Public bug reported:

With OpenVPN 2.3.7 in server mode (config option 'mode server') on Ubuntu Server 15.10, using the PAM authentication plugin for client connections (config option 'plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so login') and launching the OpenVPN process via the systemd openvpn@ unit file (e.g. 'systemctl start openvpn@server', with a /etc/openvpn/server.conf config file) OpenVPN will return a failure on user authentication, even if the remote user authenticates with valid credentials.

Launching the OpenVPN server manually (e.g. 'openvpn --config /etc/openvpn/server.conf') does not result in the same problem, and the user is able to authenticate.

On user authentication, OpenVPN will log the following:

  AUTH-PAM: BACKGROUND: user 'vpnuser' failed to authenticate: System error

and in /var/log/auth.log, the following will be logged:

  PAM audit_log_acct_message() failed: Operation not permitted

CAUSE:
The openvpn@.service unit file is too restrictive. The CapabilityBoundingSet parameter in /lib/systemd/system/openvpn@.service does not provide sufficient capabilities for the OpenVPN process to authenticate using PAM.

SOLUTION:
Adding the option CAP_AUDIT_WRITE to the CapabilityBoundingSet parameter in the openvpn@.service unit file resolves the problem and allows OpenVPN to authenticate properly using PAM.

PROPOSED:
Change the shipped openvpn@.service unit file to include CAP_AUDIT_WRITE in the CapabilityBoundingSet.

DETAILS:
Description: Ubuntu 15.10
Release: 15.10

openvpn:
  Installed: 2.3.7-1ubuntu1
  Candidate: 2.3.7-1ubuntu1
  Version table:
 *** 2.3.7-1ubuntu1 0
        500 http://us.archive.ubuntu.com/ubuntu/ wily/main amd64 Packages
        100 /var/lib/dpkg/status

** Affects: openvpn (Ubuntu)
     Importance: Undecided
         Status: New

** Tags: openvpn pam

https://bugs.launchpad.net/bugs/1511524

Title:
  OpenVPN PAM authentication broken on 15.10 Server
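Added example, not part of the bug report: a check that ties the two log messages above to the running process's capability bounding set, by decoding the CapBnd mask from /proc/<pid>/status and testing the CAP_AUDIT_WRITE bit. The function names, the sample masks and the sample log lines are constructed for illustration; the masks are not the set shipped in the unit file.

```python
import re

CAP_AUDIT_WRITE = 29  # capability bit number from <linux/capability.h>

# Failure text quoted in the bug report (OpenVPN log and /var/log/auth.log).
SIGNATURES = (
    "failed to authenticate: System error",
    "PAM audit_log_acct_message() failed: Operation not permitted",
)

def bounding_set(status_text):
    """Return the CapBnd mask found in the text of /proc/<pid>/status."""
    m = re.search(r"^CapBnd:\s*([0-9a-fA-F]+)\s*$", status_text, re.M)
    if m is None:
        raise ValueError("no CapBnd line in status text")
    return int(m.group(1), 16)

def can_audit_write(status_text):
    """True if CAP_AUDIT_WRITE is inside the process's bounding set."""
    return bool((bounding_set(status_text) >> CAP_AUDIT_WRITE) & 1)

def signature_hits(log_lines):
    """Log lines carrying one of the failure messages from the report."""
    return [ln for ln in log_lines if any(s in ln for s in SIGNATURES)]

def diagnose(status_text, log_lines):
    hits = signature_hits(log_lines)
    if can_audit_write(status_text):
        return "ok" if not hits else "signature present, but CAP_AUDIT_WRITE is allowed"
    if hits:
        return "PAM audit write blocked by capability bounding set"
    return "CAP_AUDIT_WRITE missing from bounding set; no failure logged yet"

# Constructed samples (not taken from a real host or from the shipped unit).
RESTRICTED = "Name:\topenvpn\nCapBnd:\t00000000000010c0\n"  # bits 6, 7, 12 only
WITH_AUDIT = "Name:\topenvpn\nCapBnd:\t00000000200010c0\n"  # same plus bit 29
LOGS = [
    "Oct 29 10:00:01 vpn openvpn[1234]: PAM audit_log_acct_message() failed: Operation not permitted",
    "Oct 29 10:00:01 vpn ovpn-server[1234]: AUTH-PAM: BACKGROUND: user 'vpnuser' failed to authenticate: System error",
    "Oct 29 10:00:05 vpn sshd[2000]: Accepted publickey for admin",
]

if __name__ == "__main__":
    print(diagnose(RESTRICTED, LOGS))
    print(diagnose(WITH_AUDIT, []))
```

On a live host the status text would come from /proc/<pid>/status of the OpenVPN process started by the unit, which shows the bounding set systemd actually applied.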
