Opened 11 years ago

Closed 9 years ago

#248 closed Patch submission (fixed)

Fix --askpass not allowing for password input via stdin

Reported by: jgeboski Owned by:
Priority: major Milestone: release 2.3.8
Component: Generic / unclassified Version: OpenVPN git master branch (Community Ed)
Severity: Not set (select this one, unless your'e a OpenVPN developer) Keywords: askpass


I was recently writing a small script to use to get my VPN session authenticated. I saw the --askpass option in the manual, which I intended to use with --daemon. However, I quickly ran into an error with the --askpass parameter.

# openvpn --config client.conf --askpass
Options error: --askpass fails with 'stdin': No such file or directory
Options error: Please correct these errors.
Use --help for more information.

This patch resolves --askpass treating stdin as a file during the file access check. In turn, this leads to openvpn failing to start if this option is set to stdin.

By default, --askpass reads the certificate's password from stdin rather than a file. Without passing the CHKACC_ACPTSTDIN flag to check_file_access(), stdin is marked as being a nonexistent file.


Attachments (1)

0001-Fix-askpass-not-allowing-for-password-input-via-stdi.patch (1.3 KB) - added by jgeboski 11 years ago.

Download all attachments as: .zip

Change History (3)

comment:1 Changed 10 years ago by Samuli Seppänen

Keywords: stdin removed
Milestone: release 2.4
Priority: minormajor

I can reproduce this on 2.3.2 too. The man-page says the following:

 --askpass [file]                                                              
              Get certificate password from console or file before we daemonize.

This works:

$ openvpn --config test.conf --askpass certificate_password.txt

While this does not:

$ openvpn --config test.conf --askpass

So this looks like a bug.

comment:2 Changed 9 years ago by Gert Döring

Milestone: release 2.4release 2.3.8
Resolution: fixed
Status: newclosed

It most definitely is a bug, but up to 2.3.7 "--askpass stdin" was sort of a not-really-needed corner case - with the --daemon change in 2.3.7 (and recent git master), we actually need this, so rediscovered this bug...

commit 4e1e3ba1d8582a1e95dd6f9564e97c99784959a7 (master)
commit 4d093fff305a3054d88ae2c803665cf90d512c7e (release/2.3)

Author: James Geboski
Date: Tue Jan 8 17:52:57 2013 -0500

Fix --askpass not allowing for password input via stdin

Signed-off-by: James Geboski <jgeboski@…>
Acked-by: Steffan Karger <steffan.karger@…>
Signed-off-by: Gert Doering <gert@…>
Message-Id: <55A41225.2020705@…>

will be in 2.3.8, to be released "soonish".

Note: See TracTickets for help on using tickets.