Hello,
I faced a strange issue. Ubuntu 24.04—OpenVPN service has worked for a long time without any issues. I would like to add an MFA.
My OpenVPN PAM config:
----------
# here are the per-package modules (the "Primary" block)
account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
account [success=1 default=ignore] pam_ldap.so
# here's the fallback if no module succeeds
account requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
account required pam_permit.so
# and here are more per-package modules (the "Additional" block)
account sufficient pam_localuser.so
account [default=bad success=ok user_unknown=ignore] pam_sss.so
# end of pam-auth-update config
-------------------------
sudo pamtester openvpn user authenticate
Password:
pamtester: successfully authenticated -
openldap test passed
When I added the new line to /etc/pam.d/openvpn:
auth required /lib/x86_64-linux-gnu/security/pam_google_authenticator.so secret=/etc/openvpn/google-authenticator/${USER} user=gauth forward_pass
In this case, I passed the PAM test:
sudo pamtester openvpn user authenticate
Password & verification code:
pamtester: successfully authenticated -
As far as I can see, in this case, there was no connection to the OpenLDAP service, and I can enter any password.
What is wrong? Could you please help me?
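For reference, here is an added example (not the original poster's file) of what an OpenVPN PAM stack looks like when pam_google_authenticator is chained with a real password check. Note that the `account` lines shown in the post never verify a password: `auth` and `account` are separate stacks, and pam_ldap/pam_sss in the `account` stack only decide whether an already-authenticated user is allowed in. The password check has to sit in the `auth` stack after the OTP module. Module names and the secret path follow the post; the `pam_ldap.so use_first_pass` line and the comments are assumptions for illustration.

```text
# /etc/pam.d/openvpn   (added example, not the original poster's configuration)

# --- auth stack: this is where the password is actually verified ---
#
# pam_google_authenticator prompts once for "Password & verification code:",
# checks the trailing verification code against the user's secret file and,
# because of forward_pass, hands the leading password part to the NEXT module
# as PAM_AUTHTOK. It never validates the password itself.
auth    required    pam_google_authenticator.so secret=/etc/openvpn/google-authenticator/${USER} user=gauth forward_pass

# pam_ldap consumes the forwarded password (use_first_pass = do not prompt
# again, fail if none was forwarded) and binds against OpenLDAP with it.
# Both lines are "required", so a wrong code OR a wrong password fails the stack.
auth    required    pam_ldap.so use_first_pass

# --- what an OTP-only auth stack does ---
# If pam_google_authenticator is the only auth line (or the only one that runs),
# nothing ever checks the password portion: any string followed by a valid
# 6-digit code is accepted, which matches "I can enter any password".
#
# auth    required    pam_google_authenticator.so secret=/etc/openvpn/google-authenticator/${USER} user=gauth forward_pass
#                     ^ alone: verification code checked, password ignored

# --- account stack: authorization only, no password verification happens here ---
account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
account [success=1 default=ignore] pam_ldap.so
account requisite pam_deny.so
account required pam_permit.so
account sufficient pam_localuser.so
account [default=bad success=ok user_unknown=ignore] pam_sss.so
```

To confirm the password is really being checked, run `sudo pamtester openvpn user authenticate` twice: once with the correct password and a current code, which should succeed, and once with a deliberately wrong password and a current code, which must now fail with "pamtester: Authentication failure". If the second run still succeeds, the password is never reaching an LDAP bind, and the module order in the `auth` stack (or a `sufficient` entry ahead of pam_ldap) is the place to look.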