Failed to read .google_authenticator for user, but permissions seem correct

[harald25]

Hi.
I'm trying to set up MFA with google authenticator for OpenVPN on a newly installed Oracle Linux 8 server. This setup is exactly the same as for 4 other servers I've set up earlier with CentOS 8. Meaning that four more or less identical setups with, as far as I can tell, identical permissions on Centos8 is working without problems.

When I try to log in, I get this in the journald log. Same problem for all users I've tried.

openvpn(pam_google_authenticator)[78599]: Failed to read "/home/harald25/.google_authenticator" for "harald25"
openvpn[78597]: AUTH-PAM: BACKGROUND: my_conv[0] query='Password & verification code: ' style=1
openvpn(pam_google_authenticator)[78599]: No secret configured for user harald25, asking for code anyway.
openvpn(pam_google_authenticator)[78599]: Invalid verification code for harald25
openvpn(pam_google_authenticator)[78599]: debug: end of google_authenticator for "harald25". Result: Authentication failure

'ls -la /home/harald25/.google_authenticator' give me:

-r-------- 1 harald25 1063000000 215 Mar 31 09:24 /home/harald25/.google_authenticator

'ls -l /home' gives:

drwx------. 2 harald25 harald25 72 Mar 31 11:00 harald25

SELinux is disabled. The home directory is not encrypted. Changing permissions on home folder and secret file to 777 gives the exact same error. Not even a mention about permissions being too permissive.

Version:
dnf list installed | grep google
google-authenticator.x86_64 1.07-1.el8 @ol8_developer_EPEL

I'm using the OpenVPN pam plugin (from /etc/openvpn/server/mfa_udp.conf):

plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn

The OpenVPN PAM config file looks like this:

auth required pam_google_authenticator.so debug forward_pass
auth required pam_sss.so use_first_pass
password required pam_sss.so
account required pam_sss.so

Changing it to this works:

auth required pam_sss.so
password required pam_sss.so
account required pam_sss.so

So I know that the authentication with FreeIPA via SSS is working correctly.

I'm not sure where to proceed from here. Any tips will be greatly appreciated!

[ThomasHabets]

Did you try the secret= option to the secrets somewhere outside of /home, just in case there's some security thing preventing /home files?

[harald25]

Did you try the secret= option to the secrets somewhere outside of /home, just in case there's some security thing preventing /home files?

I did. I can see that the new path was picked up, because it changes in the log, but still the same access problem.

But, I just found out that starting OpenVPN "manually" from the command line as root fixes the problem. Letting systemctl start openvpn as a service results in this problem. I also discovered this in /var/log/audit/audit.log when I try logging in and it fails:

type=USER_AUTH msg=audit(1648722591.384:104370): pid=83667 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=? acct="harald25" exe="/usr/sbin/openvpn" hostname=? addr=? terminal=? res=failed'UID="root" AUID="unset"

Which changes to this when I run as root and logging in works:

type=USER_AUTH msg=audit(1648722789.804:104388): pid=83789 uid=0 auid=0 ses=3440 msg='op=PAM:authentication grantors=pam_google_authenticator,pam_sss acct="harald25" exe="/usr/sbin/openvpn" hostname=fqdn.somedomain.com addr=? terminal=pts/2 res=success'^]UID="root" AUID="root"

So I guess this is not a problem with google-authenticator-libpam, and rather something to do with how OpenVPN is set up.

[ThomasHabets]

Yeah, sounds like it.

You could have whatever the non-root user is own all the secret files. Could work.

[harald25]

Did you try the secret= option to the secrets somewhere outside of /home, just in case there's some security thing preventing /home files?

I did try this, and concluded it also didn't work. But I did sloppy work it seems.
I've created a new folder under root (/googlemfa) and placed user directories with secret files there, and google_authenticator_libpam is able to read them now. I'd still like to understand why I'm getting permission problems in the home folder.

[brandonk10]

This is probably caused by your OpenVPN systemd unit having a protecthome option set. This is very difficult to debug.

[il-mix]

This is probably caused by your OpenVPN systemd unit having a protecthome option set. This is very difficult to debug.

Just to say that I had the exact same problem after upgrading OpenVPN on an Ubuntu Server, and your hint helped me fixing the issue.
My systemd unit (/lib/systemd/system/openvpn-server@.service in my case) was upgraded with the option
ProtectHome=true
I've edited it to
ProtectHome=false
then reloaded demon
systemctl daemon-reload
and restarted OpenVPN
systemctl restart openvpn-server@server.service
Now the problem is gone.