I'm running OpenVPN on a Centos 8 server and have it configured to use PAM authentication for users stored in an IPA server. The users are configured to require 2FA. Everything has been working as expected for several months. But recently our domain cert expired. After inserting the new cert into IPA, PAM authentication stopped working on the OpenVPN server.
Nothing in the logs pointed to anything conclusive so I assumed the IPA client running on the OpenVPN server may not be recognizing the new domain certs on the IPA server. So I uninstalled the IPA client on the OpenVPN server and then reinstalled it. Next I restarted the OpenVPN service, reconfigured sssd.conf and restarted sssd. I was now able to successfully authenticate as expected using a password + OTP token when initiating an OpenVPN connection.
But after rebooting the OpenVPN server, the PAM authentication is no longer requiring the 2FA token -- i.e. I can only initiate an OpenVPN connection with a password that does not include OTP token even though the user is configured to require 2FA. I repeated the same uninstall/reinstall steps and again password + 2FA token authentication worked as expected. But like before after reboot, the 2FA token authentication did not work.
After initially reinstalling the IPA ClientThe sssd log for sss_pam_preauth shows:
[pam] [pam_eval_prompting_config] (0x4000): Authentication types for user [test55@ipa.mydomain.biz] and service [su]: password two-factor
But after rebooting the sssd log for sss_pam_preauth shows:
[pam] [pam_eval_prompting_config] (0x4000): Authentication types for user [test55@ipa.mydomain.biz] and service [su]: password
The sssd and pam config files are the same before and after reboot.
I'm at a loss to understand this behavior.
In my haste to repair the OpenVPN server I overlooked the sssd cache. The account I was using for testing at one time was not configured for 2FA.
It appears after reinstalling the IPA Client, authentication looked to the IPA server for sss_pam_preauth where the user is configured for 2FA. But after reboot sss_pam_preauth looked to the sssd cache where the user was not configured for 2FA.
So following the reboot I cleared the user from the sssd cache using the command sss_cache -u user1. With my next test, sss_pam_preauth could no longer find the user in the sssd cache and therefore looked to the IPA server which responded with a requirement for password + 2FA token as expected. I then rebooted the OpenVPN server again and sss_pam_preauth looked to the sssd cache where the user is now configured for 2FA.
The OpenVPN server is now working as expected.