[Bug 1511524] [NEW] OpenVPN PAM authentication broken on 15.10 Server

Sean O'Connell sean at sdoconnell.net
Thu Oct 29 20:51:00 UTC 2015


Public bug reported:

With OpenVPN 2.3.7 in server mode (config option 'mode server') on
Ubuntu Server 15.10, using the PAM authentication plugin for client
connections (config option
'plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so login') and
launching the OpenVPN process via the systemd openvpn@ unit file (e.g.
'systemctl start openvpn@server', with a /etc/openvpn/server.conf
config file) OpenVPN will return a failure on user authentication, even
if the remote user authenticates with valid credentials.

Launching the OpenVPN server manually (e.g. 'openvpn --config
/etc/openvpn/server.conf') does not result in the same problem, and the
user is able to authenticate.

On user authentication, OpenVPN will log the following:

AUTH-PAM: BACKGROUND: user 'vpnuser' failed to authenticate: System error

and in /var/log/auth.log, the following will be logged:

PAM audit_log_acct_message() failed: Operation not permitted

CAUSE: The openvpn@.service unit file is too restrictive. The
CapabilityBoundingSet parameter in /lib/systemd/system/openvpn@.service
does not provide sufficient capabilities for the OpenVPN process to
authenticate using PAM.

SOLUTION: Adding the option CAP_AUDIT_WRITE to the CapabilityBoundingSet
parameter in the openvpn@.service unit file resolves the problem and
allows OpenVPN to authenticate properly using PAM.

PROPOSED: Change the shipped openvpn@.service unit file to include
CAP_AUDIT_WRITE in the CapabilityBoundingSet.

DETAILS:

Description:	Ubuntu 15.10
Release:	15.10

openvpn:
  Installed: 2.3.7-1ubuntu1
  Candidate: 2.3.7-1ubuntu1
  Version table:
 *** 2.3.7-1ubuntu1 0
        500 http://us.archive.ubuntu.com/ubuntu/ wily/main amd64 Packages
        100 /var/lib/dpkg/status

** Affects: openvpn (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: openvpn pam

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to openvpn in Ubuntu.
https://bugs.launchpad.net/bugs/1511524
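
A check for the condition described under CAUSE and SOLUTION, as an added example that is not part of the original bug report or of the Ubuntu packaging: it reports when an OpenVPN config loads the auth-pam plugin while the unit's CapabilityBoundingSet leaves out CAP_AUDIT_WRITE. The function names are hypothetical, and it assumes the merge rules documented in systemd.exec(5): plain lists are merged by OR, "~" lists by AND, and an empty assignment resets the set.

```shell
#!/bin/sh
# Added example; function names are hypothetical.

# cap_in_bounding_set CAP FILE...
# Prints yes/no: is CAP still in the bounding set after reading the unit
# file and its drop-ins in the order given?
cap_in_bounding_set() {
    cap=$1; shift
    awk -v cap="$cap" '
        BEGIN { state = "unset" }        # unset: unit sets no bounding set
        /^[ \t]*CapabilityBoundingSet[ \t]*=/ {
            val = $0
            sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
            inv = sub(/^~/, "", val)     # leading "~" inverts the list
            listed = 0
            n = split(val, caps, /[ \t]+/)
            for (i = 1; i <= n; i++) if (caps[i] == cap) listed = 1
            if (val == "")             state = inv ? "yes" : "no"  # reset
            else if (state == "unset") state = (listed != inv) ? "yes" : "no"
            else if (!inv && listed)   state = "yes"  # plain lists: OR
            else if (inv && listed)    state = "no"   # "~" lists: AND
        }
        END { print ((state == "no") ? "no" : "yes") }
    ' "$@"
}

# uses_pam_plugin CONF: true when the OpenVPN config loads the auth-pam plugin.
uses_pam_plugin() {
    grep -Eq '^[[:space:]]*plugin[[:space:]].*openvpn-plugin-auth-pam\.so' "$1"
}

# audit_openvpn_unit CONF UNIT [DROPIN...]
# Returns 1 and prints a finding when PAM auth is configured but
# CAP_AUDIT_WRITE is outside the bounding set (the failure reported above).
audit_openvpn_unit() {
    conf=$1; shift
    uses_pam_plugin "$conf" || { echo "ok: PAM plugin not in use"; return 0; }
    if [ "$(cap_in_bounding_set CAP_AUDIT_WRITE "$@")" = yes ]; then
        echo "ok: CAP_AUDIT_WRITE is in the bounding set"; return 0
    fi
    echo "finding: PAM plugin configured but CAP_AUDIT_WRITE is missing"
    return 1
}
```

Pass the unit file followed by its drop-ins in the order systemd reads them, for example `audit_openvpn_unit /etc/openvpn/server.conf /lib/systemd/system/openvpn@.service`. A drop-in whose `[Service]` section holds only `CapabilityBoundingSet=CAP_AUDIT_WRITE` adds the capability without editing the shipped file.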
