Opened 4 years ago
Closed 4 years ago
#1275 closed Bug / Defect (fixed)
static-challenge not working with latest CentOS 7 - openvpn 2.4.8 RPM builds
| Reported by: | RemoteOne | Owned by: | |
|---|---|---|---|
| Priority: | major | Milestone: | |
| Component: | plug-ins / plug-in API | Version: | OpenVPN 2.4.7 (Community Ed) |
| Severity: | Not set (select this one, unless you're an OpenVPN developer) | Keywords: | pam plugin |
| Cc: | | | |
Description
Please see this thread https://forums.openvpn.net/viewtopic.php?f=4&t=29278&p=91108#p91108
My Environment - CentOS 7 - latest updates.
My configuration, which used Active Directory authentication via LDAP and the Google Authenticator app:

server:
```
plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so "openvpn login USERNAME password PASSWORD pin OTP"
```

client:
```
static-challenge "GA OpenVPN code:" 1
```

/etc/pam.d/openvpn:
```
account   sufficient  pam_ldap.so
account   required    pam_deny.so
auth      requisite   /lib64/security/pam_google_authenticator.so authtok_prompt=pin secret=/etc/openvpn/google-authenticator/${USER} user=gauth
auth      sufficient  pam_ldap.so
auth      required    pam_deny.so
```
When starting OpenVPN GUI, it correctly prompts for the Authenticator Code but it never completes validation when passed to the server.
Following the instructions from another user in the thread, I downloaded the master source and built it.
While the other user had replaced both the openvpn binary and the /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so and gotten the configuration to work for them, I tried a more granular approach and found that the packaged 2.4.8 binary works if just the openvpn-plugin-auth-pam.so plugin is replaced with the one from the master branch.
It seems like there is a required fix in the PAM code in the master branch that never got tagged for release. It would be good to get a working plugin in the package for the next release.
By the way, there is no 2.4.8 in the Version dropdown, so I selected 2.4.7
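The failure described above, as an added illustration (not the plugin's own code): with `--static-challenge` the client packs the password and the one-time code into a single `SCRV1:<base64 password>:<base64 response>` password field, which the auth-pam plugin has to unpack before it can answer the `pin` prompt that `authtok_prompt=pin` produces. The `parse_challenge=False` branch is an assumption about how the 2.4.8 plugin behaved; the sample credential is constructed.

```python
import base64
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

SC_PREFIX = "SCRV1:"  # marker the client prepends when --static-challenge is configured


@dataclass
class Credentials:
    password: str
    response: Optional[str]  # None when the client sent no static-challenge response


def encode_static_challenge(password: str, response: str) -> str:
    """Client side: pack password and challenge response into one password field."""
    b64 = lambda s: base64.b64encode(s.encode()).decode()
    return f"{SC_PREFIX}{b64(password)}:{b64(response)}"


def parse_static_challenge(raw: str) -> Credentials:
    """Server side: split SCRV1:<b64 password>:<b64 response>; plain passwords pass through."""
    if not raw.startswith(SC_PREFIX):
        return Credentials(raw, None)
    fields = raw[len(SC_PREFIX):].split(":")
    if len(fields) != 2:
        raise ValueError("malformed SCRV1 credential")
    # Either field may be empty (the "accept empty password and/or response" commit).
    decode = lambda f: base64.b64decode(f, validate=True).decode() if f else ""
    return Credentials(decode(fields[0]), decode(fields[1]))


def pam_conversation_answers(plugin_args: str, username: str, raw_password: str,
                             parse_challenge: bool = True) -> Tuple[str, Dict[str, str]]:
    """Map the plugin argument string (PAM service name, then prompt/value pairs) to the
    answer handed to PAM for each matching prompt.  parse_challenge=False models the
    2.4.8 plugin (assumption: it substituted only USERNAME/PASSWORD, other words literally)."""
    service, *pairs = plugin_args.split()
    if len(pairs) % 2:
        raise ValueError("plugin arguments must be prompt/value pairs")
    subst = {"USERNAME": username, "PASSWORD": raw_password}
    if parse_challenge:
        creds = parse_static_challenge(raw_password)
        subst["PASSWORD"] = creds.password
        subst["OTP"] = creds.response or ""
    answers = {pairs[i]: subst.get(pairs[i + 1], pairs[i + 1]) for i in range(0, len(pairs), 2)}
    return service, answers


if __name__ == "__main__":
    args = "openvpn login USERNAME password PASSWORD pin OTP"  # the ticket's plugin line
    raw = encode_static_challenge("s3cret", "123456")          # constructed sample credential
    print("2.4.8 plugin :", pam_conversation_answers(args, "alice", raw, parse_challenge=False))
    print("fixed plugin :", pam_conversation_answers(args, "alice", raw))
```

Without the parsing step the whole `SCRV1:...` string reaches `pam_ldap` as the password and the `pin` prompt never receives the code, which is why validation never completes.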
Change History (6)
comment:2 Changed 4 years ago by
Is there a process for requesting it to be merged? Aside from opening this ticket, is there anything further I need to do?
For what you imply is a trivial task to merge the 2 commits, it allows for an extra layer of security to be configured. This is particularly desirable with so many more people working from home right now, and with so many more attacks looking for poorly secured remote access.
Thanks
comment:3 Changed 4 years ago by
It has now been merged to the release/2.4 branch and will be part of 2.4.10 release (and might never show up on your CentOS version, since they only backport bugfixes, not "new features").
OTOH, on a server, I'd run "master" anyway as it has all the good stuff :-)
```
commit cab48ad43eaba51c54fa23e55b0b2eb436dd921f (HEAD -> release/2.4)
Author: Selva Nair <selva.nair@…>
Date:   Tue Aug 7 22:44:31 2018 -0400

    Accept empty password and/or response in auth-pam plugin

commit b89e48b015e581a4a0f5c306e2ab20da34c862ea
Author: Selva Nair <selva.nair@…>
Date:   Tue Jul 24 22:34:53 2018 -0400

    Parse static challenge response in auth-pam plugin
```
comment:4 Changed 4 years ago by
You could always "accidentally" leave it marked as a Bug Fix :-)
Thanks for promoting, guys. As openvpn lives in the EPEL repository there is a good chance it will get updated at some point. And I really want it for building out a CentOS 8 replacement for an older server.
comment:6 Changed 4 years ago by
| Resolution: | → fixed |
|---|---|
| Status: | new → closed |
Seems there is nothing more to do - feature has been backported :-)
This is not a bug. The feature to parse static challenge response in auth-pam plugin was never merged into 2.4. It remains a 2.5 feature as of now.
Aside: Although this is a new feature, it only touches one plugin source file and will still nicely cherry-pick into 2.4, so we could merge it. (commits 7369d01bf360bcfa02f26c05b86dde5496d120f6 and 7a8109023f4c345fe12f23421c5fa7e88e1ea85b)
All the support functions needed to implement the feature are there, and the plugin API version is also the same in 2.4 and 2.5, so building the plugin from the master (2.5_git) sources and using it in 2.4 should work, as you have found out.