OpenVPN PAM authentication broken on 15.10 Server
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| openvpn (Debian) | Fix Released | Unknown | | |
| openvpn (Ubuntu) | Fix Released | High | Unassigned | |
Bug Description
With OpenVPN 2.3.7 in server mode (config option 'mode server') on Ubuntu Server 15.10, using the PAM authentication plugin for client connections (config option 'plugin /usr/lib/
Launching the OpenVPN server manually (e.g. 'openvpn --config /etc/openvpn/
On user authentication, OpenVPN will log the following:
AUTH-PAM: BACKGROUND: user 'vpnuser' failed to authenticate: System error
and in /var/log/auth.log, the following will be logged:
PAM audit_log_
CAUSE: The openvpn@.service unit file is too restrictive. The CapabilityBound
SOLUTION: Adding the option CAP_AUDIT_WRITE to the CapabilityBound
PROPOSED: Change the shipped openvpn@.service unit file to include CAP_AUDIT_WRITE in the CapabilityBound
DETAILS:
Description: Ubuntu 15.10
Release: 15.10
openvpn:
Installed: 2.3.7-1ubuntu1
Candidate: 2.3.7-1ubuntu1
Version table:
*** 2.3.7-1ubuntu1 0
500 http://
100 /var/lib/
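The "System error" in the log lines above is what PAM reports when a module's libaudit call fails, and writing an audit record needs CAP_AUDIT_WRITE in the process's capability bounding set. As an added example (not from the bug report or the OpenVPN project), the script below reads the CapBnd mask from a /proc/PID/status-style file and tests whether bit 29 (CAP_AUDIT_WRITE in linux/capability.h) is present, so an administrator can confirm the cause on a running service before touching the unit file. The two CapBnd values it uses are constructed samples, not captured from an Ubuntu host.

```shell
#!/bin/sh
# Added example: check whether a process's capability bounding set includes
# CAP_AUDIT_WRITE, the capability PAM needs in order to write audit records.
# Reads the CapBnd line from a /proc/<pid>/status-style file.
CAP_AUDIT_WRITE=29   # capability number from <linux/capability.h>

# capbnd_from_status FILE -> prints the hex CapBnd mask found in FILE
capbnd_from_status() {
    awk '/^CapBnd:/ { print $2; exit }' "$1"
}

# has_cap HEXMASK CAPNUM -> exit 0 if bit CAPNUM is set in HEXMASK
has_cap() {
    [ -n "$1" ] || return 1
    [ $(( 0x$1 >> $2 & 1 )) -eq 1 ]
}

# check_audit_write FILE -> prints a verdict and returns 0 (ok) or 1 (missing)
check_audit_write() {
    mask=$(capbnd_from_status "$1")
    if has_cap "$mask" "$CAP_AUDIT_WRITE"; then
        echo "ok: CapBnd=$mask includes CAP_AUDIT_WRITE"
        return 0
    fi
    echo "missing: CapBnd=$mask lacks CAP_AUDIT_WRITE (PAM audit_log_* calls will fail)"
    return 1
}

# Constructed sample: a CapBnd line as it might look for a service whose
# CapabilityBoundingSet omits CAP_AUDIT_WRITE (bits 1,6,7,10,12,13,14,18 set).
RESTRICTED_STATUS=$(mktemp)
printf 'Name:\topenvpn\nCapBnd:\t00000000000474c2\n' > "$RESTRICTED_STATUS"
# The same mask after CAP_AUDIT_WRITE (bit 29 = 0x20000000) is added.
FIXED_STATUS=$(mktemp)
printf 'Name:\topenvpn\nCapBnd:\t00000000200474c2\n' > "$FIXED_STATUS"

# Against a live service: check_audit_write /proc/$(pidof openvpn)/status
check_audit_write "$RESTRICTED_STATUS" || true
check_audit_write "$FIXED_STATUS"
rm -f "$RESTRICTED_STATUS" "$FIXED_STATUS"
```

On a real host the file to inspect is /proc/PID/status of the openvpn@ instance; a full bounding set (every capability bit set) also passes, so the check only flags units that were deliberately narrowed.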
tags: | added: bitesize systemd-boot |
Changed in openvpn (Ubuntu): | |
status: | New → Triaged |
importance: | Undecided → High |
Changed in openvpn (Ubuntu): | |
status: | Fix Committed → Fix Released |
Simon Déziel (sdeziel) wrote : | #2 |
Thanks Martin. I didn't know we could use fix released until the official release was made.
Changed in openvpn (Debian): | |
status: | Unknown → Fix Released |
Rob (r0binary) wrote : | #3 |
Hi, I do see the exact same problem on Ubuntu 16.04 with OpenVPN 2.4.3.
Should I create a separate ticket for that?
Simon Déziel (sdeziel) wrote : | #4 |
@r0binary, 16.04 doesn't ship with OpenVPN 2.4.3 so you should report the bug to those who provided your package.
Rob (r0binary) wrote : | #5 |
@sdeziel Sorry, I made a mistake figuring out my distro. I finally downgraded to the last stable OpenVPN package, which works as expected. Thanks very much for the clarification.
Björn (bjmi) wrote : | #6 |
Hi, I do see the exact same problem on Ubuntu 17.10 with OpenVPN 2.4.3.
Should I create a separate ticket for that?
Stepan Motin (smotin) wrote : | #7 |
Confirm. The same problem in Ubuntu 18.04 Bionic with OpenVPN 2.4.4, and the same solution - had to add CAP_AUDIT_WRITE into CapabilityBound
hboetes (hboetes) wrote : | #8 |
I can confirm @smotin's report.
This can also be found here:
Andreas Ntaflos (daff) wrote : | #9 |
This is still a problem in Ubuntu 18.04.
Note: systemd unit files provided by packages should not be modified by the user after installation; instead, systemd's drop-in feature should be used.
The proper workaround for this bug is to create the file /etc/systemd/
[Service]
CapabilityBound
CapabilityBound
Afterwards issue "systemctl daemon-reload" to make systemd aware of the drop-in and then restart the OpenVPN service.
This was fixed in Debian in openvpn 2.3.10-1. This has already made it into Xenial 16.04.
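As an added example (not code from this thread or from the Debian/Ubuntu packaging), the script below generates the drop-in the comment above describes: it reads the capability list from the shipped unit, appends CAP_AUDIT_WRITE if it is not already there, and writes an override that first resets the inherited list with an empty assignment and then sets the full list, which is why the override has two lines. It assumes the systemd directive is named CapabilityBoundingSet, that the shipped unit carries a single non-empty assignment of it, a constructed capability list standing in for the packaged openvpn@.service, and a hypothetical drop-in file name audit-write.conf.

```shell
#!/bin/sh
# Added example: build a systemd drop-in that extends the shipped
# openvpn@.service CapabilityBoundingSet with CAP_AUDIT_WRITE instead of
# editing the packaged unit. The capability list below is constructed.
set -u

# bounding_set_of UNITFILE -> prints the capability list of the unit's
# CapabilityBoundingSet= line (assumes one non-empty assignment in the file)
bounding_set_of() {
    awk -F= '/^CapabilityBoundingSet=/ && $2 != "" { v = $2 } END { print v }' "$1"
}

# with_cap LIST CAP -> prints LIST with CAP appended unless already present
with_cap() {
    if [ -z "$1" ]; then
        printf '%s\n' "$2"
        return
    fi
    case " $1 " in
        *" $2 "*) printf '%s\n' "$1" ;;
        *)        printf '%s %s\n' "$1" "$2" ;;
    esac
}

# write_dropin UNITFILE DROPIN_PATH -> writes the override and prints the
# resulting list. systemd merges repeated CapabilityBoundingSet= assignments,
# so the empty assignment is needed to reset before setting the new list.
write_dropin() {
    caps=$(with_cap "$(bounding_set_of "$1")" CAP_AUDIT_WRITE)
    mkdir -p "$(dirname "$2")"
    printf '[Service]\nCapabilityBoundingSet=\nCapabilityBoundingSet=%s\n' "$caps" > "$2"
    printf '%s\n' "$caps"
}

# Constructed sample unit standing in for /lib/systemd/system/openvpn@.service
WORK=$(mktemp -d)
cat > "$WORK/openvpn@.service" <<'EOF'
[Service]
CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_OVERRIDE
EOF

# On a real host the drop-in would be written to
# /etc/systemd/system/openvpn@.service.d/audit-write.conf (hypothetical name),
# followed by: systemctl daemon-reload && systemctl restart openvpn@<instance>
write_dropin "$WORK/openvpn@.service" "$WORK/openvpn@.service.d/audit-write.conf"
cat "$WORK/openvpn@.service.d/audit-write.conf"
rm -rf "$WORK"
```

After `systemctl daemon-reload`, `systemctl show openvpn@<instance> -p CapabilityBoundingSet` shows the merged result, which is the quickest way to confirm the drop-in took effect before restarting the service.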