Issue 137 in google-authenticator: "Failed to change group id" with PAM module and OpenVPN


google-aut...@googlecode.com
Jan 18, 2012, 6:56:09 AM
to google-authen...@googlegroups.com
Status: New
Owner: ----
Labels: Type-Defect Priority-Medium

New issue 137 by jean-seb...@yakaz.com: "Failed to change group id" with
PAM module and OpenVPN
http://code.google.com/p/google-authenticator/issues/detail?id=137

We configured SSH and OpenVPN in PAM to use pam_google_authenticator. Both
use the same configuration.

With SSH, we have no problem but with OpenVPN, pam_google_authenticator
fails to change group. Here's a log on the server:

openvpn(pam_google_authenticator)[982]: Failed to change group id for user "bob" to 500
kernel: Jan 18 12:21:09 bastion5 openvpn(pam_google_authenticator)[982]: Failed to change group id for user "bob" to 500
openvpn[982]: in _openpam_check_error_code(): pam_sm_authenticate(): unexpected return value 19
kernel: Jan 18 12:21:09 bastion5 openvpn[982]: in _openpam_check_error_code(): pam_sm_authenticate(): unexpected return value 19
openvpn[982]: failed to get password: authentication error
kernel: Jan 18 12:21:09 bastion5 openvpn[982]: failed to get password: authentication error
openvpn[992]: 192.168.200.94:45309 PLUGIN_CALL: POST openvpn-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
openvpn[992]: 192.168.200.94:45309 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: openvpn-auth-pam.so

Users and groups are defined in LDAP, not locally to the server. User "bob"
is part of the group 500 (as its primary group).

We attached a patch that changes the group before changing the user. This
solves the issue for us, but we don't know if it's a good idea,
security-wise.

Our environment:
FreeBSD 9.0-RC3
pam-google-authenticator from Mercurial repository (changeset:
97:320306bec0c5, dated 2012/01/01)
OpenSSH_5.8p2_hpn13v11 (from the FreeBSD base system, not ports)
OpenLDAP 2.4.26
OpenVPN 2.2.1

Our PAM configuration for SSH and OpenVPN:
auth required /usr/local/lib/pam_google_authenticator.so forward_pass
auth required /usr/local/lib/pam_ldap.so use_first_pass debug

Attachments:
google-authenticator-pam-setgroup-before-setuser-a.patch 871 bytes

google-aut...@googlecode.com
Jan 18, 2012, 6:54:08 PM
to google-authen...@googlegroups.com
Updates:
Status: Fixed
Labels: libpam

Comment #1 on issue 137 by mar...@google.com: "Failed to change group id"

I believe your change is likely to result in more correct behavior than
what we had before. So, thank you very much for the good bug report!

I ended up making a slightly more complex change that should work no
matter how crazy the environment is that the PAM module finds itself
running in. But in the default case, it does exactly what your change was
doing.

Please report back if you still encounter any problems.
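The ordering the reporter's patch proposes, and which comment #1 says the committed fix does in the default case, as an added example that is not the module's own code: drop supplementary groups and the primary group first, then the user, because a process that has already switched to an unprivileged uid can no longer change its gid. The function names drop_to_user, ids_match and drop_is_irreversible are invented here for illustration.

```c
#include <errno.h>
#include <grp.h>
#include <sys/types.h>
#include <unistd.h>

/* Drop privileges to (uid, gid) in the safe order: supplementary groups
 * and primary group first, then the user. Doing setuid() first would leave
 * the process unable to call setgid() for a gid it is not already a member
 * of, which is the "Failed to change group id" situation in the report.
 * Returns 0 on success, -1 with errno set on failure. */
int drop_to_user(uid_t uid, gid_t gid)
{
    /* Clearing supplementary groups needs privilege; only do it as root. */
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    if (setgid(gid) != 0)   /* group before user */
        return -1;
    if (setuid(uid) != 0)   /* user last */
        return -1;
    return 0;
}

/* Check that real and effective ids both match the target (a partial drop
 * that only changed the effective id would leave a way back). */
int ids_match(uid_t uid, gid_t gid)
{
    return getuid() == uid && geteuid() == uid &&
           getgid() == gid && getegid() == gid;
}

/* Once the drop has happened, regaining root must be impossible.
 * Returns 1 while still root (nothing dropped yet), else 1 only if
 * setuid(0) is refused with EPERM. */
int drop_is_irreversible(void)
{
    if (geteuid() == 0)
        return 1;
    return setuid(0) == -1 && errno == EPERM;
}
```

Run from an unprivileged shell the functions are a no-op drop to the caller's own ids; run as root they perform the real drop, which is the case the PAM module is in.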

google-aut...@googlecode.com
Jan 19, 2012, 4:39:22 AM
to google-authen...@googlegroups.com

Comment #2 on issue 137 by jean-seb...@yakaz.com: "Failed to change group id"

We tried your change and it works for us.

Thank you very much for this quick fix!

google-aut...@googlecode.com
Dec 15, 2014, 11:40:38 PM
to google-authen...@googlegroups.com

Comment #3 on issue 137 by phuong...@gmail.com: "Failed to change group id"
with PAM module and OpenVPN
https://code.google.com/p/google-authenticator/issues/detail?id=137

Hi Bros,
Could you guide me on how to configure OpenVPN with GA + LDAP authentication, please?
I've done OpenVPN + GA, but now I want to improve security on it.
