[Bug 1077729] New: OpenVPN PAM failed after package upgrade to 2.3.8-14.1
http://bugzilla.suse.com/show_bug.cgi?id=1077729

Bug ID: 1077729
Summary: OpenVPN PAM failed after package upgrade to 2.3.8-14.1
Classification: openSUSE
Product: openSUSE Distribution
Version: Leap 42.3
Hardware: 64bit
OS: openSUSE 42.3
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Other
Assignee: bnc-team-screening@forge.provo.novell.com
Reporter: xpert200@yahoo.fr
QA Contact: qa-bugs@suse.de
Found By: ---
Blocker: ---

Created attachment 757716
--> http://bugzilla.suse.com/attachment.cgi?id=757716&action=edit
Log files and client config

Hello,

I'm using OpenVPN with PAM-Radius for authentication against a FreeRADIUS server. The configuration had been working very well for many years until I upgraded the "openvpn" and "openvpn-auth-pam-plugin" packages from 2.3.8-7.1 to 2.3.8-14.1.

Before the upgrade, the authentication logs looked like this (see attached files PAM_log_whenOK.txt and openvpn_log_whenOK.txt). The authentication was successful!

After the package upgrade to 2.3.8-14.1, PAM authentication is successful, but OpenVPN authentication is deferred and fails for the VPN client (see attached files PAM_log_whenFailed.txt and openvpn_log_whenFailed.txt).

I noticed the following in the changelog of openvpn:

2017-04-20 - ndas@suse.de
- Preform deferred authentication in the background to not cause main daemon processing delays when the underlying pam mechanism (e.g. ldap) needs longer to response (bsc#959511).
  [+ 0001-preform-deferred-authentication-in-the-background.patch]

Is the issue maybe related to this change?

As asked, I also attached the client configuration.

Best regards

--
You are receiving this mail because:
You are on the CC list for the bug.
--- Comment #4 from Reinhard Max
What next, will the package be published in the release?
No, it's not that easy. We've now identified that this patch causes the problem, but I cannot just remove it, because it was added to fix another problem. I need to debug the patch.
--- Comment #13 from Reinhard Max
I tried to remove the auth-nocache option from the client config, but the result is the same. Not sure that the problem is similar to yours.
Sorry, I was drawing wrong conclusions. The fact that PAM succeeds shows that auth-nocache is not the problem. But I think I found the reason why it fails for you: it is the chroot option that you are using in your server config in combination with the deferred PAM authentication that got added by Nirmoy's patch.

For deferred authentication, openvpn forks a background process that gets authentication requests through a socket and hands back the result via a temporary file. When the chroot option is being used, only the "worker" process actually chroots to the given directory, but the "authenticator" stays outside. Now the authenticator writes the result to a file under /tmp, but the worker expects it under the /tmp directory relative to its chroot dir, where it never arrives and hence it times out.

As soon as I turn off chroot in a configuration that closely resembles yours or manually move the result file (openvpn_acf_*.tmp) from /tmp/ to /var/lib/openvpn/jail/tmp/ the connection succeeds. I don't know if that split root operation is intended by upstream or not, and why they use temp files rather than the already existing socket to hand back auth results.
But with the package you provided (https://download.opensuse.org/repositories/home:/rmax:/branches:/OBS_Maintained:/openvpn/openSUSE_Leap_42.3_Update) it works like a charm!
Sure, that one doesn't use deferred authentication, so it doesn't have the background process and file handover. BTW, did you have to copy any PAM and/or RADIUS stuff to your chroot directory in order to get your setup to work initially?
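An added check (not code from the bug report or from the openvpn project): a small POSIX shell function that flags a server config combining the chroot directive with the PAM auth plugin, and prints the two /tmp locations described in comment #13 so the mismatch is visible before a deployment hits the timeout. The constructed sample config and its plugin path are assumptions, not the reporter's attached files.

```shell
#!/bin/sh
# Added example, not code from the bug report or from the openvpn project.
# Inspect an OpenVPN server config for the combination described in comment #13:
# a "chroot" directive together with the PAM auth plugin (deferred auth).
# The authenticator stays outside the jail and writes /tmp/openvpn_acf_*.tmp,
# while the chrooted worker polls <chroot>/tmp/, so the result never arrives.

# check_openvpn_chroot_pam <server.conf>
# Prints "ok" (status 0) or a MISMATCH line naming both paths (status 1).
check_openvpn_chroot_pam() {
    cfg="$1"
    # Drop "#"/";" comments, then take the argument of the first chroot directive.
    jail=$(sed -e 's/[#;].*//' "$cfg" | awk '$1 == "chroot" { print $2; exit }')
    # Any "plugin ...auth-pam..." line means PAM authentication is in use.
    pam=$(sed -e 's/[#;].*//' "$cfg" | awk '$1 == "plugin" && $2 ~ /auth-pam/ { print "yes"; exit }')
    if [ -n "$jail" ] && [ "$pam" = "yes" ]; then
        printf 'MISMATCH: authenticator writes /tmp/openvpn_acf_*.tmp, worker looks in %s/tmp/openvpn_acf_*.tmp\n' "$jail"
        return 1
    fi
    echo ok
}

# Constructed sample resembling the reporter's setup (plugin path is an assumption).
SAMPLE_CFG=$(mktemp)
cat > "$SAMPLE_CFG" <<'EOF'
port 1194
proto udp
dev tun
# run the daemon in a jail
chroot /var/lib/openvpn/jail
plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn
user nobody
group nobody
EOF

if ! check_openvpn_chroot_pam "$SAMPLE_CFG"; then
    echo "Workarounds from the bug: drop 'chroot', or use a build without deferred PAM auth."
fi
rm -f "$SAMPLE_CFG"
```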
--- Comment #16 from Reinhard Max
Do you have any update on this ticket?
Not yet, I kind of lost track of it. Sorry.
In the meantime, can you provide me a package where the PrivateTmp feature of systemd is turned off for OpenVPN on LEAP 15?
As this is a runtime configuration option, there is no need to have a separate package for it. Say your openvpn configuration file is named /etc/openvpn/client.conf, then you run the following command as root:

# systemctl edit openvpn@client.service

This will open an editor into which you type a line that says

PrivateTmp=false

save it and exit the editor. This will create the file /etc/systemd/system/openvpn@client.service.d/override.conf which contains the line you typed, and henceforth that instance of openvpn will run without PrivateTmp. If you have more than one instance, you need to repeat this for each instance.

But I am not sure if disabling PrivateTmp alone will help you. I guess you will also have to disable the chroot feature in your OpenVPN configuration file(s).