Bug 554908

Summary: >=net-misc/openvpn-2.3.7: passphrase for key is not requested
Product: Gentoo Linux
Reporter: Marcel Pennewiß <gentoo>
Component: Current packages
Assignee: Dirkjan Ochtman <djc>
Status: RESOLVED TEST-REQUEST
Severity: normal
CC: denny.reeh, gentoo-user
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard:
Package list:
Runtime testing required: ---
Bug Depends on:
Bug Blocks: 556874

Description Marcel Pennewiß 2015-07-14 18:36:05 UTC
openvpn from version 2.3.7 does not ask for the passphrase that is required for the key if it is started by the init-script (openrc).

Reproducible: Always

Steps to Reproduce:
1. Update openvpn from 2.3.6 to 2.3.7
2. Use vpn-config with key which requires passphrase

Actual Results:
See openvpn starting via init-script:

* Starting openvpn.vpn1... [ ok ]
* WARNING: openvpn.vpn1 has started, but is inactive

openvpn[26264]: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
openvpn[26264]: Error: private key password verification failed
openvpn[26264]: Exiting due to fatal error

Expected Results:
Passphrase request and working VPN client

OpenVPN seems to need "askpass" as an option, but this did not work, since stdin is not available during the init-script:

openvpn[26561]: Options error: --askpass fails with 'stdin': No such file or directory
openvpn[26561]: Options error: Please correct these errors.

The patch in

https://community.openvpn.net/openvpn/ticket/248
http://thread.gmane.org/gmane.network.openvpn.devel/9918

fixed the stdin error above, but did not allow entering the passphrase. I already tried starting openvpn with --daemon --askpass --config CONFIG-FILE; it results in the same issue.

Maybe also related:
http://sourceforge.net/p/openvpn/mailman/message/34294347/
Comment 1 Gert Doering 2015-07-19 13:14:24 UTC
Apologies, this is upstream breakage (specifically, --daemon with password-protected keys and/or --auth-user-pass is broken in 2.3.7).

To fix, you want these patches from git release/2.3 branch:

commit dda40aedfb87d77afcef52376cd3e4778ba0370b
Author: Gert Doering <gert@greenie.muc.de>

    Document --daemon changes and consequences (--askpass, --auth-nocache).

commit 4d093fff305a3054d88ae2c803665cf90d512c7e
Author: James Geboski <jgeboski@gmail.com>

    Fix --askpass not allowing for password input via stdin

commit b131c7b974d9d4d3f0a6ab3a81719af6f7ab2ad6
Author: Gert Doering <gert@greenie.muc.de>

    Produce a meaningful error message if --daemon gets in the way of asking for passwords.

commit 7bde2e1b19e66af22c26c90e1187a4365c9087fc
Author: Steffan Karger <steffan@karger.me>

    fix regression: query password before becoming daemon


*and* you need to run openvpn with the "--askpass" option - otherwise it won't know that it needs to ask for the pass phrase (more explanation is in the git commits).

Again, apologies for the breakage - we had to swap crypto init and daemon() to ensure we never fork after initializing openssl - because that breaks FreeBSD's cryptodev (and makes pkcs#11 more complicated), and there is no other way to fix it.  "Caught between a rock and a hard place".
Comment 2 Matthew Thode (prometheanfire) 2015-08-07 14:06:07 UTC
Looks like 2.3.8 is available with all the fixes now.
Comment 3 Matthew Thode (prometheanfire) 2015-08-08 05:15:00 UTC
Please test 2.3.8, just added to the tree (it should have the fix).
Comment 4 Morton Pellung 2015-08-13 09:00:10 UTC
I upgraded from 2.3.6 to 2.3.7, was not asked for a password and got:
openvpn[11087]: ERROR: could not read Auth username from stdin
openvpn[11087]: Exiting due to fatal error

Upgraded one version further to 2.3.8 -> works again.

Please do not mark 2.3.7 as stable.
Comment 5 Marcel Pennewiß 2015-08-13 09:44:19 UTC
openvpn-2.3.8 works as expected, but needs a change to the config file (add askpass to the config) if the key requires a passphrase. As openvpn fails if askpass is configured but the key does not need any passphrase, this could not be done "automatically" via the init-script.

Maybe we should add a post-message/news about this.
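Added example, not part of this bug report, of the Gentoo init-script or of OpenVPN: a POSIX sh helper that appends --askpass only when the config's key file is passphrase-protected, i.e. the conditional that comment 5 says the init-script cannot apply blindly. It assumes the `key` directive names a PEM file on disk (inline `<key>` blocks are not handled) and that relative paths resolve against the config's directory.

```shell
# Print the key file referenced by the config's "key" directive.
# Assumption: relative paths are relative to the config directory (no --cd).
openvpn_key_path() {
    conf="$1"
    key=$(sed -n 's/^[[:space:]]*key[[:space:]]\{1,\}\([^#;]*\).*/\1/p' "$conf" \
          | head -n 1 | sed 's/[[:space:]]*$//')
    [ -n "$key" ] || return 1
    case "$key" in
        /*) printf '%s\n' "$key" ;;
        *)  printf '%s/%s\n' "$(dirname "$conf")" "$key" ;;
    esac
}

# Succeed when the PEM key is encrypted: PKCS#8 ("BEGIN ENCRYPTED PRIVATE
# KEY") or legacy OpenSSL PEM with a "Proc-Type: 4,ENCRYPTED" header.
key_needs_passphrase() {
    grep -Eq '^-----BEGIN ENCRYPTED PRIVATE KEY-----|^Proc-Type: 4,ENCRYPTED' "$1"
}

# Print the option to append to the openvpn command line: "--askpass" for an
# encrypted key, nothing otherwise (comment 5 reports that --askpass with an
# unencrypted key makes openvpn fail, so it must not be added unconditionally).
openvpn_extra_opts() {
    key=$(openvpn_key_path "$1") || return 0
    if key_needs_passphrase "$key"; then printf '%s\n' '--askpass'; fi
}

# Constructed sample configs and key stubs (not real keys) for a dry run.
make_samples() {
    dir=$(mktemp -d)
    printf 'client\nkey enc.key\n' > "$dir/enc.conf"
    printf '%s\n' '-----BEGIN ENCRYPTED PRIVATE KEY-----' 'MIIB...constructed...' \
        '-----END ENCRYPTED PRIVATE KEY-----' > "$dir/enc.key"
    printf 'client\nkey plain.key   # no passphrase on this key\n' > "$dir/plain.conf"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'MIIB...constructed...' \
        '-----END PRIVATE KEY-----' > "$dir/plain.key"
    printf '%s\n' "$dir"
}

samples=$(make_samples)
echo "enc.conf:   $(openvpn_extra_opts "$samples/enc.conf")"
echo "plain.conf: $(openvpn_extra_opts "$samples/plain.conf")"
```

In an init-script the printed option would be spliced into the openvpn command line next to --daemon and --config.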
Comment 6 Morton Pellung 2015-08-13 13:23:48 UTC
mh... I see my description was not precise enough:

/etc/init.d/openvpn.foobar start

2.3.6 and 2.3.8 ask for my credentials on the console, meaning I type in user+pass.
2.3.7 does not even try to ask for a username and silently fails; only the log shows it got no username -- well, because it didn't even try to ask.