Description
System information
Operating system (e.g. Ubuntu 22.04): Ubuntu 24.04.1 LTS
Do you use selinux? (check with e.g. sestatus): No
Steps to reproduce
- Connect to 2FA VPN (LDAP + Google Auth) openvpn server first time - success.
- Reconnect again - Authentication failure
What I expected would happen
Users should successfully connect to the OpenVPN server every time, not only the first time.
What actually happened
Authentication failure the second time the user connects. BUT if I remove the "grace_period=18000" option in my PAM config, everything works like a charm: users successfully connect and reconnect as many times as they need.
PAM config
auth required pam_google_authenticator.so secret=/etc/openvpn/otp/${USER}.google_authenticator debug user=root grace_period=18000 forward_pass
auth required pam_ldap.so use_first_pass
account sufficient pam_permit.so
If not SSH: That program's config, and logs
I've got a configured OpenVPN server. Should I attach tons of its logs here?
Contents of /var/log/auth.log or equivalent
# AVUser connects for the first time
2024-12-19T17:32:27.925822+03:00 srv-dcb-ovpn2fa openvpn(pam_google_authenticator)[944]: debug: start of google_authenticator for "AVUser"
2024-12-19T17:32:27.926606+03:00 srv-dcb-ovpn2fa openvpn(pam_google_authenticator)[944]: debug: Secret file permissions are 0400. Allowed permissions are 0600
2024-12-19T17:32:27.926834+03:00 srv-dcb-ovpn2fa openvpn(pam_google_authenticator)[944]: debug: "/etc/openvpn/otp/AVUser.google_authenticator" read
2024-12-19T17:32:27.927270+03:00 srv-dcb-ovpn2fa openvpn(pam_google_authenticator)[944]: debug: shared secret in "/etc/openvpn/otp/AVUser.google_authenticator" processed
2024-12-19T17:32:27.927332+03:00 srv-dcb-ovpn2fa openvpn(pam_google_authenticator)[944]: debug: google_authenticator for host "192.168.136.226"
2024-12-19T17:32:27.927372+03:00 srv-dcb-ovpn2fa openvpn(pam_google_authenticator)[944]: debug: no scratch code used from "/etc/openvpn/otp/AVUser.google_authenticator"
2024-12-19T17:32:27.927428+03:00 srv-dcb-ovpn2fa openvpn(pam_google_authenticator)[944]: Accepted google_authenticator for AVUser
2024-12-19T17:32:27.927473+03:00 srv-dcb-ovpn2fa openvpn(pam_google_authenticator)[944]: debug: google_authenticator for host "192.168.136.226"
2024-12-19T17:32:27.927513+03:00 srv-dcb-ovpn2fa openvpn(pam_google_authenticator)[944]: debug: "/etc/openvpn/otp/AVUser.google_authenticator" written
2024-12-19T17:32:27.927551+03:00 srv-dcb-ovpn2fa openvpn(pam_google_authenticator)[944]: debug: end of google_authenticator for "AVUser". Result: Success
# Reconnects
2024-12-19T17:32:41.231236+03:00 srv-dcb-ovpn2fa openvpn(pam_google_authenticator)[944]: debug: start of google_authenticator for "AVUser"
2024-12-19T17:32:41.231427+03:00 srv-dcb-ovpn2fa openvpn(pam_google_authenticator)[944]: debug: Secret file permissions are 0400. Allowed permissions are 0600
2024-12-19T17:32:41.231501+03:00 srv-dcb-ovpn2fa openvpn(pam_google_authenticator)[944]: debug: "/etc/openvpn/otp/AVUser.google_authenticator" read
2024-12-19T17:32:41.231565+03:00 srv-dcb-ovpn2fa openvpn(pam_google_authenticator)[944]: debug: shared secret in "/etc/openvpn/otp/AVUser.google_authenticator" processed
2024-12-19T17:32:41.232199+03:00 srv-dcb-ovpn2fa openvpn(pam_google_authenticator)[944]: debug: google_authenticator for host "192.168.136.226"
2024-12-19T17:32:41.232371+03:00 srv-dcb-ovpn2fa openvpn(pam_google_authenticator)[944]: within grace period: "AVUser"
2024-12-19T17:32:41.232524+03:00 srv-dcb-ovpn2fa openvpn(pam_google_authenticator)[944]: debug: end of google_authenticator for "AVUser". Result: Success
2024-12-19T17:32:41.233281+03:00 srv-dcb-ovpn2fa openvpn[944]: pam_ldap(openvpn:auth): failed to get password: Authentication failure
# Auth fails
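The following is an added example, not code from the issue or from the google-authenticator-libpam project. It does two things a practitioner would want when triaging a report like this one: it correlates the pasted auth.log lines so that a pam_google_authenticator "within grace period" success followed by a pam_ldap "failed to get password" in the same PAM process is reported as one finding (with the time since the user's last OTP-backed success, to confirm the hit fell inside grace_period), and it lints a PAM stack for the combination seen here, grace_period plus forward_pass on the OTP line followed by a module using use_first_pass. The sample log and PAM stack are constructed from the paste above; the reading that a grace-period hit leaves the next module without a forwarded password is my inference from the posted lines (first attempt: Accepted, no LDAP error; second attempt: grace period, LDAP cannot get a password), not a statement from the module's authors.

```python
"""Correlate grace-period OTP successes with pam_ldap password failures in
auth.log, and lint a PAM stack for the grace_period/forward_pass/use_first_pass
combination. Added example; assumptions are marked in comments."""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# Constructed sample input: the relevant lines from the auth.log paste above.
SAMPLE_AUTH_LOG = """\
2024-12-19T17:32:27.925822+03:00 srv-dcb-ovpn2fa openvpn(pam_google_authenticator)[944]: debug: start of google_authenticator for "AVUser"
2024-12-19T17:32:27.927428+03:00 srv-dcb-ovpn2fa openvpn(pam_google_authenticator)[944]: Accepted google_authenticator for AVUser
2024-12-19T17:32:27.927551+03:00 srv-dcb-ovpn2fa openvpn(pam_google_authenticator)[944]: debug: end of google_authenticator for "AVUser". Result: Success
2024-12-19T17:32:41.231236+03:00 srv-dcb-ovpn2fa openvpn(pam_google_authenticator)[944]: debug: start of google_authenticator for "AVUser"
2024-12-19T17:32:41.232371+03:00 srv-dcb-ovpn2fa openvpn(pam_google_authenticator)[944]: within grace period: "AVUser"
2024-12-19T17:32:41.232524+03:00 srv-dcb-ovpn2fa openvpn(pam_google_authenticator)[944]: debug: end of google_authenticator for "AVUser". Result: Success
2024-12-19T17:32:41.233281+03:00 srv-dcb-ovpn2fa openvpn[944]: pam_ldap(openvpn:auth): failed to get password: Authentication failure
"""

# Constructed sample input: the PAM stack from the issue.
SAMPLE_PAM_CONFIG = """\
auth required pam_google_authenticator.so secret=/etc/openvpn/otp/${USER}.google_authenticator debug user=root grace_period=18000 forward_pass
auth required pam_ldap.so use_first_pass
account sufficient pam_permit.so
"""

# syslog-style line: ISO timestamp, host, program[pid]: message
LINE_RE = re.compile(r'^(?P<ts>\S+) (?P<host>\S+) (?P<prog>[^\[]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$')
START_RE = re.compile(r'start of google_authenticator for "(?P<user>[^"]+)"')
GRACE_RE = re.compile(r'within grace period: "(?P<user>[^"]+)"')
ACCEPT_RE = re.compile(r'Accepted google_authenticator for (?P<user>\S+)')
LDAP_FAIL_RE = re.compile(r'pam_ldap\([^)]*\): failed to get password')


@dataclass
class Finding:
    pid: int
    user: str
    grace_at: datetime
    ldap_fail_at: datetime
    seconds_since_last_otp: Optional[float]  # None if no earlier OTP success was seen


def correlate(log_text: str) -> List[Finding]:
    """Walk the log in order. Per PAM process (pid) remember the user whose
    google_authenticator run is in progress and whether it was satisfied by an
    OTP or by the grace period; report a pam_ldap 'failed to get password'
    that follows a grace-period-only success in the same pid."""
    in_progress: Dict[int, dict] = {}      # pid -> current OTP run
    last_otp_ok: Dict[str, datetime] = {}  # user -> last Accepted google_authenticator
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        pid, msg, ts = int(m["pid"]), m["msg"], datetime.fromisoformat(m["ts"])
        if (s := START_RE.search(msg)):
            in_progress[pid] = {"user": s["user"], "grace_at": None, "otp": False}
        elif (a := ACCEPT_RE.search(msg)):
            last_otp_ok[a["user"]] = ts
            if pid in in_progress:
                in_progress[pid]["otp"] = True
        elif GRACE_RE.search(msg) and pid in in_progress:
            in_progress[pid]["grace_at"] = ts
        elif LDAP_FAIL_RE.search(msg):
            run = in_progress.get(pid)
            if run and run["grace_at"] is not None and not run["otp"]:
                prev = last_otp_ok.get(run["user"])
                since = (ts - prev).total_seconds() if prev else None
                findings.append(Finding(pid, run["user"], run["grace_at"], ts, since))
    return findings


def lint_pam_stack(config_text: str) -> List[str]:
    """Warn when an auth module with use_first_pass follows a
    pam_google_authenticator line that has both grace_period and forward_pass
    (assumed risky based on the log pattern above, not on the module's docs)."""
    warnings: List[str] = []
    ga: Optional[tuple] = None  # (line no, has grace_period, has forward_pass)
    for n, line in enumerate(config_text.splitlines(), 1):
        fields = line.split()
        if len(fields) < 3 or fields[0] != "auth":
            continue
        module, opts = fields[2], set(fields[3:])
        if module == "pam_google_authenticator.so":
            ga = (n, any(o.startswith("grace_period=") for o in opts), "forward_pass" in opts)
        elif ga and ga[1] and ga[2] and "use_first_pass" in opts:
            warnings.append(f"line {n}: {module} use_first_pass follows pam_google_authenticator "
                            f"(line {ga[0]}) with grace_period and forward_pass; a grace-period "
                            "hit can leave it without a password")
    return warnings


if __name__ == "__main__":
    for f in correlate(SAMPLE_AUTH_LOG):
        print(f"pid {f.pid} user {f.user}: grace period at {f.grace_at.time()}, "
              f"pam_ldap failed at {f.ldap_fail_at.time()}, "
              f"{f.seconds_since_last_otp:.1f}s after last OTP success")
    for w in lint_pam_stack(SAMPLE_PAM_CONFIG):
        print("WARN", w)
```

Run against the paste it reports one finding for AVUser (pid 944, about 13.3 s after the first OTP-backed success, well inside grace_period=18000) and one lint warning for the pam_ldap line; with grace_period removed from the first line, as the reporter did, the lint returns nothing.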