I am trying to use PAM to authenticate OpenVPN against 2FA (not important info). Here is my PAM configuration:
```
account required pam_permit.so
auth required pam_google_authenticator.so secret=/etc/openvpn/google-authenticator/${USER} user=root forward_pass nullok debug authtok_prompt=pin
```
I have an issue in the first line (or wherever I put it). Using the line as shown causes the PAM configuration to break for some reason I don't understand:
/var/log/auth.log:
```
: No such file or directoryrary /lib/security/pam_permit.so PAM unable to dlopen(/lib/security/pam_permit.so
2022-01-06 23:02:53 err openvpn(pam_google_authenticato[9]: PAM adding faulty module: /lib/security/pam_permit.so
```
However, adding ANYTHING at the end of that line (even a space or any dummy text) causes my PAM configuration to work perfectly! So in other words having this `account required pam_permit.so ` (notice the space at the end), or this `account required pam_permit.so DUMMY`, works!
I don't understand what the reason is. Could anyone help me understand what the issue is here?
I am in a Docker container (alpine image).
One other strange behavior I observed: putting the `nullok` or `debug` flags at the end of the second line causes the configuration to become invalid, but putting them in the middle fixes the issue. What is going on? T
Well, it turned out that the issue for both strange behaviors was the CRLF characters.
As soon as I used LF everything started working as expected.
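The symptoms in the post are consistent with the carriage return staying attached to the last whitespace-separated token of each line: the module path when nothing follows it, a separate token after a trailing space, or the final option on the `auth` line. The script below is an added example, not part of the original post; the function names `find_cr_tokens` and `strip_cr` and the sample file are constructed here. It reports which token on each line carries the CR and then rewrites the file with LF endings.

```shell
#!/bin/sh
# Added example: locate and remove carriage returns in PAM service files.
# Function names and the sample file below are constructed for illustration.

CR=$(printf '\r')

# For every line that contains a CR, print "file:line:last-token",
# with the CR rendered visibly as <CR>.
find_cr_tokens() {
    awk -v cr="$CR" '
        index($0, cr) {
            n = split($0, tok, /[ \t]+/)   # split on spaces and tabs only
            t = tok[n]
            gsub(cr, "<CR>", t)
            printf "%s:%d:%s\n", FILENAME, FNR, t
        }' "$@"
}

# Rewrite each file in place without CR characters.
# Writing back with cat keeps the original owner and mode.
strip_cr() {
    for f in "$@"; do
        tmp=$(mktemp) || return 1
        tr -d '\r' < "$f" > "$tmp" && cat "$tmp" > "$f"
        rm -f "$tmp"
    done
}

# Constructed sample: the "account" line from the post saved with CRLF,
# once bare and once with the trailing space that made it work.
sample=$(mktemp)
printf 'account required pam_permit.so\r\naccount required pam_permit.so \r\n' > "$sample"

find_cr_tokens "$sample"   # line 1: CR glued to the module path; line 2: CR on its own
strip_cr "$sample"
find_cr_tokens "$sample"   # prints nothing once the file uses LF
rm -f "$sample"
```

Run `find_cr_tokens` against the service files copied into the image (for example those under `/etc/pam.d`) during the build, so a CRLF checkout is caught before the container starts.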