Opened 8 years ago
Closed 7 years ago
#697 closed Bug / Defect (notabug)
openvpn client asks for password even though auth-user-pass present
Reported by: | Marcin Koziej | Owned by: | |
---|---|---|---|
Priority: | major | Milestone: | |
Component: | Generic / unclassified | Version: | OpenVPN 2.3.11 (Community Ed) |
Severity: | Not set (select this one, unless you're an OpenVPN developer) | Keywords: | password, rsa, client |
Cc: | Selva Nair | | |
Description
I have two Debian clients which connect to OpenVPN: on version 2.3.11 OpenVPN insists on asking for a password, even though the auth-user-pass config option is present. The other Debian client, with an identical config file but version 2.3.4, is working properly.
OpenVPN config:
client
proto tcp
remote 188.165.200.100 1194
nobind
dev tun
comp-lzo
verb 4
persist-key
persist-tun
ca ca.crt
cert Serwer.Karawela.crt
key Serwer.Karawela.key
tls-auth ta.key 1
auth-user-pass karawela.txt
The 2.3.11 client does recognise that the password file is present and has proper permissions.
In both cases the password file contains only the password [it's the password to the Serwer.Karawela.key file]. There is no other username to provide.
The openvpn server version:
OpenVPN 2.2.1 x86_64-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Dec 1 2014
Originally developed by James Yonan
Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@…>
$ ./configure --build=x86_64-linux-gnu --prefix=/usr --includedir=${prefix}/include --mandir=${prefix}/share/man --infodir=${prefix}/share/info --sysconfdir=/etc --localstatedir=/var --libexecdir=${prefix}/lib/openvpn --disable-maintainer-mode --disable-dependency-tracking CFLAGS=-g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security CPPFLAGS=-D_FORTIFY_SOURCE=2 CXXFLAGS=-g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security FFLAGS=-g -O2 LDFLAGS=-fPIE -pie -Wl,-z,relro -Wl,-z,now --enable-password-save --host=x86_64-linux-gnu --build=x86_64-linux-gnu --prefix=/usr --mandir=${prefix}/share/man --with-ifconfig-path=/sbin/ifconfig --with-route-path=/sbin/route
both clients have enable_password_save=yes
Change History (4)
comment:1 Changed 8 years ago by
comment:2 follow-up: 3 Changed 8 years ago by
Cc: | Selva Nair added |
---|---|
Oh. Am I reading this right, you're not using --auth-user-pass for username and password to authenticate to the remote site, but to store the *passphrase* for the secret key?
We might have broken that when reworking --auth-user-pass to fix a few other nasties, and add a few user wishes (like "having only the username in there, enter only the password").
Selva, does this sound reasonable?
comment:3 Changed 8 years ago by
Replying to cron2:
> Oh. Am I reading this right, you're not using --auth-user-pass for username and password to authenticate to the remote site, but to store the *passphrase* for the secret key?
> We might have broken that when reworking --auth-user-pass to fix a few other nasties, and add a few user wishes (like "having only the username in there, enter only the password").
> Selva, does this sound reasonable?
If this is the certificate password, it should be supplied using "--askpass filename", not "--auth-user-pass filename". The latter is used for username/password authentication and requires the username on the first line of the file followed by the password on the second line. For 2.3.11, the password on the second line is optional, so a single line will be interpreted as the username and cause the password to be prompted for from the console.
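The file-format rules in the comment above are easy to check before a client is deployed. The following is an added example, not OpenVPN's own code: a small lint that walks a client config, finds `auth-user-pass FILE` and `askpass FILE` directives, and classifies each credential file by the rules stated in this comment (one line in an `auth-user-pass` file is treated as the username and triggers a console prompt; a key passphrase belongs in `askpass`). It also flags credential files readable by group or others. The config text, the file contents and the `read_sample` lookup are constructed for the example; comment handling is simplified to lines beginning with `#` or `;`.

```python
"""Lint the credential files an OpenVPN client config points at.

Added example, not part of OpenVPN. Rules implemented (from comment:3):
  auth-user-pass FILE -> line 1 username, line 2 password; from 2.3.11 line 2
                         is optional, so a one-line file is read as the
                         username only and the password is prompted for.
  askpass FILE        -> line 1 is the private-key passphrase.
"""
import os
import stat
import tempfile

AUTH_USER_PASS = "auth-user-pass"
ASKPASS = "askpass"


def parse_directives(config_text):
    """Yield (directive, args) per non-comment line; '#' or ';' start a comment line."""
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        name, *args = line.split()
        yield name, args


def check_auth_user_pass_file(content):
    """Return (level, message) for the contents of an --auth-user-pass file."""
    lines = content.splitlines()
    if not lines or not lines[0].strip():
        return "error", "empty file: no username on line 1"
    if len(lines) == 1:
        return ("warning",
                "one line only: it is read as the username and the password will be "
                "prompted for on the console; a key passphrase belongs in --askpass")
    return "ok", "username on line 1, password on line 2"


def check_askpass_file(content):
    """Return (level, message) for the contents of an --askpass file."""
    lines = content.splitlines()
    if not lines or not lines[0].strip():
        return "error", "empty file: no passphrase on line 1"
    return "ok", "passphrase on line 1"


def check_file_mode(path):
    """Warn when a credential file is accessible by group or others."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        return "warning", f"{path}: mode {oct(mode)} is accessible by group/others"
    return "ok", f"{path}: mode {oct(mode)}"


def lint_config(config_text, read_file):
    """Return [(directive, level, message)] for every credential-file directive.
    read_file(name) -> str is injected so the check can run on constructed input."""
    checks = {AUTH_USER_PASS: check_auth_user_pass_file, ASKPASS: check_askpass_file}
    results = []
    for name, args in parse_directives(config_text):
        if name in checks and args:  # a bare directive prompts interactively; nothing to lint
            level, msg = checks[name](read_file(args[0]))
            results.append((name, level, msg))
    return results


def mode_check_demo(mode):
    """Create a temporary file with the given mode and run check_file_mode on it."""
    fd, path = tempfile.mkstemp()
    try:
        os.close(fd)
        os.chmod(path, mode)
        return check_file_mode(path)
    finally:
        os.unlink(path)


# Constructed samples: the ticket's client config (trimmed) and two credential files.
TICKET_CONFIG = """\
client
proto tcp
remote 188.165.200.100 1194
dev tun
ca ca.crt
cert Serwer.Karawela.crt
key Serwer.Karawela.key
tls-auth ta.key 1
auth-user-pass karawela.txt
"""
FIXED_CONFIG = TICKET_CONFIG.replace("auth-user-pass karawela.txt", "askpass karawela.txt")
SAMPLE_FILES = {
    "karawela.txt": "example-key-passphrase\n",  # one line: a key passphrase (constructed)
    "creds.txt": "alice\nexample-password\n",    # username + password (constructed)
}


def read_sample(name):
    """Stand-in for reading a file from disk; serves the constructed samples above."""
    return SAMPLE_FILES[name]


if __name__ == "__main__":
    for label, cfg in (("ticket", TICKET_CONFIG), ("fixed", FIXED_CONFIG)):
        for directive, level, msg in lint_config(cfg, read_sample):
            print(f"[{label}] {directive}: {level}: {msg}")
    print(mode_check_demo(0o644))
```

Run against the ticket's config the lint reports a warning for `auth-user-pass karawela.txt` (one line, so 2.3.11 prompts for the password); with the directive changed to `askpass karawela.txt` the same file passes. The permission check mirrors the reason OpenVPN itself complains about world-readable key and credential files: a passphrase file with mode 0644 protects nothing on a shared host.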
comment:4 Changed 7 years ago by
Resolution: | → notabug |
---|---|
Status: | new → closed |
Closing this.
We might have broken the formerly-working config, but that just worked by accident - as Selva said, the right config argument to point to a passphrase is --askpass filename.
When we change code, we will take great care not to break what is documented to work, but we're not going to keep implementation quirks alive forever.
So -> solution provided, please adjust your config. If that still doesn't work, please reopen.
Log file?