Bug 1149870 - ocserv authentication issue using pam
Status: NEW
Classification: openSUSE
Product: openSUSE Tumbleweed
Component: Other
Version: Current
Hardware: x86-64 Other
Priority: P5 - None
Severity: Normal
Assigned To: Michael Du
Reported: 2019-09-07 09:14 UTC by Mauro Gaspari
Modified: 2021-07-09 17:08 UTC

Description Mauro Gaspari 2019-09-07 09:14:09 UTC
openconnect server installed from OSS repo seems to have an issue when I enable pam authentication. Once pam authentication is enabled, when trying to authenticate, I get an error message after entering the username in my openconnect (or anyconnect) client. This error happens after I enter username, before I am given the chance to enter the password.

Information for package ocserv:
-------------------------------
Repository     : Main Repository (OSS) 
Name           : ocserv                
Version        : 0.12.3-2.2            
Arch           : x86_64                
Vendor         : openSUSE              
Installed Size : 580.7 KiB             
Installed      : Yes                   
Status         : up-to-date            
Source package : ocserv-0.12.3-2.2.src 
Summary        : OpenConnect VPN Server

Error logs:

Sep 07 13:27:39 FW01 ocserv[2163]: note: setting 'pam' as primary authentication method
Sep 07 13:28:28 FW01 ocserv[2170]: sec-mod: using 'pam' authentication to authenticate user (session: UOH64r)
Sep 07 13:28:28 FW01 ocserv[2170]: pam_warn(ocserv:auth): function=[pam_sm_authenticate] flags=0 service=[ocserv] terminal=[<unknown>] user=[testuser] ruser=[<unknown>] rhost=[::ffff:101.12.26.69]
Sep 07 13:28:28 FW01 ocserv[2170]: PAM-auth pam_auth_msg: Authentication failure


Same error happens if I enable either pam or pam with gid-min option:
#auth = "pam"
#auth = "pam[gid-min=1000]"


Other authentication methods I tested work without any issue:
#auth = "plain[passwd=/etc/ocserv/ocpasswd]"
#auth = "radius[config=/etc/radiusclient/radiusclient.conf]"

I installed ocserv with all recommended packages per official documentation:
https://gitlab.com/openconnect/ocserv/blob/master/README.md
Comment 1 Thorsten Kukuk 2019-09-09 08:04:56 UTC
(In reply to Mauro Gaspari from comment #0)
> Sep 07 13:27:39 FW01 ocserv[2163]: note: setting 'pam' as primary
> authentication method
> Sep 07 13:28:28 FW01 ocserv[2170]: sec-mod: using 'pam' authentication to
> authenticate user (session: UOH64r)
> Sep 07 13:28:28 FW01 ocserv[2170]: pam_warn(ocserv:auth):
> function=[pam_sm_authenticate] flags=0 service=[ocserv] terminal=[<unknown>]
> user=[testuser] ruser=[<unknown>] rhost=[::ffff:101.12.26.69]
> Sep 07 13:28:28 FW01 ocserv[2170]: PAM-auth pam_auth_msg: Authentication
> failure

Sounds like you don't have a PAM configuration file for ocserv.
Comment 2 Mauro Gaspari 2019-09-09 08:19:47 UTC
(In reply to Thorsten Kukuk from comment #1)
> (In reply to Mauro Gaspari from comment #0)
> > Sep 07 13:27:39 FW01 ocserv[2163]: note: setting 'pam' as primary
> > authentication method
> > Sep 07 13:28:28 FW01 ocserv[2170]: sec-mod: using 'pam' authentication to
> > authenticate user (session: UOH64r)
> > Sep 07 13:28:28 FW01 ocserv[2170]: pam_warn(ocserv:auth):
> > function=[pam_sm_authenticate] flags=0 service=[ocserv] terminal=[<unknown>]
> > user=[testuser] ruser=[<unknown>] rhost=[::ffff:101.12.26.69]
> > Sep 07 13:28:28 FW01 ocserv[2170]: PAM-auth pam_auth_msg: Authentication
> > failure
> 
> Sounds like you don't have a PAM configuration file for ocserv.

I have reached out to the developer of ocserv, here is his reply. I hope it helps.

"I suspect that the ocserv pam file needs to be different in tumbleweed. You may want to report to them as they may have copied the fedora pam file which may be incompatible. Normally PAM would print something in syslog when something is completely wrong, but it is not very user friendly."
Comment 3 Marius Tomaschewski 2020-09-17 13:44:39 UTC
Hmm... No idea why it's assigned to me, trying maintainer:

$ obs bugowner -e ocserv
Defined in project:  network:vpn
  bugowner of ocserv : 
   ndas@please-enter-an-email-address

$ obs maintainer -e ocserv
Defined in package: network:vpn/ocserv 
  bugowner of ocserv : 
   -

  maintainer of ocserv : 
   duyizhaozj321@yahoo.com
Comment 4 Michael Du 2021-07-09 17:07:10 UTC
/etc/pam.d/ocserv is not included in this package, you have to create this file manually.
Comment 5 Michael Du 2021-07-09 17:08:20 UTC
/etc/pam.d/ocserv is not included in this package, you have to create this file manually.
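
Comments 1, 4 and 5 trace the failure to a missing /etc/pam.d/ocserv. The shell sketch below is an added example, not part of the bug report or the ocserv package: it extracts the service name from pam_warn lines like the one quoted in the description and reports whether that service has its own PAM file or would fall through to Linux-PAM's "other" policy. The function names are hypothetical, and the check covers a single directory only (default /etc/pam.d).

```shell
#!/bin/sh
# Added example: map pam_warn log lines to services that lack a PAM file.

# Constructed sample input: the pam_warn line quoted in the report.
SAMPLE_LOG='Sep 07 13:28:28 FW01 ocserv[2170]: pam_warn(ocserv:auth): function=[pam_sm_authenticate] flags=0 service=[ocserv] terminal=[<unknown>] user=[testuser] ruser=[<unknown>] rhost=[::ffff:101.12.26.69]'

# Print the unique PAM service names found in pam_warn lines on stdin.
# pam_warn tags its messages as "pam_warn(<service>:<type>)".
pam_warn_services() {
    sed -n 's/.*pam_warn(\([^:)]*\):[^)]*).*/\1/p' | sort -u
}

# Report which policy file would apply to service $1 in directory $2:
#   own            - a file named after the service exists
#   fallback-other - no such file; Linux-PAM uses the "other" policy
#   none           - neither file exists in this directory
# Assumption: only this one directory is checked.
pam_policy_for() {
    svc=$1
    dir=${2:-/etc/pam.d}
    if [ -f "$dir/$svc" ]; then
        echo "own"
    elif [ -f "$dir/other" ]; then
        echo "fallback-other"
    else
        echo "none"
    fi
}

# Read log lines on stdin; print one "<service> <policy>" line per service.
audit_pam_warn() {
    audit_dir=${1:-/etc/pam.d}
    pam_warn_services | while IFS= read -r name; do
        printf '%s %s\n' "$name" "$(pam_policy_for "$name" "$audit_dir")"
    done
}

# Stand-alone run on the constructed sample. On a live host the input
# could come from the journal instead: journalctl -u ocserv | audit_pam_warn
printf '%s\n' "$SAMPLE_LOG" | audit_pam_warn
```

A result of "fallback-other" for ocserv means logins are being judged by the catch-all policy rather than by a file written for the VPN service, which matches the diagnosis in the comments.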