Opened 4 years ago

Closed 4 years ago

#630 closed Bug / Defect (fixed)

auth-user-pass broken when using systemd

Reported by: gcau
Owned by:
Priority: major
Milestone:
Component: Generic / unclassified
Version: OpenVPN 2.3.8 (Community Ed)
Severity: Not set (select this one, unless you're an OpenVPN developer)
Keywords:
Cc:

Description

Since 2.3.8 auth-user-pass fails to get stdin for username/password when started via systemd.

Error log:

neither stdin nor stderr are a tty device, can't ask for Auth password. If you used --daemon, you need to use --askpass to make passphrase-protected keys work, and you can not use --auth-nocache.

Setting --askpass does not work either (there is no client cert), and --auth-nocache is not used.

Reverting to 2.3.7 fixes the issue.

systemd service file:

[Unit]
Description=OpenVPN tunnel for %I
After=syslog.target network-online.target
Wants=network-online.target
Documentation=man:openvpn(8)
Documentation=https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage
Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO

[Service]
PrivateTmp=true
Type=forking
PIDFile=/var/run/openvpn/client_%i.pid
ExecStart=/usr/sbin/openvpn --cd /etc/openvpn/client --config %i.conf --daemon --writepid /var/run/openvpn/client_%i.pid
CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_READ_SEARCH
LimitNPROC=10
DeviceAllow=/dev/null rw
DeviceAllow=/dev/net/tun rw

[Install]
WantedBy=multi-user.target

Attachments (1)

0001-Fix-isatty-check-for-good.patch (2.6 KB) - added by Gert Döring 4 years ago.

Change History (6)

comment:1 Changed 4 years ago by David Sommerseth

Can you please try to build git master and see if our changes there have improved things for you?

comment:2 Changed 4 years ago by Gert Döring

I need to revisit this... still on my plate, but there was so much going on recently that I could not find time yet.

Changed 4 years ago by Gert Döring

0001-Fix-isatty-check-for-good.patch

comment:3 Changed 4 years ago by Gert Döring

I think the patch I have attached should fix all issues - as in: I've tested all cases that I can reproduce here (no systemd, but auth-user-pass and passphrase-protected keys), and I understand why I broke systemd - the "do we have systemd?" branch happens right inside get_console_input() which I did not want to touch initially.

Could you please test this? Patch is against master, but should apply just as is to 2.3.8 or release/2.3 branch.

If this works, it will be part of 2.3.9 which will be shipped in the next few days.
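The ordering problem described in comment 3, as an added example that is not part of the ticket or of OpenVPN's source: a simplified model in which a tty test placed ahead of the systemd branch rejects a service that systemd could have prompted for. The function names, the `prompt_source` enum and the `/run/systemd/system` detection are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Where a username/password prompt can be served from (hypothetical enum). */
enum prompt_source { PROMPT_SYSTEMD, PROMPT_TTY, PROMPT_NONE };

/* Assumption: detect systemd the way sd_booted() does, by checking that
 * the /run/systemd/system directory exists. */
static bool systemd_running(void)
{
    struct stat st;
    return stat("/run/systemd/system", &st) == 0 && S_ISDIR(st.st_mode);
}

/* Failing order: the tty test runs first, so a unit started without a
 * tty is rejected before the systemd branch is ever reached. */
enum prompt_source choose_tty_first(bool have_systemd, bool in_tty, bool err_tty)
{
    if (!in_tty && !err_tty)
        return PROMPT_NONE;   /* "neither stdin nor stderr are a tty device" */
    return have_systemd ? PROMPT_SYSTEMD : PROMPT_TTY;
}

/* One order that avoids it: ask systemd first (e.g. systemd-ask-password),
 * and only require a tty when systemd cannot serve the prompt. */
enum prompt_source choose_systemd_first(bool have_systemd, bool in_tty, bool err_tty)
{
    if (have_systemd)
        return PROMPT_SYSTEMD;
    if (in_tty || err_tty)
        return PROMPT_TTY;
    return PROMPT_NONE;       /* daemonised, no agent: fail instead of hanging */
}

int main(void)
{
    static const char *names[] = { "systemd", "tty", "none" };
    bool sd = systemd_running();
    bool in_tty = isatty(STDIN_FILENO);
    bool err_tty = isatty(STDERR_FILENO);
    printf("tty check first:     %s\n", names[choose_tty_first(sd, in_tty, err_tty)]);
    printf("systemd check first: %s\n", names[choose_systemd_first(sd, in_tty, err_tty)]);
    return 0;
}
```

Run from a unit like the one in the description (no tty on stdin or stderr), the first line reports `none` and the second reports `systemd`.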

comment:4 Changed 4 years ago by gcau

Looks to work fine for me against the 2.3.8 version.

Thanks a lot

comment:5 Changed 4 years ago by Gert Döring

Resolution: fixed
Status: new → closed

Thanks for testing. Selva ACKed on the mailing list as well, so here we go...

commit 015fe7177181fb4944ddf33debcfcd20c62ba55a (master)
commit db55abd9e28546874edd78fa50df594a78e794b9 (release/2.3)

Author: Gert Doering
Date: Wed Dec 9 21:03:55 2015 +0100

Fix isatty() check for good.

Signed-off-by: Gert Doering <gert@…>
Acked-by: Selva Nair <selva.nair@…>
Message-Id: <1449691435-5928-1-git-send-email-gert@…>

(see also #618, just for reference)
