--auth-user-pass won't read from stdin

[Logological]

According to the man page, the --auth-user-pass option can be used to enter a username and password. It can take as its optional argument the name of a file containing the username and password on separate lines, or if the argument is omitted it is supposed to read these values from the console. The documented behaviour works when specifying the filename, but if I omit the argument and direct a file or a pipe to stdin, the client just hangs, and if I manually kill the process it outputs the error "Failed retrieving username or password".

For example, assume there exists a command pass foo which outputs a username and password on separate lines, and assume there is a configuration file foo.ovpn with the following contents:

client
dev tun
proto udp
remote vpn.example.com 1198
resolv-retry infinite
nobind
persist-key
persist-tun
cipher aes-128-cbc
auth SHA1
tls-client
remote-cert-tls server
comp-lzo
verb 1
reneg-sec 0
crl-verify crl.rsa.2048.pem
ca ca.rsa.2048.crt
disable-occ

Then either of the following two sets of commands, which pass the credentials on stdin, cause OpenVPN to hang:

pass foo | openvpn --config foo.ovpn --auth-user-pass

pass foo > foo_credentials.txt
openvpn --config foo.ovpn --auth-user-pass < foo_credentials.txt

However, the following set of commands, which first outputs the credentials to a file and then passes the filename as an argument, works as expected:

pass foo > foo_credentials.txt
openvpn --config foo.ovpn --auth-user-pass foo_credentials.txt

I am running the OpenVPN client on a 64-bit openSUSE Tumbleweed system:

$ openvpn --version
OpenVPN 2.4.9 x86_64-suse-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 16 2020
library versions: OpenSSL 1.1.1g  21 Apr 2020, LZO 2.10
Originally developed by James Yonan
Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net>
Compile time defines: enable_async_push=no enable_comp_stub=no enable_crypto=yes enable_crypto_ofb_cfb=yes enable_debug=yes enable_def_auth=yes enable_dependency_tracking=no enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=needless enable_fragment=yes enable_iproute2=yes enable_libtool_lock=yes enable_lz4=yes enable_lzo=yes enable_management=yes enable_multihome=yes enable_pam_dlopen=no enable_pedantic=no enable_pf=yes enable_pkcs11=yes enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no enable_server=yes enable_shared=yes enable_shared_with_static_runtimes=no enable_small=no enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=yes enable_werror=no enable_win32_dll=yes enable_x509_alt_username=yes with_aix_soname=aix with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_sysroot=no

I reported this issue on the forum some time ago at ​https://forums.openvpn.net/viewtopic.php?f=6&t=31076&sid=f225010d98d4d90899e57fd00869e5d5 but as I got no response I am assuming for the time being that this is a bug.

[Gert Döring]

"Read from console" really means this, "read from the glass terminal you are looking at and typing into", not "read from stdin".

We explicitly open /dev/tty to talk to the controlling tty, and error out if there is no tty.

This is how it is intended to be, so, not a bug.

Some trickery with named pipes might make this work, but generally, it will then fail later on if auth-nocache is active (because we want to immediately forget the password then, and re-read on TLS renegotiation).

[tct]

It may be possible to use the management interface in a similar way to how the Windows GUI does ? Total guess though ..

[Gert Döring]

It can be done, but is not trivially done from a script.

If the only purpose is "hand the password to OpenVPN without putting it into a file" writing a management interface driver is a bit heavy handed.