Opened 4 years ago

Closed 4 years ago

#1275 closed Bug / Defect (fixed)

static-challenge not working with latest CentOS 7 - openvpn 2.4.8 RPM builds

Reported by: RemoteOne Owned by:
Priority: major Milestone:
Component: plug-ins / plug-in API Version: OpenVPN 2.4.7 (Community Ed)
Severity: Not set (select this one, unless you're an OpenVPN developer) Keywords: pam plugin
Cc:

Description

Please see this thread https://forums.openvpn.net/viewtopic.php?f=4&t=29278&p=91108#p91108

My Environment - CentOS 7 - latest updates.

My configuration, which uses Active Directory authentication via LDAP and the Google Authenticator app:

server (first plugin argument is the PAM service name "openvpn"; the rest are
prompt/value pairs: a PAM prompt containing "login" is answered with USERNAME,
"password" with PASSWORD and "pin" with OTP, the static-challenge response)
    plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so "openvpn login USERNAME password PASSWORD pin OTP"

client (prompt text shown to the user, then 1 = echo the typed code)
    static-challenge "GA OpenVPN code:" 1

/etc/pam.d/openvpn
    # account: an LDAP account is sufficient, anything else is denied
    account sufficient pam_ldap.so
    account required   pam_deny.so

    # auth: the TOTP code is checked first (authtok_prompt=pin is what the
    # plugin's "pin OTP" pair matches), then the LDAP password
    auth requisite /lib64/security/pam_google_authenticator.so authtok_prompt=pin secret=/etc/openvpn/google-authenticator/${USER} user=gauth
    auth sufficient pam_ldap.so
    auth required   pam_deny.so

When starting OpenVPN GUI, it correctly prompts for the Authenticator Code but it never completes validation when passed to the server.

Following the instructions from another user in the thread, I downloaded the master source and built it.

While the other user had replaced both the openvpn binary and the /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so and gotten the configuration to work for them, I tried a more granular approach and found that the packaged 2.4.8 binary works if just the openvpn-plugin-auth-pam.so plugin is replaced with the one from the master branch.

It seems like there is a required fix in the PAM code in the master branch that never got tagged for release. It would be good to get a working plugin in the package for the next release.

By the way, there is no 2.4.8 in the Version dropdown, so I selected 2.4.7

Change History (6)

comment:1 Changed 4 years ago by Selva Nair

This is not a bug. The feature to parse the static challenge response in the auth-pam plugin was never merged into 2.4. It remains a 2.5 feature as of now.

Aside: Although this is a new feature, it only touches one plugin source file and will still nicely cherry-pick into 2.4, so we could merge it. (commits 7369d01bf360bcfa02f26c05b86dde5496d120f6 and 7a8109023f4c345fe12f23421c5fa7e88e1ea85b)

All the support functions needed to implement the feature are there, and the plugin API version is also the same in 2.4 and 2.5, so building the plugin from the master (2.5_git) sources and using it in 2.4 should work, as you have found out.

Last edited 4 years ago by Selva Nair
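The configuration in the description and comment 1 both hinge on one detail of how --static-challenge works on the wire: the client does not send the password by itself but the token SCRV1:<base64(password)>:<base64(response)> (OpenVPN's documented format), and a plugin that does not split that token hands the whole string to PAM as the password, so pam_google_authenticator never gets a separate "pin". The following is an added example, not OpenVPN project code or the plugin's own source, showing the split a server-side plugin has to do before it can answer the "password" and "pin" prompts; it also accepts an empty password or empty response, which the second backported commit is about. The token, password and OTP values are constructed for the demo.

```c
/* Added example (not OpenVPN project code): unpack a --static-challenge
 * password of the form  SCRV1:<base64(password)>:<base64(response)>
 * into the two values the auth-pam plugin maps to "password" and "pin".
 * Build: cc -o scrv1 scrv1.c && ./scrv1 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct scrv1 {
    char *password;   /* decoded password, may be empty */
    char *response;   /* decoded challenge response (e.g. TOTP code), may be empty */
};

static int b64val(char c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

/* Decode len bytes of standard base64 into a new NUL-terminated string.
 * Returns NULL if any character is outside the alphabet (malformed token). */
static char *b64_decode(const char *in, size_t len)
{
    char *out = malloc((len / 4 + 1) * 3 + 1);   /* upper bound on output + NUL */
    size_t o = 0;
    unsigned int acc = 0;
    int bits = 0;

    if (!out) return NULL;
    for (size_t i = 0; i < len && in[i] != '='; i++) {
        int v = b64val(in[i]);
        if (v < 0) { free(out); return NULL; }
        acc = (acc << 6) | (unsigned int)v;
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            out[o++] = (char)((acc >> bits) & 0xff);
        }
    }
    out[o] = '\0';
    return out;
}

/* Split an SCRV1 token. Returns 1 and fills *out on success; returns 0 when
 * the string is not SCRV1 at all (the caller then treats it as a plain
 * password) or when a field is not valid base64. Empty fields are allowed,
 * so "SCRV1::MTIzNDU2" (no password, OTP only) is still well-formed. */
static int parse_scrv1(const char *auth, struct scrv1 *out)
{
    static const char prefix[] = "SCRV1:";
    const char *p, *sep;

    out->password = out->response = NULL;
    if (strncmp(auth, prefix, sizeof(prefix) - 1) != 0) return 0;
    p = auth + sizeof(prefix) - 1;
    sep = strchr(p, ':');
    if (!sep || strchr(sep + 1, ':')) return 0;   /* exactly two fields */

    out->password = b64_decode(p, (size_t)(sep - p));
    out->response = b64_decode(sep + 1, strlen(sep + 1));
    if (!out->password || !out->response) {
        free(out->password); free(out->response);
        out->password = out->response = NULL;
        return 0;
    }
    return 1;
}

static void free_scrv1(struct scrv1 *s)
{
    free(s->password); free(s->response);
    s->password = s->response = NULL;
}

/* Parse and compare both fields; 1 on match, 0 on parse failure or mismatch. */
static int check_scrv1(const char *auth, const char *want_pw, const char *want_otp)
{
    struct scrv1 s;
    int ok = parse_scrv1(auth, &s)
          && strcmp(s.password, want_pw) == 0
          && strcmp(s.response, want_otp) == 0;
    free_scrv1(&s);
    return ok;
}

int main(void)
{
    /* Constructed token: password "s3cret", authenticator code "123456". */
    const char *auth = "SCRV1:czNjcmV0:MTIzNDU2";
    struct scrv1 s;

    if (parse_scrv1(auth, &s)) {
        printf("PASSWORD=%s  OTP=%s\n", s.password, s.response);
        free_scrv1(&s);
    }
    /* A client without --static-challenge sends the bare password: no split. */
    printf("bare password is SCRV1: %d\n", parse_scrv1("s3cret", &s));
    return 0;
}
```

A plugin built from 2.4.8 sources behaves like the "bare password" branch for every login: the full SCRV1 string goes to PAM, pam_ldap rejects it, and the user sees the never-completing validation from the description. The "pin" prompt configured with authtok_prompt=pin only receives the decoded response once the split above is in place.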

comment:2 Changed 4 years ago by RemoteOne

Is there a process for requesting it to be merged? Aside from opening this ticket, is there anything further I need to do?

For what you imply is a trivial task, merging the 2 commits allows an extra layer of security to be configured. This is particularly desirable with so many more people working from home right now, and with so many more attacks looking for poorly secured remote access.

Thanks

comment:3 Changed 4 years ago by Gert Döring

It has now been merged to the release/2.4 branch and will be part of 2.4.10 release (and might never show up on your CentOS version, since they only backport bugfixes, not "new features").

OTOH, on a server, I'd run "master" anyway as it has all the good stuff :-)

commit cab48ad43eaba51c54fa23e55b0b2eb436dd921f (HEAD -> release/2.4)
Author: Selva Nair <selva.nair@…>
Date: Tue Aug 7 22:44:31 2018 -0400

Accept empty password and/or response in auth-pam plugin

commit b89e48b015e581a4a0f5c306e2ab20da34c862ea
Author: Selva Nair <selva.nair@…>
Date: Tue Jul 24 22:34:53 2018 -0400

Parse static challenge response in auth-pam plugin

comment:4 Changed 4 years ago by RemoteOne

You could always "accidentally" leave it marked as a Bug Fix :-)

Thanks for promoting guys. As openvpn lives in the EPEL repository there is a good chance it will get updated at some point. And, I really want it for building out a CentOS 8 replacement for an older server.

comment:5 Changed 4 years ago by RemoteOne

Also, thanks a million for a fantastic project

comment:6 Changed 4 years ago by Gert Döring

Resolution: fixed
Status: new → closed

Seems there is nothing more to do - feature has been backported :-)
