Opened 4 years ago

Closed 4 years ago

#576 closed Bug / Defect (fixed)

openvpn doesn't ask for username/password from stdin in daemon mode

Reported by: tvujec Owned by: Steffan Karger
Priority: major Milestone: release 2.3.8
Component: Generic / unclassified Version: OpenVPN 2.3.7 (Community Ed)
Severity: Not set (select this one, unless you're an OpenVPN developer) Keywords:
Cc:

Description

Since somewhere between 2.3.2 and 2.3.7, "possibly_become_daemon" was moved before "init_instance" and "init_query_pass" is now only called after openvpn gets daemonized. That is a regression and now it is not possible to provide initial username and password in daemon mode, which is needed when e.g. OTP is used.
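
The ordering problem in this report, reduced to an added example that is not OpenVPN code and not part of the original ticket. It assumes daemonizing points stdin at /dev/null, as daemon(3) does by default; query_creds(), detach() and run_order() are hypothetical stand-ins, and the secret is constructed sample input.

```c
/* Added illustration, not OpenVPN source: query_creds() and detach() are
 * hypothetical stand-ins for init_query_pass() and possibly_become_daemon(). */
#include <fcntl.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Read one line (e.g. an OTP) from stdin; 0 on success, -1 on EOF or error. */
static int query_creds(char *buf, size_t len)
{
    size_t n = 0;
    char c;
    while (n + 1 < len && read(STDIN_FILENO, &c, 1) == 1 && c != '\n')
        buf[n++] = c;
    buf[n] = '\0';
    return n > 0 ? 0 : -1;
}

/* The part of daemonizing that matters here: new session, stdin -> /dev/null
 * (assumed behaviour, matching daemon(3) with noclose=0). */
static void detach(void)
{
    int fd = open("/dev/null", O_RDWR);
    setsid();
    if (fd > STDIN_FILENO) {
        dup2(fd, STDIN_FILENO);
        close(fd);
    }
}

/* The child's stdin is a pipe preloaded with a constructed secret.
 * query_first=1 is the working order, 0 the regressed one.
 * Returns 1 if the secret was read, 0 if not, -1 on setup failure. */
int run_order(int query_first)
{
    int p[2], st = 0;
    char buf[64];
    if (pipe(p) < 0 || write(p[1], "123456\n", 7) != 7) return -1;
    pid_t pid = fork();
    if (pid == 0) {
        dup2(p[0], STDIN_FILENO);
        close(p[0]); close(p[1]);
        int ok;
        if (query_first) { ok = query_creds(buf, sizeof buf); detach(); }
        else             { detach(); ok = query_creds(buf, sizeof buf); }
        _exit(ok == 0 && strcmp(buf, "123456") == 0 ? 0 : 1);
    }
    close(p[0]); close(p[1]);
    if (pid < 0 || waitpid(pid, &st, 0) < 0) return -1;
    return WIFEXITED(st) && WEXITSTATUS(st) == 0;
}
```

In the regressed order the read hits end-of-file immediately, so the credential never reaches the process even though it was waiting on the original stdin.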

Change History (9)

comment:1 Changed 4 years ago by Gert Döring

Milestone: release 2.3.8
Owner: set to Steffan Karger
Status: new → assigned

comment:2 Changed 4 years ago by tvujec

I could potentially patch this, but I must admit that I don't know much about openvpn code, and sticking a call to "init_query_pass" somewhere before "possibly_become_daemon" might break some other things I am not aware of. Please let me know if a patch can be done quickly.

comment:3 Changed 4 years ago by Gert Döring

init_query_pass() might depend on yet something else, so it takes a bit of careful looking.

We knew that the --daemon change could have side effects (due to the fairly complicated and long list of things set up dependent on the options passed) - this one, we overlooked... sorry for that.

We'll patch "ASAP", but there is a "AP" = "as possible" in there, so we can't promise anything - OTOH if you come up with a patch that works for you, we can start with reviewing, instead of looking ourselves... :-)

comment:4 Changed 4 years ago by Steffan Karger

I could indeed reproduce the issue with --daemon + --auth-user-pass. I just sent the patch that resolves the issue for me to the list:
http://thread.gmane.org/gmane.network.openvpn.devel/9901

If you have the opportunity to test, I would appreciate hearing whether this resolves the issue for you too.

comment:5 Changed 4 years ago by Steffan Karger

I'm not sure if you were already doing this, but I forgot to mention that with the new patch you should add the --askpass option to make it work again.

comment:6 in reply to:  5 Changed 4 years ago by Gert Döring

Replying to syzzer:

> I'm not sure if you were already doing this, but I forgot to mention that with the new patch you should add the --askpass option to make it work again.

*This* one hopefully should not need --askpass as --auth-user-pass already tells openvpn to ask... #574 certainly would, yes.

comment:7 in reply to:  4 Changed 4 years ago by tvujec

Replying to syzzer:

> I could indeed reproduce the issue with --daemon + --auth-user-pass. I just sent the patch that resolves the issue for me to the list:
> http://thread.gmane.org/gmane.network.openvpn.devel/9901
>
> If you have the opportunity to test, I would appreciate hearing whether this resolves the issue for you too.

I was finally able to test, and I can confirm that it works without any apparent side-effects. I had to modify the patch a slight bit, as I used released 2.3.7 openvpn sources (manually building EPEL package).

comment:8 Changed 4 years ago by Steffan Karger

Component: OpenVPN Connect → Generic / unclassified

Thanks for reporting back, and glad to hear this resolves the issue for you.

comment:9 Changed 4 years ago by Gert Döring

Resolution: fixed
Status: assigned → closed

2.3.8 has been tagged in the git repo, and tarballs should show up on the download site tomorrow or so.
