
Users can connect only once, if they reconnect they see "Authentication failure". #262

Open
kaskados1 opened this issue Dec 19, 2024 · 3 comments
@kaskados1

System information

Operating system (e.g. Ubuntu 22.04): Ubuntu 24.04.1 LTS
Do you use selinux? (check with e.g. sestatus): No

Steps to reproduce

  1. Connect to 2FA VPN (LDAP + Google Auth) openvpn server first time - success.
  2. Reconnect again - Authentication failure

What I expected would happen

Users should successfully connect to the OpenVPN server every time, not only the first time.

What actually happened

Authentication failure the second time the user connects. BUT if I remove the "grace_period=18000" option from my PAM config, everything works like a charm. Users successfully connect and reconnect as many times as they need.

PAM config

auth    required   pam_google_authenticator.so secret=/etc/openvpn/otp/${USER}.google_authenticator debug user=root grace_period=18000 forward_pass
auth    required   pam_ldap.so use_first_pass
account sufficient pam_permit.so


If not SSH: That program's config, and logs

I've got a configured OpenVPN server. Should I attach tons of its logs here?

Contents of /var/log/auth.log or equivalent

# AVUser connects for the first time
2024-12-19T17:32:27.925822+03:00 srv-dcb-ovpn2fa openvpn(pam_google_authenticator)[944]: debug: start of google_authenticator for "AVUser"
2024-12-19T17:32:27.926606+03:00 srv-dcb-ovpn2fa openvpn(pam_google_authenticator)[944]: debug: Secret file permissions are 0400. Allowed permissions are 0600
2024-12-19T17:32:27.926834+03:00 srv-dcb-ovpn2fa openvpn(pam_google_authenticator)[944]: debug: "/etc/openvpn/otp/AVUser.google_authenticator" read
2024-12-19T17:32:27.927270+03:00 srv-dcb-ovpn2fa openvpn(pam_google_authenticator)[944]: debug: shared secret in "/etc/openvpn/otp/AVUser.google_authenticator" processed
2024-12-19T17:32:27.927332+03:00 srv-dcb-ovpn2fa openvpn(pam_google_authenticator)[944]: debug: google_authenticator for host "192.168.136.226"
2024-12-19T17:32:27.927372+03:00 srv-dcb-ovpn2fa openvpn(pam_google_authenticator)[944]: debug: no scratch code used from "/etc/openvpn/otp/AVUser.google_authenticator"
2024-12-19T17:32:27.927428+03:00 srv-dcb-ovpn2fa openvpn(pam_google_authenticator)[944]: Accepted google_authenticator for AVUser
2024-12-19T17:32:27.927473+03:00 srv-dcb-ovpn2fa openvpn(pam_google_authenticator)[944]: debug: google_authenticator for host "192.168.136.226"
2024-12-19T17:32:27.927513+03:00 srv-dcb-ovpn2fa openvpn(pam_google_authenticator)[944]: debug: "/etc/openvpn/otp/AVUser.google_authenticator" written
2024-12-19T17:32:27.927551+03:00 srv-dcb-ovpn2fa openvpn(pam_google_authenticator)[944]: debug: end of google_authenticator for "AVUser". Result: Success

# Reconnects
2024-12-19T17:32:41.231236+03:00 srv-dcb-ovpn2fa openvpn(pam_google_authenticator)[944]: debug: start of google_authenticator for "AVUser"
2024-12-19T17:32:41.231427+03:00 srv-dcb-ovpn2fa openvpn(pam_google_authenticator)[944]: debug: Secret file permissions are 0400. Allowed permissions are 0600
2024-12-19T17:32:41.231501+03:00 srv-dcb-ovpn2fa openvpn(pam_google_authenticator)[944]: debug: "/etc/openvpn/otp/AVUser.google_authenticator" read
2024-12-19T17:32:41.231565+03:00 srv-dcb-ovpn2fa openvpn(pam_google_authenticator)[944]: debug: shared secret in "/etc/openvpn/otp/AVUser.google_authenticator" processed
2024-12-19T17:32:41.232199+03:00 srv-dcb-ovpn2fa openvpn(pam_google_authenticator)[944]: debug: google_authenticator for host "192.168.136.226"
2024-12-19T17:32:41.232371+03:00 srv-dcb-ovpn2fa openvpn(pam_google_authenticator)[944]: within grace period: "AVUser"
2024-12-19T17:32:41.232524+03:00 srv-dcb-ovpn2fa openvpn(pam_google_authenticator)[944]: debug: end of google_authenticator for "AVUser". Result: Success
2024-12-19T17:32:41.233281+03:00 srv-dcb-ovpn2fa openvpn[944]: pam_ldap(openvpn:auth): failed to get password: Authentication failure

# Auth fails

@ThomasHabets (Collaborator)

Ah, interesting. Because the user is in grace period, GA doesn't ask for a password. But because there's a following PAM module (pam_ldap), someone needs to ask for that password.

But pam_ldap doesn't ask for a password, because it has use_first_pass. So there's no password for it to check, and it fails.

It sounds like the right fix is for GA PAM module to ask for a password if forward_pass is provided, even if within grace period.

Could you try the ask-anyway branch, which I just submitted 061f4d2 to?

ThomasHabets self-assigned this Dec 19, 2024
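To make the module interaction described in the comment above concrete, here is an added Python model of the two-module auth stack from the issue. It is not the project's code and uses no real libpam: the numeric return codes, the "last 6 digits are the OTP" split for forward_pass, the per-host grace timestamp standing in for what the module writes back to the secret file, the behaviour of the ask-anyway fix (prompt during grace and forward the whole typed string as the password), and the sample credentials are all assumptions for illustration. It reproduces the reported sequence (first connect succeeds, reconnect within the grace period fails in pam_ldap because PAM_AUTHTOK was never set) and shows both workarounds mentioned in the thread.

```python
"""Model of the PAM auth stack from this issue (added illustration, not the
project's code).  pam_google_authenticator with forward_pass prompts once for
"<password><otp>", strips the code and stores the password as PAM_AUTHTOK;
pam_ldap with use_first_pass only reads PAM_AUTHTOK and never prompts.  Within
a grace period the GA module skips its prompt, so PAM_AUTHTOK stays unset.
"""

PAM_SUCCESS, PAM_AUTH_ERR = 0, 7   # libpam return codes (assumed values)

# Constructed sample credentials; VALID_OTP stands in for real TOTP checking.
LDAP_PASSWORDS = {"AVUser": "s3cret"}
VALID_OTP = {"AVUser": "123456"}


class PamHandle:
    """The parts of pam_handle_t this model needs: items plus the conv() callback."""
    def __init__(self, user, rhost, conv):
        self.items = {"PAM_USER": user, "PAM_RHOST": rhost, "PAM_AUTHTOK": None}
        self.conv = conv   # conversation: prompt string -> what the user typed


class GoogleAuthenticator:
    """Minimal model of the pam_google_authenticator.so options used in the issue."""
    def __init__(self, grace_period=0, forward_pass=True, ask_anyway=False):
        self.grace_period = grace_period
        self.forward_pass = forward_pass
        self.ask_anyway = ask_anyway   # proposed fix: still prompt while in grace
        self.last_seen = {}            # (user, rhost) -> time of last successful OTP,
                                       # i.e. what the module "writes" to the secret file

    def authenticate(self, pamh, now):
        user, rhost = pamh.items["PAM_USER"], pamh.items["PAM_RHOST"]
        key = (user, rhost)
        in_grace = key in self.last_seen and now - self.last_seen[key] < self.grace_period
        if in_grace and not (self.forward_pass and self.ask_anyway):
            # "within grace period": return success without any prompt,
            # so nothing ever sets PAM_AUTHTOK for the next module.
            return PAM_SUCCESS
        prompt = "Password & verification code: " if self.forward_pass else "Verification code: "
        typed = pamh.conv(prompt)
        if in_grace:
            # ask-anyway model (assumption): no OTP to check, just forward the password.
            pamh.items["PAM_AUTHTOK"] = typed
            return PAM_SUCCESS
        if self.forward_pass:
            password, code = typed[:-6], typed[-6:]   # last 6 digits are the OTP
            pamh.items["PAM_AUTHTOK"] = password
        else:
            code = typed
        if code != VALID_OTP.get(user):
            return PAM_AUTH_ERR
        self.last_seen[key] = now
        return PAM_SUCCESS


class PamLdap:
    """Model of pam_ldap.so: with use_first_pass it never prompts itself."""
    def __init__(self, use_first_pass=True):
        self.use_first_pass = use_first_pass

    def authenticate(self, pamh):
        password = pamh.items["PAM_AUTHTOK"]
        if password is None:
            if self.use_first_pass:
                # This is the "failed to get password: Authentication failure" case.
                return PAM_AUTH_ERR
            password = pamh.conv("LDAP Password: ")
        return PAM_SUCCESS if LDAP_PASSWORDS.get(pamh.items["PAM_USER"]) == password else PAM_AUTH_ERR


def run_auth_stack(ga, ldap, user, rhost, typed, now):
    """Both modules are 'auth required': the stack succeeds only if both do."""
    pamh = PamHandle(user, rhost, conv=lambda prompt: typed)
    return ga.authenticate(pamh, now) == PAM_SUCCESS and ldap.authenticate(pamh) == PAM_SUCCESS


def reproduce_issue():
    """grace_period + forward_pass + use_first_pass: first login ok, reconnect fails."""
    ga, ldap = GoogleAuthenticator(grace_period=18000), PamLdap(use_first_pass=True)
    first = run_auth_stack(ga, ldap, "AVUser", "192.168.136.226", "s3cret123456", now=1000)
    second = run_auth_stack(ga, ldap, "AVUser", "192.168.136.226", "s3cret123456", now=1014)
    return first, second


def with_ask_anyway():
    """Proposed fix: GA prompts during grace, so pam_ldap still gets a password."""
    ga, ldap = GoogleAuthenticator(grace_period=18000, ask_anyway=True), PamLdap(use_first_pass=True)
    first = run_auth_stack(ga, ldap, "AVUser", "192.168.136.226", "s3cret123456", now=1000)
    second = run_auth_stack(ga, ldap, "AVUser", "192.168.136.226", "s3cret", now=1014)
    return first, second


def without_grace_period():
    """The reporter's workaround: no grace period, so GA always prompts."""
    ga, ldap = GoogleAuthenticator(grace_period=0), PamLdap(use_first_pass=True)
    first = run_auth_stack(ga, ldap, "AVUser", "192.168.136.226", "s3cret123456", now=1000)
    second = run_auth_stack(ga, ldap, "AVUser", "192.168.136.226", "s3cret123456", now=1014)
    return first, second


if __name__ == "__main__":
    print("issue:", reproduce_issue(), "ask-anyway:", with_ask_anyway(), "no grace:", without_grace_period())
```

The model makes the dependency explicit: use_first_pass is only safe when every path through the preceding module guarantees PAM_AUTHTOK is set, and the grace-period early return is exactly the path that breaks that guarantee.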
@kaskados1 (Author)

Excuse me for asking, but I'm pretty much a rookie here. What does "try the ask-anyway branch" mean? :)

@ThomasHabets (Collaborator)

You can check out a branch of the code with an experimental fix for what you need:

git clone https://github.com/google/google-authenticator-libpam
cd google-authenticator-libpam
git switch ask-anyway

Then compile as normal:

./bootstrap.sh
./configure
make

And maybe make install, if you want it installed in the default location. Note that if you didn't build the current version yourself, then you may have two versions installed. Which is fine, it's just that your PAM config may now need to give the full path to the new version.
