我正在尝试在 Ubuntu Server 15.04 上运行的 openVPN 实例上设置 PAM 身份验证,但我一直收到身份验证失败错误,我是否遗漏了什么?
服务器配置文件
port 1194
proto udp
dev tun
sndbuf 0
rcvbuf 0
ca ca.crt
cert server.crt
key server.key
dh dh.pem
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 0
crl-verify crl.pem
plugin /etc/openvpn/openvpn-plugin-auth-pam.so login
log-append /var/log/openvpn.log
客户端配置文件
client
dev tun
proto udp
sndbuf 0
rcvbuf 0
remote my.server 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
comp-lzo
verb 3
auth-user-pass
<ca>
</ca>
<cert>
</cert>
<key>
</key>
服务器日志文件
AUTH-PAM: BACKGROUND: user 'paul' failed to authenticate: System error
Sun Mar 13 16:41:02 2016 86.137.55.234:49377 PLUGIN_CALL: plugin
function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1:
/etc/openvpn/openvpn-plugin-auth-pam.so
客户端日志文件
Sun Mar 13 19:47:43 2016 OpenVPN 2.3.10 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Feb 1 2016
Sun Mar 13 19:47:43 2016 Windows version 6.1 (Windows 7)
Sun Mar 13 19:47:43 2016 library versions: OpenSSL 1.0.1r 28 Jan 2016, LZO 2.09
Enter Management Password:
Sun Mar 13 19:47:43 2016 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25341
Sun Mar 13 19:47:43 2016 Need hold release from management interface, waiting...
Sun Mar 13 19:47:43 2016 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25341
Sun Mar 13 19:47:44 2016 MANAGEMENT: CMD 'state on'
Sun Mar 13 19:47:44 2016 MANAGEMENT: CMD 'log all on'
Sun Mar 13 19:47:44 2016 MANAGEMENT: CMD 'hold off'
Sun Mar 13 19:47:44 2016 MANAGEMENT: CMD 'hold release'
Sun Mar 13 19:47:52 2016 MANAGEMENT: CMD 'username "Auth" "paul"'
Sun Mar 13 19:47:52 2016 MANAGEMENT: CMD 'password [...]'
Sun Mar 13 19:47:53 2016 Socket Buffers: R=[8192->8192] S=[8192->8192]
Sun Mar 13 19:47:53 2016 UDPv4 link local: [undef]
Sun Mar 13 19:47:53 2016 UDPv4 link remote: [AF_INET]my.server:1194
Sun Mar 13 19:47:53 2016 MANAGEMENT: >STATE:1457898473,WAIT,,,
Sun Mar 13 19:47:53 2016 MANAGEMENT: >STATE:1457898473,AUTH,,,
Sun Mar 13 19:47:53 2016 TLS: Initial packet from [AF_INET]my.server:1194, sid=12745e68 d8548adf
Sun Mar 13 19:47:53 2016 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Sun Mar 13 19:47:53 2016 VERIFY OK: depth=1, CN=ChangeMe
Sun Mar 13 19:47:53 2016 Validating certificate key usage
Sun Mar 13 19:47:53 2016 ++ Certificate has key usage 00a0, expects 00a0
Sun Mar 13 19:47:53 2016 VERIFY KU OK
Sun Mar 13 19:47:53 2016 Validating certificate extended key usage
Sun Mar 13 19:47:53 2016 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Sun Mar 13 19:47:53 2016 VERIFY EKU OK
Sun Mar 13 19:47:53 2016 VERIFY OK: depth=0, CN=server
Sun Mar 13 19:47:53 2016 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sun Mar 13 19:47:53 2016 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Mar 13 19:47:53 2016 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Sun Mar 13 19:47:53 2016 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Mar 13 19:47:53 2016 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 DHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Sun Mar 13 19:47:53 2016 [server] Peer Connection Initiated with [AF_INET]my.server:1194
Sun Mar 13 19:47:54 2016 MANAGEMENT: >STATE:1457898474,GET_CONFIG,,,
Sun Mar 13 19:47:55 2016 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Sun Mar 13 19:47:56 2016 AUTH: Received control message: AUTH_FAILED
Sun Mar 13 19:47:56 2016 SIGUSR1[soft,auth-failure] received, process restarting
Sun Mar 13 19:47:56 2016 MANAGEMENT: >STATE:1457898476,RECONNECTING,auth-failure,,
Sun Mar 13 19:47:56 2016 Restart pause, 2 second(s)
详细服务器日志 http://pastebin.com/30ivbrWH(这篇文章太长了)
登录 pam.d 配置是系统自带的标准配置
答案1
在 openvpn 服务器上安装 saslauthd
# aptitude install sasl2-bin
启动守护进程
# saslauthd -d -a pam -m /var/run/saslauthd/
进行简单身份验证
# testsaslauthd -u paul -p 1234567 -s login
结果必须是
0: OK "Success."
答案2
尝试将“username-as-common-name”添加到 server.conf。