
Issues with OpenVPN 2.5.2 and cracklib/startup

I wanted to do this quick post for reference down the road. I recently updated OpenVPN to 2.5.2 and had issues with startup, and also had warnings related to cracklib.

The first issue was starting. It was failing on the following:

Jun 28 08:33:05 comp openvpn[30689]: tls_auth_file = 'ta.key'
Jun 28 08:33:32 comp openvpn[30692]: Read error on key file ('ta.key')

Looking at the ownership/permissions of the ta.key, I saw the following:

-rw------- 1 root root 636 Nov 2 2020 ta.key

I changed that to:

-rw------- 1 openvpn openvpn 636 Nov 2 2016 ta.key

Then the service would start, but I noticed this warning:

Jun 28 08:42:16 comp openvpn[31175]: PAM unable to dlopen(/lib/security/pam_cracklib.so): /lib/security/pam_cracklib.so: cannot open shared object file: No such file or directory
Jun 28 08:42:16 comp openvpn[31175]: PAM adding faulty module: /lib/security/pam_cracklib.so

After some digging, I saw that PAM replaced cracklib with passwdqc, so I made the following change to /etc/pam.d/ovpn:

#password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 try_first_pass retry=3
password required pam_passwdqc.so config=/etc/security/passwdqc.conf

Everything seems fine now.
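
An added example, not part of the original post: a shell check that lists every module named in a PAM service file that is missing from the module directory, which is the condition behind the "PAM adding faulty module" warning above. The function names, the temporary paths and the sample rules file are constructed for illustration.

```shell
#!/bin/sh
# Added example: list PAM modules named in a service file that are not installed.
# Usage: pam_missing_modules PAM_FILE MODULE_DIR [MODULE_DIR...]
pam_missing_modules() {
    pam_file=$1; shift
    awk '
        /^[[:space:]]*(#|$)/ { next }     # comments and blank lines
        $1 ~ /^@include$/    { next }     # Debian-style includes name no module
        {
            i = 2                         # field 1 is the type (auth, password, ...)
            if ($i ~ /^\[/)               # bracketed control: [success=1 default=ignore]
                while (i <= NF && $i !~ /\]$/) i++
            i++                           # step past the control field
            if (i <= NF) print $i
        }
    ' "$pam_file" | sort -u | while read -r mod; do
        found=no
        case $mod in
            /*) if [ -e "$mod" ]; then found=yes; fi ;;   # absolute path in the rule
            *)  for dir in "$@"; do
                    if [ -e "$dir/$mod" ]; then found=yes; break; fi
                done ;;
        esac
        [ "$found" = yes ] || printf '%s\n' "$mod"
    done
}

# Constructed demo: the rules from the post with pam_cracklib.so still active,
# checked against a stand-in module directory holding only pam_passwdqc.so.
pam_demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/security"
    : > "$tmp/security/pam_passwdqc.so"
    cat > "$tmp/ovpn" <<'EOF'
password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 try_first_pass retry=3
password required pam_passwdqc.so config=/etc/security/passwdqc.conf
#password required pam_gone.so
EOF
    pam_missing_modules "$tmp/ovpn" "$tmp/security"
    rm -rf "$tmp"
}
pam_demo
```

On a live system, pass /etc/pam.d/ovpn and the module directory shown in the log (/lib/security); empty output means every referenced module is present.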