OpenVPN PAM authentication broken on 15.10 Server

Bug #1511524 reported by Sean O'Connell on 2015-10-29
28
This bug affects 4 people
Affects Status Importance Assigned to Milestone
openvpn (Debian)
Fix Released
Unknown
openvpn (Ubuntu)
High
Unassigned

Bug Description

With OpenVPN 2.3.7 in server mode (config option 'mode server') on Ubuntu Server 15.10, using the PAM authentication plugin for client connections (config option 'plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so login') and launching the OpenVPN process via the systemd openvpn@ unit file (e.g. 'systemctl start openvpn@server', with a /etc/openvpn/server.conf config file) OpenVPN will return a failure on user authentication, even if the remote user authenticates with valid credentials.

Launching the OpenVPN server manually (e.g. 'openvpn --config /etc/openvpn/server.conf') does not result in the same problem, and the user is able to authenticate.

On user authentication, OpenVPN will log the following:

AUTH-PAM: BACKGROUND: user 'vpnuser' failed to authenticate: System error

and in /var/log/auth.log, the following will be logged:

PAM audit_log_acct_message() failed: Operation not permitted

CAUSE: The openvpn@.service unit file is too restrictive. The CapabilityBoundingSet parameter in /lib/systemd/system/openvpn@.service does not provide sufficient capabilities for the OpenVPN process to authenticate using PAM.

SOLUTION: Adding the option CAP_AUDIT_WRITE to the CapabilityBoundingSet parameter in the openvpn@.service unit file resolves the problem and allows OpenVPN to authenticate properly using PAM.

PROPOSED: Change the shipped openvpn@.service unit file to include CAP_AUDIT_WRITE in the CapabilityBoundingSet.

DETAILS:

Description: Ubuntu 15.10
Release: 15.10

openvpn:
  Installed: 2.3.7-1ubuntu1
  Candidate: 2.3.7-1ubuntu1
  Version table:
 *** 2.3.7-1ubuntu1 0
        500 http://us.archive.ubuntu.com/ubuntu/ wily/main amd64 Packages
        100 /var/lib/dpkg/status

Robie Basak (racb) on 2015-11-05
tags: added: bitesize systemd-boot
Changed in openvpn (Ubuntu):
status: New → Triaged
importance: Undecided → High
Simon Déziel (sdeziel) wrote :

This was fixed in Debian in openvpn 2.3.10-1. This has already made it into Xenial 16.04.

Changed in openvpn (Ubuntu):
status: Triaged → Fix Committed
Martin Pitt (pitti) on 2016-02-01
Changed in openvpn (Ubuntu):
status: Fix Committed → Fix Released
Simon Déziel (sdeziel) wrote :

Thanks Martin. I didn't know we could use fix released until the official release was made.

Changed in openvpn (Debian):
status: Unknown → Fix Released
Rob (r0binary) wrote :

Hi, I do see see the exact same problem on Ubuntu 16.04 with OpenVPN 2.4.3
Should I create a separate ticket for that?

Simon Déziel (sdeziel) wrote :

@r0binary, 16.04 doesn't ship with OpenVPN 2.4.3 so you should report the bug to those who provided your package.

Rob (r0binary) wrote :

@sdeziel Sorry I made a mistake figuring out my distro. I finally downgraded to the last stable OpenVPN package which works as expected. Thanks very much for clarification

Björn Michael (bjmi) wrote :

Hi, I do see see the exact same problem on Ubuntu 17.10 with OpenVPN 2.4.3
Should I create a separate ticket for that?

Stepan Motin (smotin) wrote :

Confirm. The same problem in Ubuntu 18.04 Bionic with OpenVPN 2.4.4, and the same solution - had to add CAP_AUDIT_WRITE into CapabilityBoundingSet parameter in /lib/systemd/system/openvpn@.service.

hboetes (hboetes) wrote :

I can confirm @smotin 's report.

This can also be found here:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=866523

Andreas Ntaflos (daff) wrote :

This is still a problem in Ubuntu 18.04.

Note: systemd unit files provided by packages should not be modified by the user after installation, instead systemd's drop-in feature should be used.

The proper workaround for this bug is to create the file /etc/systemd/system/openvpn@.service.d/10-pam-capability-fix.conf with the following contents (notice the added CAP_AUDIT_WRITE keyword):

[Service]
CapabilityBoundingSet=
CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE CAP_AUDIT_WRITE

Afterwards issue "systemctl daemon-reload" to make systemd aware of the drop-in and then restart the OpenVPN service.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.