
duo_openvpn's Issues

Make fails

compilation failed because it failed to find <sys/stat.h>

cc -DPREFIX='"/opt/duo"' -fPIC -c duo_openvpn.c
duo_openvpn.c:1:22: fatal error: sys/stat.h: No such file or directory
 #include <sys/stat.h>
                      ^
compilation terminated.
Makefile:14: recipe for target 'duo_openvpn.o' failed
make: *** [duo_openvpn.o] Error 1

Connection timed out

Since around yesterday, I've been getting "Connection timed out" errors in my OpenVPN logs and I'm unable to log in to my VPN:

May 30 12:19:29 xxx ovpn-server[658]: xxx:42272 SENT CONTROL [xxx]: 'AUTH_FAILED' (status=1)
May 30 12:19:31 xxx duo_openvpn.py[26060]: Duo OpenVPN: [Errno 110] Connection timed out
May 30 12:19:31 xxx duo_openvpn.py[26060]: Duo OpenVPN: writing failure code to /tmp/openvpn_acf_2f692cc534aa66af16370ae71fc0cf0d.tmp
May 30 12:19:34 xxx ovpn-server[658]: xxx:42272 SIGTERM[soft,delayed-exit] received, client-instance exiting
May 30 12:20:36 xxx duo_openvpn.py[26069]: Duo OpenVPN: [Errno 110] Connection timed out
May 30 12:20:36 xxx duo_openvpn.py[26069]: Duo OpenVPN: writing failure code to /tmp/openvpn_acf_41c8e9805f5779bee1d25fd04a5db77c.tmp

Has anything changed which might have broken this?

Add MSVC build compatibility

Some functions do not exist in the Windows C library (such as setenv and fork), plugin should be updated to be cross-platform (and not just use mingw32)

See #7 for working code (tested on Windows Server 2012 R2, Ubuntu 14.04)

Ignoring SIG_CHLD breaks external scripts

Commit 3b890e6 added a call to signal() to ignore SIG_CHLD. While this prevents zombie processes, it breaks external script launches in openvpn, such as with the --learn-address option. Specifically, it causes waitpid() at https://github.com/OpenVPN/openvpn/blob/master/src/openvpn/misc.c#L315 to return ECHILD, which then cascades into other failures such as not routing between endpoints because the internal routing was not added. See https://forums.openvpn.net/topic20888.html for my earlier discussion with a rather rude openvpn contributor...

I would suggest daemonizing the child process instead of ignoring SIG_CHLD. That way, init (or systemd in later distros) will clean it up upon exit.

mox3 is not supported under python3.11

It appears mox3 is no longer maintained. In order to run CI tests under python3.11, someone will need to port the tests over to a new framework that is more current and runs under python3.11.

In #44, version 3.11 had to be removed from the tested versions due to this incompatibility. Potential opportunity for a newbie to learn testing frameworks and make a worthwhile code contribution?

missing symbol on SmartOS 64 bit

I found that compiling this on a 64-bit SmartOS image works, but when trying to start openvpn with this as a module it would yield the error:

PLUGIN_INIT: could not load plugin shared object /opt/duo/duo_openvpn.so: ld.so.1: openvpn: fatal: relocation error: file /opt/duo/duo_openvpn.so: symbol WIFEXITED: referenced symbol not found

This symbol can be found in /usr/include/sys/wait.h and adding an additional import statement to duo_openvpn.c fixed it.
#include <sys/wait.h>

I see that the main openvpn source includes <sys/wait.h> in multiple places
https://github.com/OpenVPN/openvpn/blob/4507bb6cd11799f72f1ede602315a60e03bb449c/src/plugins/auth-pam/auth-pam.c#L46

https://github.com/OpenVPN/openvpn/blob/2282b1be7968ef44accde705ccc64addab6d77ba/src/plugins/down-root/down-root.c#L40

Also, looks like this is the same issue addressed by #13

Unable to load duo_openvpn.so in OpenVpn server v. 2.4.6

Hello,
I recently built and installed the duo_openvpn.so plugin on my openvpn server (version 2.4.6) and after installation/configuration of the plugin I am getting the following error on startup of openvpn:

openvpn[2547]: Options error: Unrecognized option or missing or extra parameter(s) in /tmp/openvpn/openvpn.conf:33: plugin (2.4.6)

The line (#33) in the openvpn.conf that generated this error is as follows:
plugin /opt/duo/duo_openvpn.so ‘xxxxx yyyyyy zzzzzzzzz’

Note: I am using single quote to enclose the keys 'x y z'

This issue was supposedly fixed according to this submission by using the single quote:
#19

I have tried using double quotes and no-quotes but the error is the same after restarting the openvpn server. Because of this error, openvpn server fails to start and I have commented out loading of the duo plugin for now.

Is this a known/open issue with OpenVpn 2.4.6?

Thank you.
J

Zombie Python processes for each Duo push

I'm running an OpenVPN server in an Alpine-based Docker image that includes the current Duo plugin. I've noticed that there's a zombie Python process for each auth request to the VPN server.

Here's the Dockerfile that's used to build the Docker image:

FROM alpine:3.4
MAINTAINER ....

RUN apk update && \
    apk add openvpn openvpn-dev gcc libc-dev curl make python

RUN cd /root && \
    curl -Lo /root/openvpn-duo.tar.gz https://github.com/duosecurity/duo_openvpn/tarball/master && \
    tar xf /root/openvpn-duo.tar.gz && \
    cd duosecurity-duo_openvpn-* && \
    make && make install

ENTRYPOINT ["/usr/sbin/openvpn"]

I run the container using a command similar to this: docker run -d --net=host -v $(pwd):/cfg alpenvpn --config /cfg/server.conf. We can authenticate using Duo just fine, but the Python processes don't go away until the container is restarted.

/opt/duo # ps -A -ostat,comm
STAT COMMAND
S    openvpn
Z    python
Z    python
S    sh
Z    python
Z    python
Z    python
R    ps
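
Added example, not taken from the issue threads or the duo_openvpn source: the double-fork launch suggested in the "Ignoring SIG_CHLD breaks external scripts" issue, which also avoids the zombies reported in this one while leaving SIGCHLD at its default so the host's own waitpid() calls keep working. The names spawn_detached, run_external_script and sample_job are hypothetical; the SIGCHLD-ignored behaviour shown is that of Linux and POSIX.1-2001.

```c
/* Added example, not duo_openvpn code; all helper names are hypothetical. */
#include <errno.h>
#include <signal.h>
#include <sys/wait.h>
#include <unistd.h>

/* Run job() in a grandchild that init adopts; SIGCHLD stays at its default.
 * Returns 0 once the short-lived intermediate child has been reaped. */
int spawn_detached(void (*job)(void))
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {                  /* intermediate child */
        pid_t gpid = fork();
        if (gpid == 0) {             /* grandchild: does the slow work */
            setsid();
            job();
            _exit(0);
        }
        _exit(gpid < 0 ? 1 : 0);     /* exit at once, orphaning the grandchild */
    }
    while (waitpid(pid, &status, 0) < 0)   /* reap only the intermediate child */
        if (errno != EINTR)
            return -1;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}

/* Stand-in for the host running an external script: fork, then waitpid.
 * Returns the child's exit code, or -1 if waitpid() fails (e.g. ECHILD). */
int run_external_script(int code, int ignore_sigchld)
{
    int status, rc = -1;
    void (*old)(int) = signal(SIGCHLD, ignore_sigchld ? SIG_IGN : SIG_DFL);
    pid_t pid = fork();
    if (pid == 0)
        _exit(code);
    if (pid > 0 && waitpid(pid, &status, 0) == pid && WIFEXITED(status))
        rc = WEXITSTATUS(status);
    signal(SIGCHLD, old);
    return rc;
}

static void sample_job(void) { usleep(100000); }  /* constructed stand-in for the auth script */

int main(void) { return spawn_detached(sample_job) || run_external_script(7, 0) != 7; }
```

With SIGCHLD ignored, run_external_script loses the child's exit status and returns -1, which is the ECHILD failure described in the SIG_CHLD issue; with the double fork the status is still collected.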

Duo plugin loads/runs even if previous plugin fails

Hi,

I'm loading the openvpn-auth-ldap.so for user validation and then loading the duo plugin for 2FA. It works, except if a user is not on the allowed groups in LDAP the openvpn-auth-ldap.so will fail but will still trigger the push notification. Shouldn't the plugin have additional logic to prevent this?

PLUGIN_CALL: POST /usr/lib/openvpn/openvpn-auth-ldap.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/lib/openvpn/openvpn-auth-ldap.so
PLUGIN_CALL: POST /opt/duo/duo_openvpn.so/PLUGIN_AUTH_USER_PASS_VERIFY status=2

Allow Duo script directory to be defined separately from Duo script name

Whether -DUSE_PERL is true or false, it would be useful to define a single location for Duo scripts of all languages, so that the same "script directory" value can be used for both Perl and Python deployments.

This would likely require a new variable, DUO_SCRIPT_DIR, that when set (and DUO_SCRIPT_PATH unset), calculates the appropriate DUO_SCRIPT_PATH for either .py or .pl based on -DUSE_PERL.

2FA broken on OpenVPN 2.4.1 (CentOS, Fedora, RHEL)

After updating to OpenVPN 2.4.1 I see the following error after starting OpenVPN.

> systemctl status [email protected]
> ● [email protected] - OpenVPN Robust And Highly Flexible Tunneling Application On server
>    Loaded: loaded (/usr/lib/systemd/system/[email protected]; enabled; vendor preset: disabled)
>    Active: failed (Result: exit-code) since Wed 2017-05-03 23:15:35 EDT; 9s ago
>   Process: 3378 ExecStart=/usr/sbin/openvpn --cd /etc/openvpn/ --config %i.conf (code=exited, status=1/FAILURE)
>  Main PID: 3378 (code=exited, status=1/FAILURE)
> 
> May 03 23:15:35 123456 systemd[1]: Starting OpenVPN Robust And Highly Flexible Tunn......
> May 03 23:15:35 123456 systemd[1]: [email protected]: main process exited, cod...URE
> May 03 23:15:35 123456 systemd[1]: Failed to start OpenVPN Robust And Highly Flexib...er.
> May 03 23:15:35 123456 systemd[1]: Unit [email protected] entered failed state.
> May 03 23:15:35 123456 systemd[1]: [email protected] failed.
> Hint: Some lines were ellipsized, use -l to show in full.

Looking at the openvpn.log I see the following

> Options error: Unrecognized option or missing or extra parameter(s) in server.conf:314: plugin (2.4.1)
> Use --help for more information.

So then I look at my server.conf line 314 and that is the duo plugin

plugin /opt/duo/duo_openvpn.so (Ikey,skey,api omitted)

So the man page does not really say anything changed, but I did update to the latest version of the openvpn plugin from here https://duo.com/docs/openvpn. That did not help. I also verified the ikey,skey,api were correct.

So as a test I just comment out this line

#plugin /opt/duo/duo_openvpn.so (ikey,skey,api omitted)

Bingo, it now works

systemctl status [email protected]
● [email protected] - OpenVPN Robust And Highly Flexible Tunneling Application On server
   Loaded: loaded (/usr/lib/systemd/system/[email protected]; enabled; vendor preset: disabled)
   Active: active (running) since Wed 2017-05-03 23:22:02 EDT; 2s ago
 Main PID: 3493 (openvpn)
   Status: "Initialization Sequence Completed"
   CGroup: /system.slice/system-openvpn.slice/[email protected]
           └─3493 /usr/sbin/openvpn --cd /etc/openvpn/ --config server.conf

May 03 23:22:02 123456 systemd[1]: Starting OpenVPN Robust And Highly Flexible Tunn......
May 03 23:22:02 123456 systemd[1]: Started OpenVPN Robust And Highly Flexible Tunne...er.
Hint: Some lines were ellipsized, use -l to show in full.

Any thoughts, ideas?

Does not work out of the box for OpenBSD

Unsurprisingly, the Makefile did not work for OpenBSD either.
I had to use gmake and change the Makefile around (as per what was done for FreeBSD) to get it to compile and install.
Also had to remove the shebang at the top of the python script, along with the "where ... exec" lines, and just replace the shebang with the default python install dir of #!/usr/local/bin/python3
After doing this all worked as planned!

Add support for outbound HTTPS proxies

Currently, the duo_openvpn.py plugin presumes that it has direct outbound 443/tcp access without proxies.

This is not always the case, so proxy support would be helpful.

Does not compile on FreeBSD 9.3

While trying to compile the package on FreeBSD 9.3 I receive the following error:

$ make
"Makefile", line 4: Need an operator
"Makefile", line 7: Need an operator
"Makefile", line 9: Need an operator
"Makefile", line 23: Need an operator
"Makefile", line 25: Need an operator
"Makefile", line 27: Need an operator
make: fatal errors encountered -- cannot continue

I figured it was a make vs gmake issue so I used gmake:

$ gmake
cc -DPREFIX='"/opt/duo"' -fPIC -c duo_openvpn.c
cc -fPIC -shared -Wl,-soname,duo_openvpn.so -o duo_openvpn.so duo_openvpn.o -lc

Success! However, gmake install fails:

$  sudo gmake install
mkdir -p /opt/duo
install -c duo_openvpn.so -m 755 /opt/duo
install: -m: No such file or directory
Makefile:20: recipe for target 'install' failed
gmake: *** [install] Error 71

make install fails as well. Is FreeBSD 9.x not supported?

python3 support

When do we expect support for python3? Python 2 is about to be discontinued. We are in the process of upgrading our os and prefer to not support python2 to run this openvpn plugin. Is this on the roadmap?

FreeBSD port created!

Duo Team,

I've created a FreeBSD port/package of duo_openvpn. You can find details here: https://www.freshports.org/security/duo_openvpn/

FreeBSD users can install via ports via:
cd /usr/ports/security/duo_openvpn/ && make install clean

FreeBSD users can install via package via:
pkg install duo_openvpn

The port features the following configuration options:

  • PYTHON: Use the duo_openvpn.py script
  • PERL: Use the duo_openvpn.pl script [DEFAULT]
  • USERNAME: Force the use of the username variable, instead of the default common_name.
  • METHOD: Force the use of an authentication method, defaults to push, when enabled.

You should consider creating support for the USERNAME/METHOD overrides in the default code base, via defines, to allow for a better user experience.
