Opened 5 years ago

Last modified 8 days ago

#956 new Bug / Defect

Management Interface does not query for PKCS#11 token password in daemon mode

Reported by: rluta Owned by:
Priority: major Milestone:
Component: Management Version: OpenVPN 2.4.4 (Community Ed)
Severity: Not set (select this one, unless your'e a OpenVPN developer) Keywords:
Cc:

Description

When running with a pkcs hardware that requires a PIN code to unlock, Openvpn management interface fails to prompt for PIN Code and instead prompts only for Token Insertion.

Example config file:

client
remote myserver
dev tun
persist-tun
persist-key
verb 3
ca ca.crt
keepalive 10 60
cipher AES-256-CBC
comp-lzo
nobind
pkcs11-providers /usr/local/lib/libeTPkcs11.dylib
pkcs11-cert-private 1
pkcs11-id 'SafeNet\x2C\x20Inc\x2E/eToken/0256f233/ACE\x20eToken/XXXXXX'
pkcs11-pin-cache 3600
management 127.0.0.1 8888
management-hold
management-query-passwords

when run with command "openvpn --config config.ovpn" connecting to the management port yields the following dialog:

>INFO:OpenVPN Management Interface Version 1 -- type 'help' for more info
>HOLD:Waiting for hold release:0
hold release
SUCCESS: hold release succeeded
>PASSWORD:Need 'ACE eToken token' password
password 'ACE eToken token' MyPINCode
SUCCESS: 'ACE eToken token' password entered, but not yet verified
...

and completes connection successfully
but when run with command "openvpn --daemon --config config.ovpn", management dialog is:

>INFO:OpenVPN Management Interface Version 1 -- type 'help' for more info
>HOLD:Waiting for hold release:0
hold release
SUCCESS: hold release succeeded
>NEED-OK:Need 'token-insertion-request' confirmation MSG:Please insert ACE eToken token
needok 'token-insertion-request' ok
SUCCESS: 'token-insertion-request' needok-confirmation entered, but not yet verified
>NEED-OK:Need 'token-insertion-request' confirmation MSG:Please insert ACE eToken token
...

The daemon loops on needok since it can't read the token successfully without the PIN Code.

Change History (2)

comment:1 Changed 5 years ago by Selva Nair

Most likely its looping with "token-insertion-request" because the daemon is not able to see the token. Password prompt will not happen if there is no accessible token. Possibly some permissions issue when daemonized?

comment:2 Changed 8 days ago by Bjoern Voigt

This seems to be fixed in the meantime. In OpenVPN 2.5.8 it looks like this:

[... same configuration as in description, but without management-hold ...]
management 127.0.0.1 8888
# management-hold
management-query-passwords
openvpn --daemon --config config.ovpn
# netcat localhost 8888
>INFO:OpenVPN Management Interface Version 3 -- type 'help' for more info
>PASSWORD:Need 'yubikey-cert token' password
password 'yubikey-cert token' 987654
SUCCESS: 'yubikey-cert token' password entered, but not yet verified
status
OpenVPN STATISTICS
Updated,2022-11-20 22:15:41
TUN/TAP read bytes,1479
TUN/TAP write bytes,2156
TCP/UDP read bytes,7691
TCP/UDP write bytes,5803
Auth read bytes,2156
pre-compress bytes,0
post-compress bytes,0
pre-decompress bytes,0
post-decompress bytes,0
END

I wonder about the message "password entered, but not yet verified". The authentication is still successful.

Note: See TracTickets for help on using tickets.