Resolved
0 votes
Hi All,

Every time I connect with my Android smartphone to the OpenVPN server on clearos7/1 I get the following line in the secure log:

openvpn[26809]: pam_unix(openvpn:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=victor


This also becomes visible in the clearos-dashboard events and notification list as a warning and is very annoying to me.


The openvpn connection works fine. :D

I think that authentication through ldap goes well, but that pam_unix says authentication failure for local user "victor".

Can somebody help me to get rid of these pam_unix authentication failures?


Regards,

Victor
In VPN
Friday, October 16 2015, 05:59 PM
Responses (7)
  • Accepted Answer

    Tuesday, March 12 2019, 11:50 AM - #Permalink
    Resolved
    0 votes
    Thanks Nick.

    I looked at the earlier posts and threads and it's too technical for me. I had hoped that it should work without errors out of the box, so I suppose I have to live with it. After all, no harm.

    /Sven
  • Accepted Answer

    Tuesday, February 26 2019, 03:09 PM - #Permalink
    Resolved
    0 votes
    To stop all that rubbish logging you need to edit your /etc/pam.d/password-auth-ac.
  • Accepted Answer

    Tuesday, February 26 2019, 02:56 PM - #Permalink
    Resolved
    0 votes
    Hi,
    On a newly installed ClearOS 7.5 I get the same entries in the security log. It seems one for each access, despite it being successful.

    /Sven
  • Accepted Answer

    Sunday, October 18 2015, 01:16 PM - #Permalink
    Resolved
    0 votes
    It looks like you've taken the contents from the post I linked to as you've also changed the use_first_pass and try_first_pass parameters. I tried researching them yesterday in the pam manual but I'm still unclear which should really be used when.

    Note in the linked post I also did the same change to /etc/pam.d/system-auth-ac.
  • Accepted Answer

    Sunday, October 18 2015, 10:41 AM - #Permalink
    Resolved
    0 votes
    Thank you both for your answers.


    Since the password-auth-ac is autogenerated, I tried to make a filter for rsyslog first,

    :msg, contains, "pam_unix(openvpn:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=victor" ~


    The "authentication failure" message disappeared from the secure log, but was still visible in the dashboard notification view.

    Maybe the filter is not correct and/or I do not understand how it works.



    Then, I changed the password-auth-ac to do the "pam_ldap authentication" first.

    I now no longer see/get the authentication failures in the dashboard.

    This is how the password-auth-ac looks like now:

    #%PAM-1.0
    # This file is auto-generated.
    # User changes will be destroyed the next time authconfig is run.
    auth required pam_env.so
    auth sufficient pam_ldap.so try_first_pass
    auth sufficient pam_unix.so nullok use_first_pass
    auth requisite pam_succeed_if.so uid >= 1000 quiet_success
    auth required pam_deny.so

    account required pam_unix.so broken_shadow
    account sufficient pam_localuser.so
    account sufficient pam_succeed_if.so uid < 1000 quiet
    account [default=bad success=ok user_unknown=ignore] pam_ldap.so
    account required pam_permit.so

    password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
    password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
    password sufficient pam_ldap.so use_authtok
    password required pam_deny.so

    session optional pam_keyinit.so revoke
    session required pam_limits.so
    -session optional pam_systemd.so
    session optional pam_mkhomedir.so umask=0077
    session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
    session required pam_unix.so
    session optional pam_ldap.so



    Kind regards,

    Victor
  • Accepted Answer

    Saturday, October 17 2015, 07:50 AM - #Permalink
    Resolved
    0 votes
    I've posted to the bug as well, but there is this very old thread with some small edits you can make to /etc/pam.d/password-auth-ac and /etc/pam.d/system-auth-ac which massively cuts down on pam noise. Largely it appears to push ldap authentication to the top of the list so proper users get authenticated against ldap (which passes) before the other methods (which fail) and proper user authentication was the main source of noise in the pam log.
  • Accepted Answer

    Saturday, October 17 2015, 02:38 AM - #Permalink
    Resolved
    0 votes
    Hi Victor,

    I created a couple of tracker items on this issue:

    - Authentication failure events need to be reviewed. It's not unusual to see a lot of authentication failures and that in turn could overwhelm the event system.

    - OpenVPN pam_unix authentication failures

    Those will get triaged like all other tracker issues.
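Added example (not from any poster in this thread, and not ClearOS code): a small simulator of the PAM auth stack showing why an LDAP-only user triggers a pam_unix failure when pam_unix runs first, and that moving pam_ldap up removes that noise while a genuinely wrong password still fails in pam_unix. The `UNIX_FIRST` stack and the per-module outcomes are constructed assumptions; `LDAP_FIRST` is the auth section posted above.

```python
import re

# Constructed "before" ordering (assumption): pam_unix is tried ahead of pam_ldap.
UNIX_FIRST = """\
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so
"""
# "After" ordering: the auth lines of the password-auth-ac posted in the thread.
LDAP_FIRST = """\
auth required pam_env.so
auth sufficient pam_ldap.so try_first_pass
auth sufficient pam_unix.so nullok use_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth required pam_deny.so
"""
# Constructed per-module results for two logins (True = module returns success).
LDAP_ONLY = {"pam_env.so": True, "pam_unix.so": False, "pam_ldap.so": True,
             "pam_succeed_if.so": True, "pam_deny.so": False}
BAD_PASSWORD = dict(LDAP_ONLY, **{"pam_ldap.so": False})

def parse_auth(text):
    """Return [(control, module)] for the auth lines of a pam.d file."""
    rows = []
    for line in text.splitlines():
        m = re.match(r"\s*-?auth\s+(\S+)\s+(\S+)", line)
        if m:
            rows.append((m.group(1), m.group(2)))
    return rows

def simulate(stack, outcome):
    """Walk the stack using required/requisite/sufficient semantics.
    Returns (authenticated, modules that ran and failed); each failing
    module is one that may write an 'authentication failure' log line."""
    failed, required_failed = [], False
    for control, module in stack:
        ok = outcome[module]
        if not ok:
            failed.append(module)
        if control == "requisite" and not ok:
            return False, failed          # requisite failure aborts at once
        if control == "required" and not ok:
            required_failed = True        # remembered, stack keeps running
        if control == "sufficient" and ok and not required_failed:
            return True, failed           # success ends the stack here
    return not required_failed, failed

if __name__ == "__main__":
    for name, text in (("unix first", UNIX_FIRST), ("ldap first", LDAP_FIRST)):
        print(name, simulate(parse_auth(text), LDAP_ONLY))
    print("bad password", simulate(parse_auth(LDAP_FIRST), BAD_PASSWORD))
```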