Opened 3 months ago

Last modified 3 months ago

#1275 new Bug / Defect

static-challenge not working with latest CentOS 7 - openvpn 2.4.8 RPM builds

Reported by: RemoteOne Owned by:
Priority: major Milestone:
Component: plug-ins / plug-in API Version: OpenVPN 2.4.7 (Community Ed)
Severity: Not set (select this one, unless your'e a OpenVPN developer) Keywords: pam plugin
Cc:

Description

Please see this thread https://forums.openvpn.net/viewtopic.php?f=4&t=29278&p=91108#p91108

My Environment - CentOS 7 - latest updates.

My configuration which used Active Directory authentication via LDAP and the Google Authenticator App

server
plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so "openvpn login USERNAME password PASSWORD pin OTP"

client
static-challenge "GA OpenVPN code:" 1

/etc/pam.d/openvpn
account sufficient pam_ldap.so
account required pam_deny.so

auth requisite /lib64/security/pam_google_authenticator.so authtok_prompt=pin secret=/etc/openvpn/google-authenticator/${USER} user=gauth
auth sufficient pam_ldap.so
auth required pam_deny.so

When starting OpenVPN GUI, it correctly prompts for the Authenticator Code but it never completes validation when passed to the server.

Following the instructions from another user in the thread, I downloaded the master source and built it.

While the other user had replaced both the openvpn binary and the /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so and gotten the configuration to work for them, I tried a more granular approach and found that the packaged 2.4.8 binary works if just the openvpn-plugin-auth-pam.so plugin is replaced with the one from the master branch.

It seems like there is a required fix in the PAM code in the master branch that never got tagged for release. It would be good to get a working plugin in the package for the next release

By the way, there is no 2.4.8 in the Version dropdown, so I selected 2.4.7

Change History (5)

comment:1 Changed 3 months ago by selvanair

This is not a bug. The feature to parse static challenge response in auth-pam plugin was never merged into 2.4. It remains a 2.5 feature as of now.

Aside: Although this is a new feature, it only touches the plugin file and will still nicely cherry-pick into 2.4, so we could merge it.

All the support functions needed to implement the feature is there, the plugin API version is also the same in 2.4 and 2.5, so building the plugin from the master (2.5_git) sources and using it in 2.4 should work as you have found out.

Version 0, edited 3 months ago by selvanair (next)

comment:2 Changed 3 months ago by RemoteOne

Is there a process for requesting it to be merged? Aside from opening this ticket, is there anything further I need to do?

For what you imply is a trivial task to merge the 2 commits, it allows for an extra layer of security to be configured. This is particularly desirable with so many more people working from home right now, and with so many more attacks looking for poorly secured remote access.

Thanks

comment:3 Changed 3 months ago by Gert Döring

It has now been merged to the release/2.4 branch and will be part of 2.4.10 release (and might never show up on your CentOS version, since they only backport bugfixes, not "new features").

OTOH, on a server, I'd run "master" anyway as it has all the good stuff :-)

commit cab48ad43eaba51c54fa23e55b0b2eb436dd921f (HEAD -> release/2.4)
Author: Selva Nair <selva.nair@…>
Date: Tue Aug 7 22:44:31 2018 -0400

Accept empty password and/or response in auth-pam plugin

commit b89e48b015e581a4a0f5c306e2ab20da34c862ea
Author: Selva Nair <selva.nair@…>
Date: Tue Jul 24 22:34:53 2018 -0400

Parse static challenge response in auth-pam plugin

comment:4 Changed 3 months ago by RemoteOne

You could always "accidentally" leave it marked as a Bug Fix :-)

Thanks for promoting guys. As openvpn lives in the EPEL repository there is a good chance it will get updated at some point. And, I really want it for building out a CentOS 8 replacement for an older server.

comment:5 Changed 3 months ago by RemoteOne

Also, thanks a million for a fantastic project

Note: See TracTickets for help on using tickets.