Caleb Pal
2007-10-03 19:54:50 UTC
Hello all,
I posted this problem a few months ago and wasn't able to fix it from the replies I received, so I thought I would give it another shot. I have openvpn set up on a debian server (4.0) as a bridged configuration. XP Client connects fine, and auths against PAM. The only problem is that when a user enters their password wrong, the openvpn process on the server dies, so they have no second chance at entering their password correctly, until I start the openvpn process again. It seems that it should be able to handle a failed auth and allow the user to try again, rather than just dying. I have included the server configuration, client configuration, /etc/pam.d/openvpn configuration, as well as logs from both the client and the server.
Server Start Line: /usr/sbin/openvpn --log-append /var/log/vpn/openvpna.log --cd /etc/openvpn/ --daemon --config vpnfinal.conf
Server Configuration:
#Config File for OpenVPN Tunnel a/1
# Device
dev tap0
# TLS/Key Options
tls-server
dh dh1024.pem
ca ca.crt
cert server.crt
key server.key
# Port
port 1194
# User/Group to Run As
user nobody
group nobody
# Compression
comp-lzo
# Plugin for Auth
plugin /usr/lib/openvpn/openvpn-auth-pam.so openvpn
reneg-sec 0
# Ping Stuff
ping 15
ping-restart 45
ping-timer-rem
persist-tun
persist-key
# Verbosity level.
# 0 -- quiet except for fatal errors.
# 1 -- mostly quiet, but display non-fatal network errors.
# 3 -- medium output, good for normal operation.
# 9 -- verbose, good for troubleshooting
verb 3
End Server config
PAM.D Config /etc/pam.d/openvpn
auth required pam_unix.so
account required pam_unix.so
password required pam_unix.so
End PAM.D Config
Start client config
remote 207.xxx.xxx.xxx
port 1194
dev tap
tls-client
ifconfig 10.25.80.89 255.255.255.0
ifconfig-nowarn
ca aca.crt
cert home.crt
key home.key
ping 15
ping-restart 45
ping-timer-rem
persist-tun
persist-key
comp-lzo
verb 3
auth-user-pass
pull
reneg-sec 0
auth-nocache
End client config
Server Log:
I just noticed the clock on the server is 10 minutes and some change behind, so ignore that....
Wed Oct 3 12:22:51 2007 TLS: new session incoming connection from 129.xxx.xxx.xxx:1194
Wed Oct 3 12:22:52 2007 VERIFY OK: depth=1, /C=US/ST=Wa/L=SEA/O=xxxx/OU=IT/CN=Sec2/emailAddress=xxxxx
Wed Oct 3 12:22:52 2007 VERIFY OK: depth=0, /C=US/ST=Wa/O=xxxx/OU=IT/CN=client1/emailAddress=xxxxx
AUTH-PAM: BACKGROUND: user 'jdoe' failed to authenticate: Authentication failure
Wed Oct 3 12:22:54 2007 PLUGIN_CALL: POST /usr/lib/openvpn/openvpn-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
Wed Oct 3 12:22:54 2007 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/lib/openvpn/openvpn-auth-pam.so
Wed Oct 3 12:22:54 2007 TLS Auth Error: Auth Username/Password verification failed for peer
Wed Oct 3 12:22:54 2007 TLS: move_session: dest=TM_ACTIVE src=TM_UNTRUSTED reinit_src=1
Wed Oct 3 12:22:54 2007 TLS: tls_multi_process: untrusted session promoted to semi-trusted
Wed Oct 3 12:22:54 2007 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Wed Oct 3 12:22:55 2007 PUSH: Received control message: 'PUSH_REQUEST'
Wed Oct 3 12:22:55 2007 SENT CONTROL [client1]: 'AUTH_FAILED' (status=1)
Wed Oct 3 12:22:55 2007 Delayed exit in 5 seconds
Wed Oct 3 12:22:57 2007 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
Wed Oct 3 12:22:59 2007 TLS Error: Cannot accept new session request from 129.xxx.xxx.xxx:1194 due to session context expire or --single-session [2]
Wed Oct 3 12:23:00 2007 TCP/UDP: Closing socket
Wed Oct 3 12:23:00 2007 Closing TUN/TAP interface
Wed Oct 3 12:23:00 2007 PLUGIN_CLOSE: /usr/lib/openvpn/openvpn-auth-pam.so
Wed Oct 3 12:23:00 2007 SIGTERM[soft,delayed-exit] received, process exiting
End Server Log
Client Log:
Wed Oct 03 12:33:47 2007 OpenVPN 2.0.7 Win32-MinGW [SSL] [LZO] built on Apr 12 2007
Wed Oct 03 12:33:51 2007 WARNING: using --pull/--client and --ifconfig together is probably not what you want
Wed Oct 03 12:33:51 2007 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Wed Oct 03 12:33:51 2007 LZO compression initialized
Wed Oct 03 12:33:51 2007 Control Channel MTU parms [ L:1574 D:138 EF:38 EB:0 ET:0 EL:0 ]
Wed Oct 03 12:33:51 2007 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
Wed Oct 03 12:33:51 2007 Local Options hash (VER=V4): 'd79ca330'
Wed Oct 03 12:33:51 2007 Expected Remote Options hash (VER=V4): 'f7df56b8'
Wed Oct 03 12:33:51 2007 UDPv4 link local (bound): [undef]:1194
Wed Oct 03 12:33:51 2007 UDPv4 link remote: 207.xxx.xxx.xxx:1194
Wed Oct 03 12:33:51 2007 TLS: Initial packet from 207.xxx.xxx.xxx:1194, sid=9d22d34e 7da8c12a
Wed Oct 03 12:33:51 2007 VERIFY OK: depth=1, /C=US/ST=Wa/L=SEA/O=xxx/OU=IT/CN=Sec2/emailAddress=xxx
Wed Oct 03 12:33:51 2007 VERIFY OK: depth=0, /C=US/ST=Wa/O=xxx/OU=IT/CN=Sec2/emailAddress=xxx
Wed Oct 03 12:33:54 2007 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Wed Oct 03 12:33:54 2007 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Oct 03 12:33:54 2007 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Wed Oct 03 12:33:54 2007 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Oct 03 12:33:54 2007 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Wed Oct 03 12:33:54 2007 [Sec2] Peer Connection Initiated with 207.xxx.xxx.xxx:1194
Wed Oct 03 12:33:55 2007 SENT CONTROL [Sec2]: 'PUSH_REQUEST' (status=1)
Wed Oct 03 12:33:55 2007 AUTH: Received AUTH_FAILED control message
Wed Oct 03 12:33:55 2007 TCP/UDP: Closing socket
Wed Oct 03 12:33:55 2007 SIGTERM[soft,auth-failure] received, process exiting
End Client log.
I haven't been able to figure it out.
Any ideas?
Thanks,
Caleb
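An added example, not part of Caleb's post or the list replies: a small lint pass over the server config, client config and server log quoted above. It encodes one reading of the logs that the post itself does not state (an assumption to verify against your own setup): the server config has `tls-server` but no `server`, `server-bridge` or `mode server` directive, so OpenVPN is running in point-to-point mode, where an AUTH_FAILED is followed by "Delayed exit" and a SIGTERM for the whole process rather than for one client session. It also flags the two warnings the client log already prints (`ifconfig` together with `pull`, and no server certificate check such as `ns-cert-type server`). The config parser is deliberately simplified (one directive per line, no inline files, later duplicates overwrite earlier ones), and the sample texts are constructed from the post with comments dropped.

```python
"""Lint the OpenVPN configs and server log quoted in the post (added example)."""
import re

# Constructed from the server config in the post, comments removed.
SERVER_CONF = """\
dev tap0
tls-server
dh dh1024.pem
ca ca.crt
cert server.crt
key server.key
port 1194
user nobody
group nobody
comp-lzo
plugin /usr/lib/openvpn/openvpn-auth-pam.so openvpn
reneg-sec 0
ping 15
ping-restart 45
ping-timer-rem
persist-tun
persist-key
verb 3
"""

# Constructed from the client config in the post.
CLIENT_CONF = """\
remote 207.xxx.xxx.xxx
port 1194
dev tap
tls-client
ifconfig 10.25.80.89 255.255.255.0
ifconfig-nowarn
ca aca.crt
cert home.crt
key home.key
comp-lzo
verb 3
auth-user-pass
pull
reneg-sec 0
auth-nocache
"""

# Constructed excerpt of the server log in the post.
SERVER_LOG = """\
AUTH-PAM: BACKGROUND: user 'jdoe' failed to authenticate: Authentication failure
Wed Oct 3 12:22:54 2007 TLS Auth Error: Auth Username/Password verification failed for peer
Wed Oct 3 12:22:55 2007 SENT CONTROL [client1]: 'AUTH_FAILED' (status=1)
Wed Oct 3 12:22:55 2007 Delayed exit in 5 seconds
Wed Oct 3 12:23:00 2007 SIGTERM[soft,delayed-exit] received, process exiting
"""

# Directives that put OpenVPN 2.x into multi-client (server) mode.
SERVER_MODE_DIRECTIVES = ("server", "server-bridge")
# Client-side directives (2.0/2.1 era) that verify the server certificate.
SERVER_CERT_CHECKS = ("ns-cert-type", "remote-cert-tls", "tls-remote")

PAM_FAIL_RE = re.compile(r"user '([^']+)' failed to authenticate")


def parse_conf(text):
    """Map directive -> list of arguments; skips blank lines and # / ; comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = line.split()
        conf[parts[0]] = parts[1:]
    return conf


def is_server_mode(conf):
    """True if any server-mode directive (or 'mode server') is present."""
    return any(d in conf for d in SERVER_MODE_DIRECTIVES) or conf.get("mode") == ["server"]


def lint_server(conf):
    """Findings for the server side; empty list means nothing flagged."""
    findings = []
    if "tls-server" in conf and not is_server_mode(conf):
        findings.append("tls-server without server/server-bridge/mode server: "
                        "point-to-point mode, so an auth failure ends the whole process")
    return findings


def lint_client(conf):
    """Findings for the client side, mirroring the two warnings in the client log."""
    findings = []
    if "pull" in conf and "ifconfig" in conf:
        findings.append("ifconfig used together with pull")
    if not any(d in conf for d in SERVER_CERT_CHECKS):
        findings.append("no server certificate verification (e.g. ns-cert-type server)")
    return findings


def failed_users(log):
    """Usernames that PAM rejected, in log order."""
    return [m.group(1) for line in log.splitlines() for m in [PAM_FAIL_RE.search(line)] if m]


def process_died_after_auth_failure(log):
    """True if an AUTH_FAILED is followed by the delayed-exit SIGTERM of the daemon."""
    seen_failure = False
    for line in log.splitlines():
        if PAM_FAIL_RE.search(line) or "'AUTH_FAILED'" in line:
            seen_failure = True
        if seen_failure and "SIGTERM[soft,delayed-exit]" in line:
            return True
    return False


if __name__ == "__main__":
    for label, conf, lint in (("server", SERVER_CONF, lint_server),
                              ("client", CLIENT_CONF, lint_client)):
        for f in lint(parse_conf(conf)):
            print(f"{label}: {f}")
    print("failed users:", failed_users(SERVER_LOG))
    print("daemon exited after auth failure:", process_died_after_auth_failure(SERVER_LOG))
```

Run against the quoted texts it reports the point-to-point finding on the server, the two client findings, the user `jdoe` as the failed login, and that the daemon's SIGTERM followed the AUTH_FAILED; adding a `server-bridge` line to the server config makes the server finding disappear, which is the hypothesis this check exists to test.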