authentication via LDAP and the Google Authenticator App

plugin /usr/lib64/openvpn/plugins/ "openvpn login USERNAME password PASSWORD pin OTP"

static-challenge "GA OpenVPN code:" 1

account sufficient
account required

auth requisite /lib64/security/ authtok_prompt=pin secret=/etc/openvpn/google-authenticator/${USER} user=gauth
auth sufficient
auth required

When starting OpenVPN GUI, it correctly prompts for the Authenticator Code but it never completes validation when passed to the server.

Following the instructions from another user in the thread, I downloaded the master source and built it.

While the other user had replaced both the openvpn binary and the /usr/lib64/openvpn/plugins/ and gotten the configuration to work for them, I tried a more granular approach and found that the packaged 2.4.8 binary works if just the plugin is replaced with the one from the master branch.

It seems like there is a required fix in the PAM code in the master branch that never got tagged for release. It would be good to get a working plugin in the package for the next release

By the way, there is no 2.4.8 in the Version dropdown, so I selected 2.4.7

Change History (6)

comment:1 Changed 2 years ago by Selva Nair

This is not a bug. The feature to parse static challenge response in auth-pam plugin was never merged into 2.4. It remains a 2.5 feature as of now.

Aside: Although this is a new feature, it only touches one plugin source file and will still nicely cherry-pick into 2.4, so we could merge it. (commits 7369d01bf360bcfa02f26c05b86dde5496d120f6 and 7a8109023f4c345fe12f23421c5fa7e88e1ea85b)

All the support functions needed to implement the feature is there, the plugin API version is also the same in 2.4 and 2.5, so building the plugin from the master (2.5_git) sources and using it in 2.4 should work as you have found out.

Last edited 2 years ago by Selva Nair (previous) (diff)

comment:2 Changed 2 years ago by RemoteOne

Is there a process for requesting it to be merged? Aside from opening this ticket, is there anything further I need to do?

For what you imply is a trivial task to merge the 2 commits, it allows for an extra layer of security to be configured. This is particularly desirable with so many more people working from home right now, and with so many more attacks looking for poorly secured remote access.


comment:3 Changed 2 years ago by Gert Döring

It has now been merged to the release/2.4 branch and will be part of 2.4.10 release (and might never show up on your CentOS version, since they only backport bugfixes, not "new features").

OTOH, on a server, I'd run "master" anyway as it has all the good stuff :-)

commit cab48ad43eaba51c54fa23e55b0b2eb436dd921f (HEAD -> release/2.4)
Author: Selva Nair <selva.nair@…>
Date: Tue Aug 7 22:44:31 2018 -0400

Accept empty password and/or response in auth-pam plugin

commit b89e48b015e581a4a0f5c306e2ab20da34c862ea
Author: Selva Nair <selva.nair@…>
Date: Tue Jul 24 22:34:53 2018 -0400

Parse static challenge response in auth-pam plugin

comment:4 Changed 2 years ago by RemoteOne

You could always "accidentally" leave it marked as a Bug Fix :-)

Thanks for promoting guys. As openvpn lives in the EPEL repository there is a good chance it will get updated at some point. And, I really want it for building out a CentOS 8 replacement for an older server.

comment:5 Changed 2 years ago by RemoteOne

Also, thanks a million for a fantastic project

comment:6 Changed 2 years ago by Gert Döring

Resolution: fixed
Status: newclosed

Seems there is nothing more to do - feature has been backported :-)

Note: See TracTickets for help on using tickets.