Wednesday, January 16, 2019
openvpn pam_google_authenticator.so error in centos 7
This is the short story: I was trying to implement Google OTP authentication for OpenVPN logins, so that in addition to the normal password you also need to supply the time-based token generated by your mobile app. My OS was CentOS 7.
The problem was that it didn't work after following some instructions on the web (like this one: http://dillidba.blogspot.com/2017/02/install-openvpn-on-centos-with-google.html).
My openvpn log was showing this error:
PLUGIN_CALL: POST /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so
TLS Auth Error: Auth Username/Password verification failed for peer
Then after that, I checked /var/log/secure:
openvpn(pam_google_authenticator)[20015]: Accepted google_authenticator for vpn_user
openvpn(pam_google_authenticator)[20015]: Failed to update secret file "/etc/openvpn/google-authenticator/vpn_user": Permission denied
Then after that, I checked /var/log/audit/audit.log:
sudo cat /var/log/audit/audit.log | grep openvpn | grep denied
type=AVC msg=audit(1547603809.897:49734): avc: denied { unlink } for pid=20015 comm="openvpn" name="vpn_user" dev="xvda1" ino=4711785 scontext=system_u:system_r:openvpn_t:s0 tcontext=unconfined_u:object_r:openvpn_etc_t:s0 tclass=file permissive=0
type=AVC msg=audit(1547604668.769:49823): avc: denied { unlink } for pid=20015 comm="openvpn" name="vpn_user" dev="xvda1" ino=4711785 scontext=system_u:system_r:openvpn_t:s0 tcontext=unconfined_u:object_r:openvpn_etc_t:s0 tclass=file permissive=0
type=AVC msg=audit(1547604713.435:49829): avc: denied { unlink } for pid=20015 comm="openvpn" name="vpn_user" dev="xvda1" ino=4711785 scontext=system_u:system_r:openvpn_t:s0 tcontext=unconfined_u:object_r:openvpn_etc_t:s0 tclass=file permissive=0
type=AVC msg=audit(1547605092.191:49860): avc: denied { unlink } for pid=21207 comm="openvpn" name="vpn_user" dev="xvda1" ino=4711785 scontext=system_u:system_r:openvpn_t:s0 tcontext=unconfined_u:object_r:openvpn_etc_t:s0 tclass=file permissive=0
And finally, I fixed it:
sudo cat /var/log/audit/audit.log | grep openvpn | grep denied | audit2allow -M myopenvpn
sudo semodule -i myopenvpn.pp
Now I can connect to OpenVPN by supplying the password and the 6-digit number from Google Authenticator.
So the conclusion is: you always need to check the SELinux permissions when something writes to a non-standard location, as the secret files under /etc/openvpn did in my case.
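Before loading whatever audit2allow builds from a grep of the audit log, it helps to see which allow rules the denials actually imply. The following is an added example, not code from the post: a small Python parser for AVC records that merges them into one allow rule per source type, target type and class, the way a module built from the same records would. The sample log is constructed from the post's audit.log excerpt plus one hypothetical { write } denial on the same file.

```python
import re

# Constructed sample: two of the four identical AVC records quoted in the post,
# plus one hypothetical { write } denial so the summary has two permissions to merge.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1547603809.897:49734): avc: denied { unlink } for pid=20015 comm="openvpn" name="vpn_user" dev="xvda1" ino=4711785 scontext=system_u:system_r:openvpn_t:s0 tcontext=unconfined_u:object_r:openvpn_etc_t:s0 tclass=file permissive=0
type=AVC msg=audit(1547604668.769:49823): avc: denied { unlink } for pid=20015 comm="openvpn" name="vpn_user" dev="xvda1" ino=4711785 scontext=system_u:system_r:openvpn_t:s0 tcontext=unconfined_u:object_r:openvpn_etc_t:s0 tclass=file permissive=0
type=AVC msg=audit(1547604668.770:49824): avc: denied { write } for pid=20015 comm="openvpn" name="vpn_user" dev="xvda1" ino=4711785 scontext=system_u:system_r:openvpn_t:s0 tcontext=unconfined_u:object_r:openvpn_etc_t:s0 tclass=file permissive=0
"""

# Fields of one AVC denial record; the permission set sits inside "{ ... }".
AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+)\}"
    r".*?scontext=(?P<scontext>\S+)"
    r".*?tcontext=(?P<tcontext>\S+)"
    r".*?tclass=(?P<tclass>\S+)"
)

def parse_avc_denials(text):
    """Return (source type, target type, class, perms) for each AVC denial in text."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            # The type is the third field of a user:role:type:level context.
            stype = m.group("scontext").split(":")[2]
            ttype = m.group("tcontext").split(":")[2]
            denials.append((stype, ttype, m.group("tclass"),
                            frozenset(m.group("perms").split())))
    return denials

def allow_rules(text):
    """Merge denials into one allow rule per (source, target, class) and count
    how many records contributed to it; returns a list of (rule, hits)."""
    merged = {}
    for stype, ttype, tclass, perms in parse_avc_denials(text):
        entry = merged.setdefault((stype, ttype, tclass), [set(), 0])
        entry[0] |= perms
        entry[1] += 1
    rules = []
    for (stype, ttype, tclass), (perms, hits) in sorted(merged.items()):
        plist = " ".join(sorted(perms))
        body = plist if len(perms) == 1 else "{ " + plist + " }"
        rules.append((f"allow {stype} {ttype}:{tclass} {body};", hits))
    return rules

if __name__ == "__main__":
    # Review what a module built from these records would grant before loading it.
    for rule, hits in allow_rules(SAMPLE_AUDIT_LOG):
        print(f"{hits:3d}x  {rule}")
```

Feed it the real output of the grep from the post instead of the sample to see every rule the module would add; a rule that grants more than the plugin needs is the signal to relabel the directory or narrow the input rather than load the module as generated.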