Opened 8 years ago

Closed 7 years ago

#697 closed Bug / Defect (notabug)

openvpn client asks for password even though auth-user-pass present

Reported by: Marcin Koziej Owned by:
Priority: major Milestone:
Component: Generic / unclassified Version: OpenVPN 2.3.11 (Community Ed)
Severity: Not set (select this one, unless you're an OpenVPN developer) Keywords: password, rsa, client
Cc: Selva Nair

Description

I have two Debian clients which connect to OpenVPN: on version 2.3.11 OpenVPN insists on asking for a password, even though the auth-user-pass config option is present. The other Debian client, with an identical config file but version 2.3.4, is working properly.

openvpn config:

client
proto tcp
remote 188.165.200.100 1194
nobind
dev tun
comp-lzo
verb 4
persist-key
persist-tun

ca ca.crt
cert Serwer.Karawela.crt
key Serwer.Karawela.key
tls-auth ta.key 1
auth-user-pass karawela.txt

The 2.3.11 client does recognise that the password file is present and has the proper permissions.

In both cases the password file contains only the password [it's the password to the Serwer.Karawela.key file]. There is no other username to provide.

The openvpn server version:
OpenVPN 2.2.1 x86_64-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Dec 1 2014
Originally developed by James Yonan
Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@…>

$ ./configure --build=x86_64-linux-gnu --prefix=/usr --includedir=${prefix}/include --mandir=${prefix}/share/man --infodir=${prefix}/share/info --sysconfdir=/etc --localstatedir=/var --libexecdir=${prefix}/lib/openvpn --disable-maintainer-mode --disable-dependency-tracking CFLAGS=-g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security CPPFLAGS=-D_FORTIFY_SOURCE=2 CXXFLAGS=-g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security FFLAGS=-g -O2 LDFLAGS=-fPIE -pie -Wl,-z,relro -Wl,-z,now --enable-password-save --host=x86_64-linux-gnu --build=x86_64-linux-gnu --prefix=/usr --mandir=${prefix}/share/man --with-ifconfig-path=/sbin/ifconfig --with-route-path=/sbin/route

Both clients have enable_password_save=yes.

Change History (4)

comment:1 Changed 8 years ago by Gert Döring

Log file?

comment:2 Changed 8 years ago by Gert Döring

Cc: Selva Nair added

Oh. Am I reading this right, you're not using --auth-user-pass for username and password to authenticate to the remote site, but to store the *passphrase* for the secret key?

We might have broken that when reworking --auth-user-pass to fix a few other nasties, and add a few user wishes (like "having only the username in there, enter only the password").

Selva, does this sound reasonable?

comment:3 in reply to: 2 Changed 8 years ago by Selva Nair

Replying to cron2:

Oh. Am I reading this right, you're not using --auth-user-pass for username and password to authenticate to the remote site, but to store the *passphrase* for the secret key?

We might have broken that when reworking --auth-user-pass to fix a few other nasties, and add a few user wishes (like "having only the username in there, enter only the password").

Selva, does this sound reasonable?

If this is a certificate password, it should be supplied using "--askpass filename", not "--auth-user-pass filename". The latter is used for username/password authentication and requires the username on the first line of the file followed by the password on the second line. For 2.3.11, the password on the second line is optional, so a single line will be interpreted as the username and cause the password to be prompted for from the console.

comment:4 Changed 7 years ago by Gert Döring

Resolution: notabug
Status: newclosed

Closing this.

We might have broken the formerly-working config, but that just worked by accident - as Selva said, the right config argument to point to a passphrase is --askpass filename.

When we change code, we will take great care to not fix what is documented to work, but we're not going to keep implementation quirks alive forever.

So -> solution provided, please adjust your config. If that still doesn't work, please reopen.
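Added example (not OpenVPN's own code): a small Python lint that applies the auth-user-pass file rule Selva gives in comment:3 to a client config, flags the one-line file from this ticket as "username only, password will be prompted", and points at --askpass when a key is configured. The config and credential file are constructed in memory and the secret is a placeholder; findings never echo the file's contents.

```python
from typing import Dict, List, Optional, Tuple

def parse_auth_user_pass(text: str) -> Tuple[str, Optional[str]]:
    """Apply the 2.3.11 rule from comment:3: line 1 is the username, line 2 the
    password; with no second line OpenVPN prompts for the password on the console."""
    lines = [ln.strip() for ln in text.splitlines()]
    username = lines[0] if lines else ""
    password = lines[1] if len(lines) > 1 and lines[1] else None
    return username, password

def parse_config(text: str) -> Dict[str, List[str]]:
    """Minimal reader for the 'option arg ...' line format of the ticket's config."""
    opts: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = line.split()
            opts[parts[0]] = parts[1:]
    return opts

def lint_credentials(config_text: str, files: Dict[str, str]) -> List[str]:
    """Return findings for the auth-user-pass / askpass mix-up. `files` maps a file
    name to its contents (kept in memory so the example runs without disk access)."""
    opts = parse_config(config_text)
    findings: List[str] = []
    if opts.get("auth-user-pass"):
        fname = opts["auth-user-pass"][0]
        if fname not in files:
            findings.append(f"{fname}: auth-user-pass file not found")
        else:
            _user, password = parse_auth_user_pass(files[fname])
            if password is None:
                msg = (f"{fname}: one line only, it is taken as the username and "
                       "the password will be prompted for")
                if opts.get("key") and "askpass" not in opts:
                    msg += (f"; if it is the passphrase for {opts['key'][0]}, "
                            f"use 'askpass {fname}' instead")
                findings.append(msg)
    return findings

# Constructed sample mirroring the ticket's config, with a placeholder secret.
SAMPLE_CONFIG = ("client\ndev tun\ncert Serwer.Karawela.crt\n"
                 "key Serwer.Karawela.key\nauth-user-pass karawela.txt\n")
SAMPLE_FILES = {"karawela.txt": "placeholder-key-passphrase\n"}
FIXED_CONFIG = SAMPLE_CONFIG.replace("auth-user-pass ", "askpass ")

if __name__ == "__main__":
    for finding in lint_credentials(SAMPLE_CONFIG, SAMPLE_FILES):
        print("WARN", finding)
```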
