Running openvpn as non-root user breaks (pam) password authentication

Description:

This seems to be a regression of https://bugs.archlinux.org/task/69216.
It was working until a week or so ago, before a pacman -Suy.
Running the service as root results in no login issues.

Additional info:

This triggers pam authentication errors on the server, eventually leading to account lockout via pam's faillock.
Logging in, ssh'ing, or otherwise su'ing the user with the same credentials works fine.
I uninstalled and cleared all the openvpn libs and confs, then pacman -S openvpn to reinstall to mitigate any permission issue.

  • package version(s):
    openvpn-2.6.8-1

  • config and/or log files:
    ---server.conf pam plugin line:
    plugin /usr/lib/openvpn/plugins/openvpn-plugin-auth-pam.so login

---client conf uses, txt file whose contents are correct, accessible, and unchanged
auth-user-pass myvpncreds.txt

---server openvpn-service@.service
...
[Service]
...
User=openvpn
Group=network

---server's journalctl:
...
Jan 26 20:44:26 x.net unix_chkpwd[16209]: check pass; user unknown
Jan 26 20:44:26 x.net unix_chkpwd[16210]: check pass; user unknown
Jan 26 20:44:26 x.net unix_chkpwd[16210]: password check failed for user (vpn)
Jan 26 20:44:26 x.net openvpn[15994]: pam_unix(login:auth): authentication failure; logname= uid=975 euid=975 tty= ruser= rhost=111.222.333.444 user=validusername
Jan 26 20:44:29 x.net openvpn[15994]: PLUGIN AUTH-PAM: BACKGROUND: user 'validusername' failed to authenticate: Authentication service cannot retrieve authentication info
Jan 26 20:44:29 x.net openvpn[15988]: 111.222.333.444:52365 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/lib/openvpn/plugins/openvpn-plugin-auth-pam.>
Jan 26 20:44:29 ex.net openvpn[15988]: 111.222.333.444:52365 TLS Auth Error: Auth Username/Password verification failed for peer

Steps to reproduce:

  1. connect to openvpn server as usual
  2. ???
  3. fail
Edited by Erik Johnson
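
A log triage sketch for the journal pattern in this report, added here as an example and not part of the original report or of OpenVPN: it separates AUTH-PAM failures where pam_unix logged a non-root euid and the plugin returned PAM's "cannot retrieve authentication info" error from ordinary failures. The sample lines, host name, user names and the `triage` function are constructed, and reading that combination as a privilege problem rather than a wrong password is an assumption drawn from this report.

```python
import re

# Constructed sample shaped like the journal lines in the report
# (placeholder host, documentation-range addresses, made-up users).
SAMPLE = """\
Jan 26 20:44:26 vpn.example unix_chkpwd[16210]: check pass; user unknown
Jan 26 20:44:26 vpn.example unix_chkpwd[16210]: password check failed for user (alice)
Jan 26 20:44:26 vpn.example openvpn[15994]: pam_unix(login:auth): authentication failure; logname= uid=975 euid=975 tty= ruser= rhost=192.0.2.10 user=alice
Jan 26 20:44:29 vpn.example openvpn[15994]: PLUGIN AUTH-PAM: BACKGROUND: user 'alice' failed to authenticate: Authentication service cannot retrieve authentication info
Jan 26 20:45:02 vpn.example openvpn[200]: pam_unix(login:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=192.0.2.11 user=bob
Jan 26 20:45:05 vpn.example openvpn[200]: PLUGIN AUTH-PAM: BACKGROUND: user 'bob' failed to authenticate: Authentication failure
"""

PAM_UNIX = re.compile(
    r"openvpn\[(\d+)\]: pam_unix\(\S+:auth\): authentication failure;"
    r".*?\beuid=(\d+)\b.*?\buser=(\S+)")
PLUGIN = re.compile(
    r"openvpn\[(\d+)\]: PLUGIN AUTH-PAM: BACKGROUND: "
    r"user '([^']*)' failed to authenticate: (.+)$")
# Linux-PAM's message text for PAM_AUTHINFO_UNAVAIL.
AUTHINFO_UNAVAIL = "Authentication service cannot retrieve authentication info"


def triage(journal_text):
    """Return one finding per AUTH-PAM failure, labelled by likely cause."""
    euid_seen = {}  # (pid, user) -> euid taken from the pam_unix line
    findings = []
    for line in journal_text.splitlines():
        m = PAM_UNIX.search(line)
        if m:
            pid, euid, user = m.groups()
            euid_seen[(pid, user)] = int(euid)
            continue
        m = PLUGIN.search(line)
        if m:
            pid, user, reason = m.groups()
            euid = euid_seen.get((pid, user))
            # Assumption: non-root euid + AUTHINFO_UNAVAIL means the PAM
            # stack could not read the credential store, not a bad password.
            unprivileged = reason.strip() == AUTHINFO_UNAVAIL and euid not in (None, 0)
            cause = "unprivileged-pam" if unprivileged else "credentials-or-other"
            findings.append({"user": user, "euid": euid, "cause": cause})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```
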