Bugzilla – Bug 1149870
ocserv authentication issue using pam
Last modified: 2021-07-09 17:08:20 UTC
openconnect server installed from OSS repo seems to have an issue when I enable pam authentication. Once pam authentication is enabled, when trying to authenticate, I get an error message after entering the username in my openconnect (or anyconnect) client. This error happens after I enter username, before I am given the chance to enter the password.

Information for package ocserv:
-------------------------------
Repository     : Main Repository (OSS)
Name           : ocserv
Version        : 0.12.3-2.2
Arch           : x86_64
Vendor         : openSUSE
Installed Size : 580.7 KiB
Installed      : Yes
Status         : up-to-date
Source package : ocserv-0.12.3-2.2.src
Summary        : OpenConnect VPN Server

Error logs:

Sep 07 13:27:39 FW01 ocserv[2163]: note: setting 'pam' as primary authentication method
Sep 07 13:28:28 FW01 ocserv[2170]: sec-mod: using 'pam' authentication to authenticate user (session: UOH64r)
Sep 07 13:28:28 FW01 ocserv[2170]: pam_warn(ocserv:auth): function=[pam_sm_authenticate] flags=0 service=[ocserv] terminal=[<unknown>] user=[testuser] ruser=[<unknown>] rhost=[::ffff:101.12.26.69]
Sep 07 13:28:28 FW01 ocserv[2170]: PAM-auth pam_auth_msg: Authentication failure

Same error happens if I enable either pam or pam with gid-min option:

#auth = "pam"
#auth = "pam[gid-min=1000]"

Other authentication methods I tested work without any issue:

#auth = "plain[passwd=/etc/ocserv/ocpasswd]"
#auth = "radius[config=/etc/radiusclient/radiusclient.conf]"

I installed ocserv with all recommended packages per official documentation: https://gitlab.com/openconnect/ocserv/blob/master/README.md

(In reply to Mauro Gaspari from comment #0)
> Sep 07 13:27:39 FW01 ocserv[2163]: note: setting 'pam' as primary
> authentication method
> Sep 07 13:28:28 FW01 ocserv[2170]: sec-mod: using 'pam' authentication to
> authenticate user (session: UOH64r)
> Sep 07 13:28:28 FW01 ocserv[2170]: pam_warn(ocserv:auth):
> function=[pam_sm_authenticate] flags=0 service=[ocserv] terminal=[<unknown>]
> user=[testuser] ruser=[<unknown>] rhost=[::ffff:101.12.26.69]
> Sep 07 13:28:28 FW01 ocserv[2170]: PAM-auth pam_auth_msg: Authentication
> failure

Sounds like you don't have a PAM configuration file for ocserv.

(In reply to Thorsten Kukuk from comment #1)
> (In reply to Mauro Gaspari from comment #0)
> > Sep 07 13:27:39 FW01 ocserv[2163]: note: setting 'pam' as primary
> > authentication method
> > Sep 07 13:28:28 FW01 ocserv[2170]: sec-mod: using 'pam' authentication to
> > authenticate user (session: UOH64r)
> > Sep 07 13:28:28 FW01 ocserv[2170]: pam_warn(ocserv:auth):
> > function=[pam_sm_authenticate] flags=0 service=[ocserv] terminal=[<unknown>]
> > user=[testuser] ruser=[<unknown>] rhost=[::ffff:101.12.26.69]
> > Sep 07 13:28:28 FW01 ocserv[2170]: PAM-auth pam_auth_msg: Authentication
> > failure
>
> Sounds like you don't have a PAM configuration file for ocserv.

I have reached out to the developer of ocserv, here is his reply. I hope it helps.

"I suspect that the ocserv pam file needs to be different in tumbleweed. You may want to report to them as they may have copied the fedora pam file which may be incompatible. Normally PAM would print something in syslog when something is completely wrong, but it is not very user friendly."

Hmm... No idea why it's assigned to me, trying maintainer:

$ obs bugowner -e ocserv
Defined in project: network:vpn
  bugowner of ocserv : ndas@please-enter-an-email-address

$ obs maintainer -e ocserv
Defined in package: network:vpn/ocserv
  bugowner of ocserv : -
  maintainer of ocserv : duyizhaozj321@yahoo.com

/etc/pam.d/ocserv is not included in this package, you have to create this file manually.
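
An added diagnostic example for the situation discussed in this thread (not code from the reporter, the package, or the ocserv project): Linux-PAM uses the catch-all "other" service when no file exists for the requested service name, so a quick check is to see which file would actually supply the stack for "ocserv" and which auth modules it lists. The function names and the default directory /etc/pam.d are assumptions; pass other directories if your system keeps PAM files elsewhere.

```shell
#!/bin/sh
# Added diagnostic sketch; not from the bug report or the ocserv project.
# pam_stack_source SERVICE [DIR...]: which file supplies the PAM stack?
# Prints service:<path>, fallback:<path> (the catch-all "other"), or none.
pam_stack_source() {
    svc=$1; shift
    [ $# -gt 0 ] || set -- /etc/pam.d      # assumed default location
    for d in "$@"; do
        if [ -f "$d/$svc" ]; then printf 'service:%s\n' "$d/$svc"; return 0; fi
    done
    for d in "$@"; do
        if [ -f "$d/other" ]; then printf 'fallback:%s\n' "$d/other"; return 0; fi
    done
    printf 'none\n'
}

# pam_auth_modules FILE: list what the "auth" lines of a PAM file call.
# Handles plain controls (required, sufficient, ...), bracketed controls
# such as [success=1 default=ignore], and include/substack lines.
pam_auth_modules() {
    awk '$1 ~ /^-?auth$/ {
        if ($2 == "include" || $2 == "substack") { print $2 ":" $3; next }
        i = 3
        if ($2 ~ /^\[/) { i = 2; while (i <= NF && $i !~ /\]$/) i++; i++ }
        print $i
    }' "$1"
}

# pam_diagnose SERVICE [DIR...]: one-line verdict for the service.
pam_diagnose() {
    svc=$1
    src=$(pam_stack_source "$@")
    case $src in
        service:*)
            echo "OK: $svc uses ${src#service:}" ;;
        fallback:*)
            f=${src#fallback:}
            # Unquoted on purpose: join the module names onto one line.
            echo "MISSING: no PAM file for $svc; falls back to $f:" $(pam_auth_modules "$f") ;;
        *)
            echo "MISSING: no PAM file for $svc and no 'other' fallback" ;;
    esac
}

pam_diagnose ocserv /etc/pam.d
```

A "MISSING ... falls back to" result that lists pam_warn.so and a denying module would match the pam_warn(ocserv:auth) line followed by "Authentication failure" in the log above.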