OpenVPN PAM authentication broken on 15.10 Server
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
openvpn (Debian) | Fix Released | Unknown | | |
openvpn (Ubuntu) | Fix Released | High | Unassigned | |
Bug Description
With OpenVPN 2.3.7 in server mode (config option 'mode server') on Ubuntu Server 15.10, using the PAM authentication plugin for client connections (config option 'plugin /usr/lib/
Launching the OpenVPN server manually (e.g. 'openvpn --config /etc/openvpn/
On user authentication, OpenVPN will log the following:
AUTH-PAM: BACKGROUND: user 'vpnuser' failed to authenticate: System error
and in /var/log/auth.log, the following will be logged:
PAM audit_log_
CAUSE: The openvpn@.service unit file is too restrictive. The CapabilityBound
SOLUTION: Adding the option CAP_AUDIT_WRITE to the CapabilityBound
PROPOSED: Change the shipped openvpn@.service unit file to include CAP_AUDIT_WRITE in the CapabilityBound
DETAILS:
Description: Ubuntu 15.10
Release: 15.10
openvpn:
Installed: 2.3.7-1ubuntu1
Candidate: 2.3.7-1ubuntu1
Version table:
*** 2.3.7-1ubuntu1 0
500 http://
100 /var/lib/
tags: added: bitesize systemd-boot
Changed in openvpn (Ubuntu):
status: New → Triaged
importance: Undecided → High
Changed in openvpn (Ubuntu):
status: Fix Committed → Fix Released
Changed in openvpn (Debian):
status: Unknown → Fix Released
This was fixed in Debian in openvpn 2.3.10-1. This has already made it into Xenial 16.04.
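
The failure condition in this report (PAM plugin loaded while the unit's CapabilityBoundingSet lacks CAP_AUDIT_WRITE) can be checked statically before a unit is deployed. The following is an added example, not code from the report or from the openvpn package: the unit text, drop-in, capability list and plugin path are constructed, recognising the plugin by "auth-pam" in its file name is an assumption, and the merge rules are a simplified model of systemd's CapabilityBoundingSet= handling.

```python
# Added example. All inputs are constructed: the capability list is
# illustrative (not the shipped unit) and the plugin path is a placeholder.
SAMPLE_UNIT = """\
[Service]
CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID
"""
SAMPLE_DROPIN = """\
[Service]
CapabilityBoundingSet=CAP_AUDIT_WRITE
"""
SAMPLE_CONF = """\
mode server
plugin /PLACEHOLDER/openvpn-plugin-auth-pam.so login
"""

def has_capability(cap, *unit_texts):
    """True if `cap` survives the CapabilityBoundingSet= lines, read in order."""
    present, touched = True, False      # no directive: nothing is dropped
    for text in unit_texts:
        section = None
        for line in map(str.strip, text.splitlines()):
            if line.startswith("["):
                section = line
            key, sep, value = line.partition("=")
            if section != "[Service]" or not sep or key.strip() != "CapabilityBoundingSet":
                continue
            value = value.strip()
            invert, names = value.startswith("~"), value.lstrip("~").split()
            if not names:               # "" resets to empty, "~" resets to full
                present, touched = invert, not invert
            elif not touched:           # first real list replaces the default
                present, touched = (cap in names) != invert, True
            elif invert:                # later "~" lists remove capabilities
                present = present and cap not in names
            else:                       # later plain lists are merged by OR
                present = present or cap in names
    return present

def uses_pam_plugin(conf_text):
    """Assumption: the PAM plugin is recognised by 'auth-pam' in its file name."""
    for line in conf_text.splitlines():
        tokens = line.split("#", 1)[0].split()
        if len(tokens) >= 2 and tokens[0] == "plugin" and "auth-pam" in tokens[1].rsplit("/", 1)[-1]:
            return True
    return False

def pam_auth_blocked(conf_text, *unit_texts):
    """The report's failure condition: PAM plugin in use, CAP_AUDIT_WRITE dropped."""
    return uses_pam_plugin(conf_text) and not has_capability("CAP_AUDIT_WRITE", *unit_texts)
```

`pam_auth_blocked(SAMPLE_CONF, SAMPLE_UNIT)` flags the constructed unit, and passing `SAMPLE_DROPIN` as a further argument clears it because plain capability lists are merged.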