Package: openvpn
Version: 2.0.9-4
Severity: important

Hi,

here's a strange behaviour of openvpn-auth-pam.so in openvpn-2.0.9-4: If I run openvpn from the shell without daemonizing it, openvpn-auth-pam.so works well even with pam_access.so enabled.

My openvpn config contains:

    plugin /usr/lib/openvpn/openvpn-auth-pam.so openvpn

/etc/pam.d/openvpn is like this:

    # Standard Un*x authentication.
    @include common-auth
    account required pam_access.so
    # Standard Un*x account and session
    @include common-account
    @include common-session
    @include common-password

which enabled me to grant or deny access by /etc/security/access.conf:

    +:root vsauer:ALL
    -:ALL:ALL

As I already said, this works perfectly when openvpn is not daemonized. *If* openvpn *is* daemonized, I get:

    Dec 3 23:58:22 suez ovpn-01-default-dvs1_bridging-port_53[1421]: 130.83.208.238:32771 PLUGIN_CALL: PRE type=PLUGIN_AUTH_USER_PASS_VERIFY
    Dec 3 23:58:22 suez ovpn-01-default-dvs1_bridging-port_53[1421]: 130.83.208.238:32771 ARGV[0] = '/usr/lib/openvpn/openvpn-auth-pam.so'
    Dec 3 23:58:22 suez ovpn-01-default-dvs1_bridging-port_53[1421]: 130.83.208.238:32771 ENVP[0] = 'untrusted_port=32771'
    Dec 3 23:58:22 suez ovpn-01-default-dvs1_bridging-port_53[1421]: 130.83.208.238:32771 ENVP[1] = 'untrusted_ip=130.83.208.238'
    Dec 3 23:58:22 suez ovpn-01-default-dvs1_bridging-port_53[1421]: 130.83.208.238:32771 ENVP[2] = 'password=XXXXXXXXXXX'
    Dec 3 23:58:22 suez ovpn-01-default-dvs1_bridging-port_53[1421]: 130.83.208.238:32771 NOTE: --mute triggered...
    Dec 3 23:58:23 suez ovpn-01-default-dvs1_bridging-port_53[1421]: 130.83.208.238:32771 11 variation(s) on previous 5 message(s) suppressed by --mute
    Dec 3 23:58:23 suez ovpn-01-default-dvs1_bridging-port_53[1421]: 130.83.208.238:32771 PLUGIN_CALL: POST /usr/lib/openvpn/openvpn-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
    Dec 3 23:58:23 suez ovpn-01-default-dvs1_bridging-port_53[1421]: 130.83.208.238:32771 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/lib/openvpn/openvpn-auth-pam.so
    Dec 3 23:58:23 suez ovpn-01-default-dvs1_bridging-port_53[1421]: 130.83.208.238:32771 TLS Auth Error: Auth Username/Password verification failed for peer

Removing "account required pam_access.so" from /etc/pam.d/openvpn solves the problem, but prevents me from limiting access to certain nis-groups, which is not good.

I looked into the source code of openvpn-auth-pam.so and I see that there's a method

    static void daemonize (const char *envp[])

which seems to be called when openvpn is daemonized. But I don't understand it. Maybe someone could give me a hint what's going on here?

Regards
Volker

-- System Information:
Debian Release: lenny/sid
  APT prefers testing
  APT policy: (990, 'testing'), (990, 'stable'), (800, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.21-i686-dvs1-1-preempt (PREEMPT)
Locale: [EMAIL PROTECTED], LC_CTYPE=de_DE (charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/bash

Versions of packages openvpn depends on:
ii  debconf      1.5.16           Debian configuration management sy
ii  libc6        2.6.1-1+b1       GNU C Library: Shared libraries
ii  liblzo1      1.08-3           data compression library (old vers
ii  libssl0.9.7  0.9.7k-3.1etch1  SSL shared libraries

openvpn recommends no packages.
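How the two access.conf rules quoted in the report are evaluated, as an added example that is not part of the original report and is not pam_access's own code: a simplified Python model of first-match evaluation over the `permission:users:origins` fields. The user name `alice` and the origin strings used with it are constructed; groups, netgroups, EXCEPT, LOCAL and network origins are not modelled.

```python
# Added example: simplified model of access.conf first-match evaluation.
# Not modelled: groups, netgroups, EXCEPT, LOCAL, network/netmask origins.

ACCESS_CONF = """\
# rules quoted in the report
+:root vsauer:ALL
-:ALL:ALL
"""


def parse_rules(text):
    """Return a list of (allow, users, origins, lineno) tuples."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Split on the first two colons only: the origins field may itself
        # contain colons (for example an IPv6 address).
        fields = line.split(":", 2)
        if len(fields) != 3 or fields[0].strip() not in ("+", "-"):
            raise ValueError(f"line {lineno}: malformed rule {raw!r}")
        perm, users, origins = (f.strip() for f in fields)
        rules.append((perm == "+", users.split(), origins.split(), lineno))
    return rules


def _matches(tokens, value):
    # A field matches if any token is the wildcard ALL or equals the value.
    return any(tok == "ALL" or tok == value for tok in tokens)


def decide(rules, user, origin):
    """First rule whose user AND origin fields both match decides.

    Returns (allow, lineno), or (None, None) when no rule matched so the
    caller can apply its own fallback policy explicitly.
    """
    for allow, users, origins, lineno in rules:
        if _matches(users, user) and _matches(origins, origin):
            return allow, lineno
    return None, None


def check(user, origin, text=ACCESS_CONF):
    return decide(parse_rules(text), user, origin)
```

Because `-:ALL:ALL` is last, every user other than root and vsauer is refused from any origin, and reordering the two lines would refuse everyone.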

