Opened 9 years ago
Closed 9 years ago
#630 closed Bug / Defect (fixed)
auth-user-pass broken when using systemd
Reported by: | gcau | Owned by: | |
---|---|---|---|
Priority: | major | Milestone: | |
Component: | Generic / unclassified | Version: | OpenVPN 2.3.8 (Community Ed) |
Severity: | Not set (select this one, unless you're an OpenVPN developer) | Keywords: | |
Cc: |
Description
Since 2.3.8 auth-user-pass fails to get stdin for username/password when started via systemd.
Error log:
neither stdin nor stderr are a tty device, can't ask for Auth password. If you used --daemon, you need to use --askpass to make passphrase-protected keys work, and you can not use --auth-nocache.
Setting --askpass does not work either (there is no client cert), and --auth-nocache is not used.
Reverting to 2.3.7 fixes the issue.
systemd service file:
```
[Unit]
Description=OpenVPN tunnel for %I
After=syslog.target network-online.target
Wants=network-online.target
Documentation=man:openvpn(8)
Documentation=https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage
Documentation=https://community.openvpn.net/openvpn/wiki/HOWTO

[Service]
PrivateTmp=true
Type=forking
PIDFile=/var/run/openvpn/client_%i.pid
ExecStart=/usr/sbin/openvpn --cd /etc/openvpn/client --config %i.conf --daemon --writepid /var/run/openvpn/client_%i.pid
CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_DAC_READ_SEARCH
LimitNPROC=10
DeviceAllow=/dev/null rw
DeviceAllow=/dev/net/tun rw

[Install]
WantedBy=multi-user.target
```
Attachments (1)
Change History (6)
comment:1 Changed 9 years ago by
comment:2 Changed 9 years ago by
I need to revisit this... still on my plate, but there was so much going on recently that I could not find time yet.
Changed 9 years ago by
Attachment: | 0001-Fix-isatty-check-for-good.patch added |
---|
comment:3 Changed 9 years ago by
I think the patch I have attached should fix all issues - as in: I've tested all cases that I can reproduce here (no systemd, but auth-user-pass and passphrase-protected keys), and I understand why I broke systemd - the "do we have systemd?" branch happens right inside get_console_input() which I did not want to touch initially.
Could you please test this? Patch is against master, but should apply just as is to 2.3.8 or release/2.3 branch.
If this works, it will be part of 2.3.9 which will be shipped in the next few days.
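The ordering problem described in comment:3, as an added illustration that is not OpenVPN's code and not the attached patch: a tty check that runs before the systemd branch rejects a unit that has no tty even though systemd could have supplied the prompt. All function, enum and struct names are hypothetical, and the placement of the two checks is an assumption drawn from the error log and the comment.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdbool.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical names throughout; this models the ordering, not OpenVPN's source. */
enum prompt_source { PROMPT_FATAL, PROMPT_TTY, PROMPT_SYSTEMD };

struct prompt_env {
    bool stdin_tty;  /* isatty(STDIN_FILENO) */
    bool stderr_tty; /* isatty(STDERR_FILENO) */
    bool systemd;    /* systemd is the running init */
};

/* Probe the current process; /run/systemd/system is the directory
   sd_booted(3) documents as its test. */
struct prompt_env probe_env(void)
{
    struct stat st;
    struct prompt_env e;
    e.stdin_tty = isatty(STDIN_FILENO) == 1;
    e.stderr_tty = isatty(STDERR_FILENO) == 1;
    e.systemd = stat("/run/systemd/system", &st) == 0 && S_ISDIR(st.st_mode);
    return e;
}

/* Ordering that matches the report: the tty check comes first, so a unit
   with no tty is rejected before any systemd branch is reached. */
enum prompt_source pick_tty_check_first(struct prompt_env e)
{
    if (!e.stdin_tty && !e.stderr_tty)
        return PROMPT_FATAL;
    return e.systemd ? PROMPT_SYSTEMD : PROMPT_TTY;
}

/* systemd consulted first; the tty check only guards the console path. */
enum prompt_source pick_systemd_first(struct prompt_env e)
{
    if (e.systemd)
        return PROMPT_SYSTEMD;
    return (e.stdin_tty || e.stderr_tty) ? PROMPT_TTY : PROMPT_FATAL;
}

int main(void)
{
    static const char *name[] = { "fatal", "tty", "systemd" };
    struct prompt_env e = probe_env();
    printf("tty check first: %s\n", name[pick_tty_check_first(e)]);
    printf("systemd first:   %s\n", name[pick_systemd_first(e)]);
    return 0;
}
```

Running the binary from a unit file and from an interactive shell shows the two orderings diverge only in the no-tty, systemd-present case.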
comment:5 Changed 9 years ago by
Resolution: | → fixed |
---|---|
Status: | new → closed |
Thanks for testing. Selva ACKed on the mailing list as well, so here we go...
commit 015fe7177181fb4944ddf33debcfcd20c62ba55a (master)
commit db55abd9e28546874edd78fa50df594a78e794b9 (release/2.3)
Author: Gert Doering
Date: Wed Dec 9 21:03:55 2015 +0100
Fix isatty() check for good.
Signed-off-by: Gert Doering <gert@…>
Acked-by: Selva Nair <selva.nair@…>
Message-Id: <1449691435-5928-1-git-send-email-gert@…>
(see also #618, just for reference)
Can you please try to build git master and see if our changes there have improved things for you?