From 5ca92a2c5ee84b46b137645d6c8e376aed4c70e1 Mon Sep 17 00:00:00 2001
From: Fabio Napoleoni
Date: Sat, 6 Feb 2016 21:20:34 +0100
Subject: [PATCH] Fixed configuration for pam module to allow login of non existing user accounts, i.e. VPN only users.
---
 otp/openvpn | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/otp/openvpn b/otp/openvpn
index 754fd99..aa8cd0a 100644
--- a/otp/openvpn
+++ b/otp/openvpn
@@ -1,2 +1,4 @@
 # Uses google authenticator library as PAM module using a single folder for all users tokens
-auth required pam_google_authenticator.so secret=/etc/openvpn/otp/${USER}.google_authenticator
\ No newline at end of file
+# User root is required to stick with an hardcoded user when trying to determine user id and allow unexisting system users
+# See https://github.com/google/google-authenticator/tree/master/libpam#secretpathtosecretfile--usersome-user
+auth required pam_google_authenticator.so secret=/etc/openvpn/otp/${USER}.google_authenticator user=root
\ No newline at end of file
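Review bot: `user=root` on the new `auth` line makes the module access the per-user secret file with root privileges, while the path is still built from `${USER}`, which after this change can be any name the VPN client presents rather than an existing system account. A dedicated unprivileged account that owns `/etc/openvpn/otp` should give the same fixed-uid lookup with less privilege, e.g. `auth required pam_google_authenticator.so secret=/etc/openvpn/otp/${USER}.google_authenticator user=<dedicated-otp-user>` (placeholder name). Whichever account is chosen, the comment above the line should also state that the token files must be owned by that account and unreadable by anyone else, since the module is expected to enforce ownership and mode. It is also worth confirming how the module expands a username containing `/` or `..` before relying on the substitution for names that are no longer validated against the passwd database.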