Summary: | >=net-misc/openvpn-2.3.7: passphrase for key is not requested | | |
---|---|---|---|
Product: | Gentoo Linux | Reporter: | Marcel Pennewiß <gentoo> |
Component: | Current packages | Assignee: | Dirkjan Ochtman (RETIRED) <djc> |
Status: | RESOLVED TEST-REQUEST | | |
Severity: | normal | CC: | denny.reeh, gentoo-user |
Priority: | Normal | | |
Version: | unspecified | | |
Hardware: | All | | |
OS: | Linux | | |
Whiteboard: | | | |
Package list: | | Runtime testing required: | --- |
Bug Depends on: | | | |
Bug Blocks: | 556874 | | |
Description
Marcel Pennewiß
2015-07-14 18:36:05 UTC
Apologies, this is upstream breakage (specifically, --daemon with password-protected keys and/or --auth-user-pass is broken in 2.3.7).

To fix, you want these patches from git release/2.3 branch:

commit dda40aedfb87d77afcef52376cd3e4778ba0370b
Author: Gert Doering <gert@greenie.muc.de>
    Document --daemon changes and consequences (--askpass, --auth-nocache).

commit 4d093fff305a3054d88ae2c803665cf90d512c7e
Author: James Geboski <jgeboski@gmail.com>
    Fix --askpass not allowing for password input via stdin

commit b131c7b974d9d4d3f0a6ab3a81719af6f7ab2ad6
Author: Gert Doering <gert@greenie.muc.de>
    Produce a meaningful error message if --daemon gets in the way of asking for passwords.

commit 7bde2e1b19e66af22c26c90e1187a4365c9087fc
Author: Steffan Karger <steffan@karger.me>
    fix regression: query password before becoming daemon

*and* you need to run openvpn with the "--askpass" option - otherwise it won't know that it needs to ask for the pass phrase (more explanation is in the git commits).

Again, apologies for the breakage - we had to swap crypto init and daemon() to ensure we never fork after initializing openssl - because that breaks FreeBSD's cryptodev (and makes pkcs#11 more complicated), and there is no other way to fix it. "Caught between a rock and a hard place".

looks like 2.3.8 is available with all the fixes now.

please test 2.3.8, just added to the tree (should have the fix)

I upgraded from 2.3.6 to 2.3.7 and was not asked for password and got

    openvpn[11087]: ERROR: could not read Auth username from stdin
    openvpn[11087]: Exiting due to fatal error

Upgraded one version further to 2.3.8 -> works again

Please do not mark 2.3.7 as stable

openvpn-2.3.8 works as expected, but needs changing configfile (add askpass to config) if the key requires a passphrase. As openvpn fails if askpass is configured, but the key did not need any passphrase this could not be done "automatically" via init-script. Maybe we should add a post-message/news about this.

mh... I see my description was not precise enough:

    /etc/init.d/openvpn.foobar start

2.3.6 and 2.3.8 ask for my credentials on console, meaning I type in user+pass

2.3.7 does not even try to ask for a username and silently fails, only log shows it got no username -- well, because it didn't even try and ask
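
The rule the comments above arrive at (add `askpass` when the key has a passphrase, and leave it out when it does not) can be checked per config before upgrading. The script below is an added example, not part of the bug report or of the Gentoo init script; the function names, the result labels and the rule that relative key paths resolve against the config's directory are assumptions, and the sample keys are constructed header-only stubs.

```shell
#!/bin/sh
# Added example: decide whether an OpenVPN config needs "askpass" from its key.

# Print the key's PEM text: inline <key> block, or the "key <file>" target.
key_pem() {
    if grep -q '^[[:space:]]*<key>' "$1"; then
        sed -n '/^[[:space:]]*<key>/,/^[[:space:]]*<\/key>/p' "$1"
        return
    fi
    keyfile=$(awk '$1 == "key" { gsub(/"/, "", $2); print $2; exit }' "$1")
    [ -n "$keyfile" ] || return 1
    # Assumption: relative key paths are relative to the config's directory.
    case $keyfile in /*) ;; *) keyfile=$(dirname "$1")/$keyfile ;; esac
    cat "$keyfile" 2>/dev/null
}

# Echo ADD_ASKPASS, REMOVE_ASKPASS, OK or NO_KEY for one config file.
check_conf() {
    pem=$(key_pem "$1") || { echo NO_KEY; return 0; }
    encrypted=no askpass=no
    # PKCS#8 encrypted header, or the traditional PEM "Proc-Type" marker.
    printf '%s\n' "$pem" |
        grep -Eq 'BEGIN ENCRYPTED PRIVATE KEY|Proc-Type: 4,ENCRYPTED' && encrypted=yes
    grep -Eq '^[[:space:]]*askpass([[:space:]]|$)' "$1" && askpass=yes
    case $encrypted,$askpass in
        yes,no) echo ADD_ASKPASS ;;     # thread: 2.3.8 needs askpass for such keys
        no,yes) echo REMOVE_ASKPASS ;;  # thread: openvpn fails in this case
        *)      echo OK ;;
    esac
}

# Constructed sample: header-only key stubs, enough for the header check.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '-----BEGIN ENCRYPTED PRIVATE KEY-----' > "$d/enc.key"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' > "$d/plain.key"
    printf 'client\nkey enc.key\n' > "$d/a.conf"
    printf 'client\nkey plain.key\naskpass\n' > "$d/b.conf"
    printf 'client\nkey enc.key\naskpass\n' > "$d/c.conf"
    for c in a b c; do printf '%s.conf: %s\n' "$c" "$(check_conf "$d/$c.conf")"; done
    rm -rf "$d"
}

# With arguments, check those configs; with none, run the constructed demo.
if [ "$#" -gt 0 ]; then
    for conf in "$@"; do printf '%s: %s\n' "$conf" "$(check_conf "$conf")"; done
else
    demo
fi
```

Run it with the paths of the configs to check; only PEM `key` files and inline `<key>` blocks are inspected, so a config that loads its key another way reports NO_KEY.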