Hi.
I'm trying to set up MFA with Google Authenticator for OpenVPN on a newly installed Oracle Linux 8 server. This setup is exactly the same as for 4 other servers I've set up earlier with CentOS 8. Meaning that four more or less identical setups with, as far as I can tell, identical permissions on CentOS 8 are working without problems.
When I try to log in, I get this in the journald log. Same problem for all users I've tried.
openvpn(pam_google_authenticator)[78599]: Failed to read "/home/harald25/.google_authenticator" for "harald25"
openvpn[78597]: AUTH-PAM: BACKGROUND: my_conv[0] query='Password & verification code: ' style=1
openvpn(pam_google_authenticator)[78599]: No secret configured for user harald25, asking for code anyway.
openvpn(pam_google_authenticator)[78599]: Invalid verification code for harald25
openvpn(pam_google_authenticator)[78599]: debug: end of google_authenticator for "harald25". Result: Authentication failure
'ls -la /home/harald25/.google_authenticator' gives me:
-r-------- 1 harald25 1063000000 215 Mar 31 09:24 /home/harald25/.google_authenticator
'ls -l /home' gives:
drwx------. 2 harald25 harald25 72 Mar 31 11:00 harald25
SELinux is disabled. The home directory is not encrypted. Changing permissions on home folder and secret file to 777 gives the exact same error. Not even a mention about permissions being too permissive.
Version:
dnf list installed | grep google
google-authenticator.x86_64 1.07-1.el8 @ol8_developer_EPEL
I'm using the OpenVPN PAM plugin (from /etc/openvpn/server/mfa_udp.conf):
plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn
The OpenVPN PAM config file looks like this:
auth required pam_google_authenticator.so debug forward_pass
auth required pam_sss.so use_first_pass
password required pam_sss.so
account required pam_sss.so
Changing it to this works:
auth required pam_sss.so
password required pam_sss.so
account required pam_sss.so
So I know that the authentication with FreeIPA via SSS is working correctly.
I'm not sure where to proceed from here. Any tips will be greatly appreciated!