Opened 6 years ago
Last modified 17 months ago
#956 new Bug / Defect
Management Interface does not query for PKCS#11 token password in daemon mode
Reported by: | rluta | Owned by: |
---|---|---|---
Priority: | major | Milestone: |
Component: | Management | Version: | OpenVPN 2.4.4 (Community Ed)
Severity: | Not set (select this one, unless you're an OpenVPN developer) | Keywords: |
Cc: | | |
Description
When running with PKCS#11 hardware that requires a PIN code to unlock, the OpenVPN management interface fails to prompt for the PIN code and instead prompts only for token insertion.
Example config file:
client
remote myserver
dev tun
persist-tun
persist-key
verb 3
ca ca.crt
keepalive 10 60
cipher AES-256-CBC
comp-lzo
nobind
pkcs11-providers /usr/local/lib/libeTPkcs11.dylib
pkcs11-cert-private 1
pkcs11-id 'SafeNet\x2C\x20Inc\x2E/eToken/0256f233/ACE\x20eToken/XXXXXX'
pkcs11-pin-cache 3600
management 127.0.0.1 8888
management-hold
management-query-passwords
When run with the command "openvpn --config config.ovpn", connecting to the management port yields the following dialog:
>INFO:OpenVPN Management Interface Version 1 -- type 'help' for more info
>HOLD:Waiting for hold release:0
hold release
SUCCESS: hold release succeeded
>PASSWORD:Need 'ACE eToken token' password
password 'ACE eToken token' MyPINCode
SUCCESS: 'ACE eToken token' password entered, but not yet verified
...
and the connection completes successfully.
But when run with the command "openvpn --daemon --config config.ovpn", the management dialog is:
>INFO:OpenVPN Management Interface Version 1 -- type 'help' for more info
>HOLD:Waiting for hold release:0
hold release
SUCCESS: hold release succeeded
>NEED-OK:Need 'token-insertion-request' confirmation MSG:Please insert ACE eToken token
needok 'token-insertion-request' ok
SUCCESS: 'token-insertion-request' needok-confirmation entered, but not yet verified
>NEED-OK:Need 'token-insertion-request' confirmation MSG:Please insert ACE eToken token
...
The daemon loops on needok since it cannot read the token successfully without the PIN code.
Change History (2)
comment:1 Changed 6 years ago by
comment:2 Changed 17 months ago by
This seems to be fixed in the meantime. In OpenVPN 2.5.8 it looks like this:
[... same configuration as in description, but without management-hold ...]
management 127.0.0.1 8888
# management-hold
management-query-passwords
openvpn --daemon --config config.ovpn
# netcat localhost 8888
>INFO:OpenVPN Management Interface Version 3 -- type 'help' for more info
>PASSWORD:Need 'yubikey-cert token' password
password 'yubikey-cert token' 987654
SUCCESS: 'yubikey-cert token' password entered, but not yet verified
status
OpenVPN STATISTICS
Updated,2022-11-20 22:15:41
TUN/TAP read bytes,1479
TUN/TAP write bytes,2156
TCP/UDP read bytes,7691
TCP/UDP write bytes,5803
Auth read bytes,2156
pre-compress bytes,0
post-compress bytes,0
pre-decompress bytes,0
post-decompress bytes,0
END
I wonder about the message "password entered, but not yet verified". The authentication is still successful.
Most likely it's looping with "token-insertion-request" because the daemon is not able to see the token. The password prompt will not happen if there is no accessible token. Possibly some permissions issue when daemonized?
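The management-interface exchanges quoted in the description (the foreground run that gets a PASSWORD prompt, the daemonised run that loops on NEED-OK) and in the 2.5.8 follow-up are the same three notification types. The following is an added example, not code from the ticket or from the OpenVPN project: a small responder that parses the daemon's `>HOLD:`, `>PASSWORD:` and `>NEED-OK:` notifications, answers them the way the transcripts do, and, instead of echoing `needok ... ok` forever, gives up once the same NEED-OK prompt has repeated more than a configured number of times. The transcripts embedded below are constructed from the ones in the ticket, the PIN value is constructed, and the `max_needok_repeats` threshold, the `MgmtResponder`/`drive` names and the quoting helper are this example's own choices.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Real-time notifications the OpenVPN daemon pushes over the management
# channel, in the shape quoted in the ticket transcripts.
HOLD_RE = re.compile(r"^>HOLD:")
PASSWORD_RE = re.compile(r"^>PASSWORD:Need '(?P<name>[^']+)' password$")
NEEDOK_RE = re.compile(r"^>NEED-OK:Need '(?P<name>[^']+)' confirmation MSG:(?P<msg>.*)$")


def mgmt_quote(value: str) -> str:
    """Quote an argument for a management command: single quotes around
    the value, with backslash and single quote escaped by a backslash."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


@dataclass
class MgmtResponder:
    # token name -> PIN. A real client would fetch these from a secret
    # store; the mapping used in this example is constructed.
    pins: dict
    # How often one NEED-OK prompt may repeat before the responder stops
    # answering "ok" (the daemon-mode loop described in the ticket).
    max_needok_repeats: int = 3
    needok_counts: dict = field(default_factory=dict)
    sent: list = field(default_factory=list)
    aborted: Optional[str] = None

    def handle(self, line: str) -> Optional[str]:
        """Return the command to send for one '>' notification, or None
        when no reply is due (or the session has already been aborted)."""
        if self.aborted:
            return None
        if HOLD_RE.match(line):
            return self._send("hold release")
        m = PASSWORD_RE.match(line)
        if m:
            name = m.group("name")
            pin = self.pins.get(name)
            if pin is None:
                self.aborted = f"no PIN configured for token {name!r}"
                return None
            return self._send(f"password {mgmt_quote(name)} {mgmt_quote(pin)}")
        m = NEEDOK_RE.match(line)
        if m:
            name = m.group("name")
            n = self.needok_counts.get(name, 0) + 1
            self.needok_counts[name] = n
            if n > self.max_needok_repeats:
                self.aborted = f"{name!r} repeated {n} times: token not visible to daemon"
                return None
            return self._send(f"needok {mgmt_quote(name)} ok")
        return None  # INFO and other lines need no reply

    def _send(self, cmd: str) -> str:
        self.sent.append(cmd)
        return cmd


def drive(transcript: str, pins: dict, max_needok_repeats: int = 3) -> MgmtResponder:
    """Feed every daemon notification (lines starting with '>') of a captured
    transcript through a responder; other lines are echoes of our own replies."""
    r = MgmtResponder(pins=pins, max_needok_repeats=max_needok_repeats)
    for line in transcript.splitlines():
        line = line.strip()
        if line.startswith(">"):
            r.handle(line)
    return r


# Constructed transcripts modelled on the two runs in the ticket description.
FOREGROUND = """\
>INFO:OpenVPN Management Interface Version 1 -- type 'help' for more info
>HOLD:Waiting for hold release:0
SUCCESS: hold release succeeded
>PASSWORD:Need 'ACE eToken token' password
SUCCESS: 'ACE eToken token' password entered, but not yet verified
"""

DAEMON = """\
>INFO:OpenVPN Management Interface Version 1 -- type 'help' for more info
>HOLD:Waiting for hold release:0
SUCCESS: hold release succeeded
>NEED-OK:Need 'token-insertion-request' confirmation MSG:Please insert ACE eToken token
SUCCESS: 'token-insertion-request' needok-confirmation entered, but not yet verified
>NEED-OK:Need 'token-insertion-request' confirmation MSG:Please insert ACE eToken token
SUCCESS: 'token-insertion-request' needok-confirmation entered, but not yet verified
>NEED-OK:Need 'token-insertion-request' confirmation MSG:Please insert ACE eToken token
SUCCESS: 'token-insertion-request' needok-confirmation entered, but not yet verified
>NEED-OK:Need 'token-insertion-request' confirmation MSG:Please insert ACE eToken token
"""

PINS = {"ACE eToken token": "123456"}  # constructed PIN, not a real one

if __name__ == "__main__":
    for label, transcript in (("foreground", FOREGROUND), ("daemon", DAEMON)):
        r = drive(transcript, PINS)
        print(label, "sent:", r.sent, "aborted:", r.aborted)
```

Run stand-alone it prints the commands sent for each transcript; the daemon-mode run stops after three `needok` replies with an explanation instead of spinning, which is the behaviour a monitoring wrapper around `--management` would want so that a token the daemon cannot reach is reported rather than silently retried.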