Re: [eurephia-users] Could not register sessionkey
Brought to you by:
dazo
Menu
▾
▴
Re: [eurephia-users] Could not register sessionkey
|
From: David S. <da...@us...> - 2013-01-14 16:26:53
|
On 13/01/13 17:16, ap...@gm... wrote:
> Hi
>
> Thanks it works now I use user nobody and group nobody. I did
>
> chown nobody:nobody /var/lib/eurephia
> chmod 775 /var/lib/eurephia
> chown nobody:nobody /var/chroot/openvpn/var/lib/eurephia
> chmod 775 /var/chroot/openvpn/var/lib/eurephia
>
> I also created
> mkdir -p /var/chroot/openvpn/tmp
> chmod 775 /var/chroot/openvpn/tmp
>
> And now windows clients with Openvpn windows GUI can connect and it works
> great for them, I yust add
> auth-user-pass in users config.
Great to hear! Your modificatoins makes sense too, so this looks correct.
> But I have faced another problem. Linux VPN server which is configured as
> client can't autenticate with Openvpn Server becouse Eurephia is enabled.
> I have to disable Eurephia temporarily to make things working again.
>
> How to provide username and password to Eurephia for the VPN server which
> connects automaticly at boot?
> Can I put them (pass/username) into the client.config ?
Yes, this is possible, just a little bit different from what you are guessing. If you check the man page for openvpn ('man openvpn' on the command line) and search for '--auth-user-pass' (type '/--auth-user-pass' without quotes, use the [n] key to go to next) ... then you'll find this paragraph:
--------------------------------------------------------------------------
--auth-user-pass [up]
Authenticate with server using username/password. up is a file
containing username/password on 2 lines (Note: OpenVPN will only
read passwords from a file if it has been built with the
--enable-password-save configure option, or on Windows by defin-
ing ENABLE_PASSWORD_SAVE in win/settings.in).
If up is omitted, username/password will be prompted from the
console.
--------------------------------------------------------------------------
So that's all which is needed in your client configuration.
--
kind regards,
David Sommerseth
> -----Izvorno sporočilo-----
> From: David Sommerseth
> Sent: Wednesday, January 09, 2013 8:19 PM
> To: ap...@gm...
> Cc: eur...@li...
> Subject: Re: Could not register sessionkey
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 09/01/13 15:32, ap...@gm... wrote:
>> Hi
>>
>> My problem is how to set proper permision ant to which user ? Shall
>> I use user openvpn ? and set perimisions to openvpn to write in
>> chroted directory ?
>>
>> Openvpn is chrooted in /var/chroot/openvpn
>
> Okay, so now you switched to chroot? You said in your earlier mail
> that you didn't use chroot. So please make up your mind here.
>
>> Eupheria database is located in cd /var/lib/eurephia/
>
> *IF* you are also using chroot, you need to have this directory as well:
>
> /var/chroot/openvpn/var/lib/eurephia
>
> Then ensure that this directory *and* /var/lib/eurephia is owned by
> the user OpenVPN is running as. If you are using 'user openvpn' or
> 'group openvpn' in your configuration file, or see that these have
> been added to the command line (ps faxuww) ... then this command line
> will do the magic:
>
> # chown openvpn:openvpn /var/lib/eurephia
> # chmod 775 /var/lib/eurephia
> # chown openvpn:openvpn /var/chroot/openvpn/var/lib/eurephia
> # chmod 775 /var/chroot/openvpn/var/lib/eurephia
>
> The first two lines gives the openvpn user and group read/write access
> to /var/lib/eurephia. The next two lines does the same, but to the
> chrooted directory.
>
>> Here is log from openvpn.log
>>
>> 2013-01-09 14:58:30 CET] -- INFO -- [1] Found certid 1 for
>> user: nnnnnn/nnnnnn_CA/info@nnnnnn.nn Wed Jan 9 13:58:30 2013
>> xxx.xxx.xxx.x:xxxxx PLUGIN_CALL: POST
>> /usr/lib64/openvpn/eurephia-auth.so/PLUGIN_TLS_VERIFY status=0 Wed
>> Jan 9 13:58:30 2013 xxx.xx.xxx.xx:xxxxx VERIFY PLUGIN OK:
>> depth=1,
>> /C=xx/L=xxxxxxxxx/O=xxxxxx/CN=xxxxxx_CA/xxxxxxxxxxxx=xxxx@xxxxxx.xx
>>
>>
> Wed Jan 9 13:58:30 2013 xxx.xx.xxx.xx:xxxxx CRL CHECK OK:
>> /C=SI/L=xxxxxxxxx/O=xxxxxx/CN=xxxxxx_CA/emailAddress=xxxx@xxxxxx.xx
>>
>>
> Wed Jan 9 13:58:30 2013 xxx.xx.xxx.xx:xxxxx VERIFY OK: depth=1,
>> /C=xx/L=xxxxxxxxx/O=xxxxxx/CN=xxxxxx_CA/emailAddress=xxxx@xxxxxx.xx
>>
>>
> [2013-01-09 13:58:30 UTC] -- INFO -- [0] Found certid 2 for user:
>> xxxxxx/xxxxxx1/xxxx@xxxxxx.xx Wed Jan 9 13:58:30 2013
>> xxx.xx.xxx.xx:xxxxx PLUGIN_CALL: POST
>> /usr/lib64/openvpn/eurephia-auth.so/PLUGIN_TLS_VERIFY status=0 Wed
>> Jan 9 13:58:30 2013 xxx.xx.xxx.xx:xxxxx VERIFY PLUGIN OK:
>> depth=0,
>> /C=xx/L=xxxxxxxxx/O=xxxxxx/CN=xxxxxx1/emailAddress=xxxx@xxxxxx.xx
>> VERIFY OK: depth=0,
>> /C=XX/L=XXXXX/O=YYY/CN=yyyyy/emailAddress=ab@yyyy.yy
>
> All these lines looks very good and promising!
>
>> Wed Jan 9 13:58:30 2013 xxx.xx.xxx.xx:xxxxx Could not create
>> temporary file
>> '/tmp/openvpn_acf_3xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.tmp':
>> Permission denied
>
> You probably need to create /var/chroot/openvpn/tmp ... and make sure
> openvpn have full read/write access to that new tmp directory as well.
> I presume here that you *do* use chroot.
>
>
> kind regards,
>
> David Sommerseth
>
>
>
>> -----Izvorno sporočilo----- From: David Sommerseth Sent: Wednesday,
>> January 09, 2013 1:08 PM To: ap...@gm... Cc:
>> eur...@li... Subject: Re: Could not
>> register sessionkey
>>
>> On 05/01/13 17:00, ap...@gm... wrote:
>>> Hi
>>
>>> I am not using chroot.
>>
>>> Regarding the problem about write permision I don't know to
>>> which user set write permision to. OpenVPN drops root privileges
>>> after initialization with command user nobody. I have database
>>> in /var/lib/eurephia.
>>
>>> Can you plese advise how to go further and correctly set write
>>> permisions
>>
>> Please ensure that the /var/lib/eurephia directory is writeable
>> for the user OpenVPN is running as. The database file must also
>> be writeable for the OpenVPN user as well. So make sure that the
>> ownership of both the directory and the database file are set
>> accordingly.
>>
>> Also be sure that you have copied the eurephiadb-template to
>> eurephiadb and have run the eurehpia_init program against this
>> database. If you are able to use eurephiadm successfully, that's
>> a good start. F.ex. if you can run this command:
>>
>> $ eurephiadm users -l
>>
>> If you cannot do that, then you need to initialise your
>> installation using the eurephia_init program. This should all be
>> pretty well explained in the documentation.
>>
>>
>> kind regards,
>>
>> David Sommerseth
>>
>>
>>> -----Izvorno sporočilo----- From: David Sommerseth Sent:
>>> Wednesday, January 02, 2013 11:24 AM To: ap...@gm... Cc:
>>> eur...@li... Subject: Re:
>>> [eurephia-users] Please help, error: Could not register
>>> sessionkey
>>
>>> On 30/12/12 19:26, ap...@gm... wrote:
>>>> Hi
>>
>>>> I have instaled eurephia and have a problem with registering
>>>> user.
>>
>>>> Openvpn is working and users can connect if I disable plugin
>>>> in openvpn.config.
>>
>>>> With plugin enabled I get an error in openvpn log:
>>
>>>> [2012-12-30 18:24:30 CET] ** - FATAL - ** [0]
>>>> eDBregister_sessionkey: Error registering sessionkey into
>>>> openvpn_sessionkeys ** - FATAL - ** [0] Could not register
>>>> sessionkey [2012-12-30 18:24:30 CET] ** ERROR ** [0]
>>>> Could not update last access status for uid 2 [2012-12-30
>>>> 18:24:30 CET] ** WARNING ** [0] Failed to cache password for
>>>> user 'user' [2012-12-30 18:24:30 CET] -- INFO -- [0] User
>>>> 'user' authenticated
>>
>>>> I could not find anything on internet what could help to solve
>>>> the error.
>>
>>
>>> Hi Toni,
>>
>>> Please read the following section carefully, especially the
>>> yellow/orange block.
>>
>>> <http://www.eurephia.net/documentation/eurephia/1.1/html/Administrators_Tutorial_and_Manual/chap-Administrators_Manual-ConfigOVPN_Chapter.html#id810951>
>>
>>>
>>
>>
>>
>>
>>> I don't know if you use chroot or not. But it might be that
>>> even though you don't use chroot, that openvpn/eurephia doesn't
>>> have the proper access to create the .jnl file as well. So
>>> please ensure openvpn/eurephia is allowed to create temporary
>>> files the directory where the database file resides.
>>
>>> Please keep us updated if this helped, and I'll make sure to
>>> update the documentation as well.
>>
>>
>>> kind regards,
>>
>>> David Sommerseth
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.11 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>
> iEYEARECAAYFAlDtwtUACgkQDC186MBRfrpOiQCeLtArPjkSW9MhrrMus2rrAJIH
> 15gAnisHEwgvtvo7P89LxFOTaUUad7fE
> =Jo6/
> -----END PGP SIGNATURE-----
>
>
> ------------------------------------------------------------------------------
> Master Visual Studio, SharePoint, SQL, ASP.NET, C# 2012, HTML5, CSS,
> MVC, Windows 8 Apps, JavaScript and much more. Keep your skills current
> with LearnDevNow - 3,200 step-by-step video tutorials by Microsoft
> MVPs and experts. ON SALE this month only -- learn more at:
> http://p.sf.net/sfu/learnmore_123012
> _______________________________________________
> eurephia-users mailing list - http://www.eurephia.net/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 262 bytes
Desc: OpenPGP digital signature
|