Re: [eurephia-users] Could not register sessionkey
From: David S. <da...@us...> - 2013-01-14 16:26:53
On 13/01/13 17:16, ap...@gm... wrote:
> Hi
>
> Thanks it works now I use user nobody and group nobody. I did
>
> chown nobody:nobody /var/lib/eurephia
> chmod 775 /var/lib/eurephia
> chown nobody:nobody /var/chroot/openvpn/var/lib/eurephia
> chmod 775 /var/chroot/openvpn/var/lib/eurephia
>
> I also created
> mkdir -p /var/chroot/openvpn/tmp
> chmod 775 /var/chroot/openvpn/tmp
>
> And now windows clients with Openvpn windows GUI can connect and it works
> great for them, I just add
> auth-user-pass in users config.

Great to hear! Your modifications make sense too, so this looks correct.

> But I have faced another problem. Linux VPN server which is configured as
> client can't authenticate with Openvpn Server because Eurephia is enabled.
> I have to disable Eurephia temporarily to make things working again.
>
> How to provide username and password to Eurephia for the VPN server which
> connects automatically at boot?
> Can I put them (pass/username) into the client.config ?

Yes, this is possible, just a little bit different from what you are
guessing. If you check the man page for openvpn ('man openvpn' on the
command line) and search for '--auth-user-pass' (type '/--auth-user-pass'
without quotes, use the [n] key to go to next) ... then you'll find this
paragraph:

--------------------------------------------------------------------------
   --auth-user-pass [up]
          Authenticate with server using username/password. up is a file
          containing username/password on 2 lines (Note: OpenVPN will only
          read passwords from a file if it has been built with the
          --enable-password-save configure option, or on Windows by
          defining ENABLE_PASSWORD_SAVE in win/settings.in).

          If up is omitted, username/password will be prompted from the
          console.
--------------------------------------------------------------------------

So that's all which is needed in your client configuration.
--
kind regards,

David Sommerseth

> -----Original Message-----
> From: David Sommerseth
> Sent: Wednesday, January 09, 2013 8:19 PM
> To: ap...@gm...
> Cc: eur...@li...
> Subject: Re: Could not register sessionkey
>
> On 09/01/13 15:32, ap...@gm... wrote:
>> Hi
>>
>> My problem is how to set proper permission and to which user ? Shall
>> I use user openvpn ? and set permissions to openvpn to write in
>> chrooted directory ?
>>
>> Openvpn is chrooted in /var/chroot/openvpn
>
> Okay, so now you switched to chroot? You said in your earlier mail
> that you didn't use chroot. So please make up your mind here.
>
>> Eurephia database is located in cd /var/lib/eurephia/
>
> *IF* you are also using chroot, you need to have this directory as well:
>
> /var/chroot/openvpn/var/lib/eurephia
>
> Then ensure that this directory *and* /var/lib/eurephia is owned by
> the user OpenVPN is running as. If you are using 'user openvpn' or
> 'group openvpn' in your configuration file, or see that these have
> been added to the command line (ps faxuww) ... then this command line
> will do the magic:
>
> # chown openvpn:openvpn /var/lib/eurephia
> # chmod 775 /var/lib/eurephia
> # chown openvpn:openvpn /var/chroot/openvpn/var/lib/eurephia
> # chmod 775 /var/chroot/openvpn/var/lib/eurephia
>
> The first two lines give the openvpn user and group read/write access
> to /var/lib/eurephia. The next two lines do the same, but to the
> chrooted directory.
>
>> Here is log from openvpn.log
>>
>> 2013-01-09 14:58:30 CET] -- INFO -- [1] Found certid 1 for user: nnnnnn/nnnnnn_CA/info@nnnnnn.nn
>> Wed Jan 9 13:58:30 2013 xxx.xxx.xxx.x:xxxxx PLUGIN_CALL: POST /usr/lib64/openvpn/eurephia-auth.so/PLUGIN_TLS_VERIFY status=0
>> Wed Jan 9 13:58:30 2013 xxx.xx.xxx.xx:xxxxx VERIFY PLUGIN OK: depth=1, /C=xx/L=xxxxxxxxx/O=xxxxxx/CN=xxxxxx_CA/xxxxxxxxxxxx=xxxx@xxxxxx.xx
>> Wed Jan 9 13:58:30 2013 xxx.xx.xxx.xx:xxxxx CRL CHECK OK: /C=SI/L=xxxxxxxxx/O=xxxxxx/CN=xxxxxx_CA/emailAddress=xxxx@xxxxxx.xx
>> Wed Jan 9 13:58:30 2013 xxx.xx.xxx.xx:xxxxx VERIFY OK: depth=1, /C=xx/L=xxxxxxxxx/O=xxxxxx/CN=xxxxxx_CA/emailAddress=xxxx@xxxxxx.xx
>> [2013-01-09 13:58:30 UTC] -- INFO -- [0] Found certid 2 for user: xxxxxx/xxxxxx1/xxxx@xxxxxx.xx
>> Wed Jan 9 13:58:30 2013 xxx.xx.xxx.xx:xxxxx PLUGIN_CALL: POST /usr/lib64/openvpn/eurephia-auth.so/PLUGIN_TLS_VERIFY status=0
>> Wed Jan 9 13:58:30 2013 xxx.xx.xxx.xx:xxxxx VERIFY PLUGIN OK: depth=0, /C=xx/L=xxxxxxxxx/O=xxxxxx/CN=xxxxxx1/emailAddress=xxxx@xxxxxx.xx
>> VERIFY OK: depth=0, /C=XX/L=XXXXX/O=YYY/CN=yyyyy/emailAddress=ab@yyyy.yy
>
> All these lines look very good and promising!
>
>> Wed Jan 9 13:58:30 2013 xxx.xx.xxx.xx:xxxxx Could not create temporary file '/tmp/openvpn_acf_3xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.tmp': Permission denied
>
> You probably need to create /var/chroot/openvpn/tmp ... and make sure
> openvpn has full read/write access to that new tmp directory as well.
> I presume here that you *do* use chroot.
>
>
> kind regards,
>
> David Sommerseth
>
>
>> -----Original Message-----
>> From: David Sommerseth
>> Sent: Wednesday, January 09, 2013 1:08 PM
>> To: ap...@gm...
>> Cc: eur...@li...
>> Subject: Re: Could not register sessionkey
>>
>> On 05/01/13 17:00, ap...@gm... wrote:
>>> Hi
>>>
>>> I am not using chroot.
>>>
>>> Regarding the problem about write permission I don't know to
>>> which user set write permission to. OpenVPN drops root privileges
>>> after initialization with command user nobody. I have database
>>> in /var/lib/eurephia.
>>>
>>> Can you please advise how to go further and correctly set write
>>> permissions
>>
>> Please ensure that the /var/lib/eurephia directory is writeable
>> for the user OpenVPN is running as. The database file must also
>> be writeable for the OpenVPN user as well. So make sure that the
>> ownership of both the directory and the database file are set
>> accordingly.
>>
>> Also be sure that you have copied the eurephiadb-template to
>> eurephiadb and have run the eurephia_init program against this
>> database. If you are able to use eurephiadm successfully, that's
>> a good start. F.ex. if you can run this command:
>>
>> $ eurephiadm users -l
>>
>> If you cannot do that, then you need to initialise your
>> installation using the eurephia_init program. This should all be
>> pretty well explained in the documentation.
>>
>>
>> kind regards,
>>
>> David Sommerseth
>>
>>
>>> -----Original Message-----
>>> From: David Sommerseth
>>> Sent: Wednesday, January 02, 2013 11:24 AM
>>> To: ap...@gm...
>>> Cc: eur...@li...
>>> Subject: Re: [eurephia-users] Please help, error: Could not register sessionkey
>>>
>>> On 30/12/12 19:26, ap...@gm... wrote:
>>>> Hi
>>>>
>>>> I have installed eurephia and have a problem with registering
>>>> user.
>>>>
>>>> Openvpn is working and users can connect if I disable plugin
>>>> in openvpn.config.
>>>>
>>>> With plugin enabled I get an error in openvpn log:
>>>>
>>>> [2012-12-30 18:24:30 CET] ** - FATAL - ** [0] eDBregister_sessionkey: Error registering sessionkey into openvpn_sessionkeys
>>>> ** - FATAL - ** [0] Could not register sessionkey
>>>> [2012-12-30 18:24:30 CET] ** ERROR ** [0] Could not update last access status for uid 2
>>>> [2012-12-30 18:24:30 CET] ** WARNING ** [0] Failed to cache password for user 'user'
>>>> [2012-12-30 18:24:30 CET] -- INFO -- [0] User 'user' authenticated
>>>>
>>>> I could not find anything on internet what could help to solve
>>>> the error.
>>>
>>> Hi Toni,
>>>
>>> Please read the following section carefully, especially the
>>> yellow/orange block.
>>>
>>> <http://www.eurephia.net/documentation/eurephia/1.1/html/Administrators_Tutorial_and_Manual/chap-Administrators_Manual-ConfigOVPN_Chapter.html#id810951>
>>>
>>> I don't know if you use chroot or not. But it might be that
>>> even though you don't use chroot, that openvpn/eurephia doesn't
>>> have the proper access to create the .jnl file as well. So
>>> please ensure openvpn/eurephia is allowed to create temporary
>>> files in the directory where the database file resides.
>>>
>>> Please keep us updated if this helped, and I'll make sure to
>>> update the documentation as well.
>>>
>>>
>>> kind regards,
>>>
>>> David Sommerseth
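
The `--auth-user-pass [up]` file from the reply at the top of this thread, as an added example that is not part of the original mails: a shell sketch that writes the two-line file with mode 600 and audits its format and permissions before an unattended client relies on it. The helper names, path and credentials are constructed, and `stat -c` assumes GNU coreutils on Linux.

```shell
#!/bin/sh
# Added example: create and audit the "up" file given to --auth-user-pass.
# Function names, paths and credentials are constructed placeholders.

# write_up_file FILE USER PASS: create FILE readable by its owner only.
write_up_file() {
    rm -f "$1"                       # a pre-existing file would keep its old mode
    ( umask 077 && printf '%s\n%s\n' "$2" "$3" > "$1" )
}

# check_up_file FILE: print a verdict; return 0 only when FILE is acceptable.
check_up_file() {
    f=$1
    [ -f "$f" ] || { echo "missing: $f"; return 2; }
    # The man page requires username and password on 2 lines, both non-empty.
    awk 'length($0) == 0 { bad = 1 } END { exit (NR == 2 && !bad) ? 0 : 1 }' "$f" \
        || { echo "bad format: $f"; return 3; }
    mode=$(stat -c '%a' "$f")        # GNU stat (assumption), e.g. 600
    if [ $(( 0$mode & 077 )) -ne 0 ]; then
        echo "too permissive ($mode): $f"; return 4
    fi
    echo "ok ($mode): $f"
}

# Constructed demo: a correctly created file, then the same file loosened.
demo_dir=$(mktemp -d)
write_up_file "$demo_dir/up" "vpn-gw1" "constructed-password"
check_up_file "$demo_dir/up"
chmod 644 "$demo_dir/up"
check_up_file "$demo_dir/up" || true
rm -rf "$demo_dir"
```

The client configuration then references the file as `auth-user-pass` followed by its path, subject to the build option the man page excerpt mentions.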