Hi All,
Every time I connect with my Android smartphone to the OpenVPN server on clearos7/1 I get the following line in the secure log:
openvpn[26809]: pam_unix(openvpn:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=victor
This becomes also visible on the clearos-dashboard events and notification list as a warning and is very annoying to me.
The openvpn connection works fine.
I think that authentication through ldap goes well, but that pam_unix says authentication failure for local user "victor".
Can somebody help me to get rid of these pam_unix authentication failures?
Regards,
Victor
Responses (7)
Accepted Answer
Hi Victor,
I created a couple of tracker items on this issue:
- Authentication failure events need to be reviewed. It's not unusual to see a lot of authentication failures and that in turn could overwhelm the event system.
- OpenVPN pam_unix authentication failures
Those will get triaged like all other tracker issues.
Accepted Answer
I've posted to the bug as well, but there is this very old thread with some small edits you can make to /etc/pam.d/password-auth-ac and /etc/pam.d/system-auth-ac which massively cuts down on pam noise. Largely it appears to push ldap authentication to the top of the list so proper users get authenticated against ldap (which passes) before the other methods (which fail), and proper user authentication was the main source of noise in the pam log.
Accepted Answer
Thank you both for your answers.
Since the password-auth-ac is autogenerated, I tried to make a filter for rsyslog first,
:msg, contains, "pam_unix(openvpn:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost= user=victor" ~
The "authentication failure" message disappeared from the secure log, but was still visible in the dashboard notification view.
Maybe the filter is not correct and/or I do not understand how it works.
Then, I changed the password-auth-ac to do the "pam_ldap authentication" first.
I now no longer see/get the authentication failures in the dashboard.
This is how the password-auth-ac looks like now:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_ldap.so try_first_pass
auth sufficient pam_unix.so nullok use_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account required pam_permit.so
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_ldap.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session optional pam_mkhomedir.so umask=0077
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_ldap.so
Kind regards,
Victor
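Why moving pam_ldap.so above pam_unix.so silences the log line, worked through as an added example (not code from this thread or from ClearOS): a small simulation of the PAM auth stack with its control flags. The two stacks and the per-module outcomes are assumptions for a user that exists only in LDAP.

```python
# Added example for this thread (not ClearOS or PAM code): simulate how
# the order of the PAM 'auth' stack decides whether an LDAP-only user's
# login still reaches pam_unix.so, the module that writes the
# "authentication failure" line. Both stacks are constructed: BEFORE is
# the usual authconfig order, AFTER is the reorder from the thread.
BEFORE = """\
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so
"""
AFTER = """\
auth sufficient pam_ldap.so try_first_pass
auth sufficient pam_unix.so nullok use_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth required pam_deny.so
"""
# Assumed per-module result for a user such as "victor" who exists only
# in LDAP: pam_unix has no local password entry to check, so it fails.
OUTCOME = {"pam_ldap.so": True, "pam_unix.so": False,
           "pam_succeed_if.so": True, "pam_deny.so": False}

def parse_auth_stack(text):
    """Return [(control, module)] for the 'auth' lines of a PAM file."""
    rows = [ln.split() for ln in text.splitlines()]
    return [(r[1], r[2]) for r in rows if len(r) >= 3 and r[0] == "auth"]

def simulate(text):
    """Walk the stack with PAM's simple control flags; returns
    (authenticated, modules_run) so the caller can see what ran."""
    run, required_failed = [], False
    for control, module in parse_auth_stack(text):
        run.append(module)
        ok = OUTCOME.get(module, False)
        if control == "sufficient" and ok and not required_failed:
            return True, run  # short-circuit: later modules never run
        if control == "requisite" and not ok:
            return False, run
        if control == "required" and not ok:
            required_failed = True  # keep going, but the result is failure
    return not required_failed, run

def logs_pam_unix_failure(text):
    """True when login succeeds but pam_unix.so was still consulted."""
    authenticated, run = simulate(text)
    return authenticated and "pam_unix.so" in run
```

With the stock order the login succeeds only after pam_unix has already failed and logged; with pam_ldap first the stack short-circuits before pam_unix ever runs.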
Accepted Answer
It looks like you've taken the contents from the post I linked to as you've also changed the use_first_pass and try_first_pass parameters. I tried researching them yesterday in the pam manual but I'm still unclear which should really be used when.
Note in the linked post I also did the same change to /etc/pam.d/system-auth-ac.