Bug 733614 - net-vpn/openconnect : files/ fails at handling arguments containing spaces in /etc/conf.d/openconnect
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: William Hubbs
Depends on:
Reported: 2020-07-23 00:52 UTC by phkb
Modified: 2021-10-02 17:20 UTC (History)

Patch that adds an authgroup option (openconnect-add-authgroup.patch, 530 bytes, patch)
2020-09-23 12:05 UTC, phkb

Description phkb 2020-07-23 00:52:49 UTC
There is no way to have arguments containing spaces in the vpnopts variable in /etc/conf.d/openconnect. The variable is used unquoted in the init script, thus it is subject to word splitting.

Arguments with spaces may be necessary to connect to some networks, such as --authgroup with a group name containing spaces.
Comment 1 Jeroen Roovers (RETIRED) gentoo-dev 2020-07-30 10:46:42 UTC
Can't you instead embed escaped spaces in conf.d so they will only get interpreted/unescaped in init.d?
Comment 2 phkb 2020-07-30 22:22:58 UTC
I tried, to no avail. Escaping the space with a backslash won't work. If you have it working, could you provide an example?

Here is a minimal example:

$ t='test\ space'; printf '%s\n' $t

Because the variable is not quoted, the two parts are split despite the backslash.
Comment 3 phkb 2020-09-23 12:05:34 UTC
Created attachment 662110 [details, diff]
Patch that adds an authgroup option

Would a patch like this have a chance to get merged? It adds the authgroup argument if the authgroup_$VPN variable is set in conf.d/openconnect. This way it can have spaces and it'll be parsed as one argument thanks to the quotes.
Comment 4 Gabriel Marcano 2020-11-17 09:42:10 UTC
I'm having the same problems, and the patch works for my use case. I did not test to see if VPNs without a group continue to work.
Comment 5 Mike Gilbert gentoo-dev 2020-11-21 17:07:35 UTC
I do not use or really maintain the init script, and would prefer to drop it entirely.

Maybe William can take a look at this issue.
Comment 6 William Hubbs gentoo-dev 2020-11-23 00:03:09 UTC
It seems to me that a cleaner approach is going to be to have
openconnect configuration files in /etc/openconnect/<vpn>.conf which
control tunnel specific options. The service script will then use the
--config command line switch to openconnect.

This is cleaner because your tunnel configurations are no longer in
/etc/conf.d and can be used regardless of your init system.

Currently the service script and ebuild warn you to perform the
migration, but the plan is to ignore the old conf.d settings in the
Comment 7 Larry the Git Cow gentoo-dev 2020-11-23 00:03:32 UTC
The bug has been closed via the following commit(s):

commit 41acdc92e655eb64a0d667b3b612fd5312921656
Author:     William Hubbs <>
AuthorDate: 2020-11-22 23:41:54 +0000
Commit:     William Hubbs <>
CommitDate: 2020-11-23 00:03:27 +0000

    net-vpn/openconnect: 8.10-r1 revbump to fix openrc service
    This changes the openrc service to support the use of separate
    openconnect config files for each tunnel instead of setting the tunnel
    options in the conf.d files.
    The config files will be stored in /etc/openconnect/<tunnel>.conf. The
    contents of these config files is defined in the openconnect man page.
    Signed-off-by: William Hubbs <>

 net-vpn/openconnect/files/README.OpenRC          |  30 +++++
 net-vpn/openconnect/files/openconnect.initd.8.10 | 105 ++++++++++++++++
 net-vpn/openconnect/openconnect-8.10-r1.ebuild   | 153 +++++++++++++++++++++++
 3 files changed, 288 insertions(+)
Comment 8 phkb 2020-11-23 09:58:53 UTC
Would it be possible to keep the support for the password_VPN variable? It can still be useful for several reasons:

1) In case one wants to call a command to retrieve the password
I call pass in my conf.d/openconnect, that way the passwords are not stored in plaintext.

2) In case 2FA is required with unsupported --token-mode
One of the VPNs I connect to requires 2FA with only the Android or iOS Duo app (that sucks). I've read the --token-mode help but I don't think I can use it to provide the code I get from the Duo app. The only solution seems to be to use --password-on-stdin and provide the code on the 2nd line, after the password.

In addition, it's not clear to me how to migrate the password from password_VPN to the config file. The README.OpenRC file only points to the man page, which says any command-line option can be put there. Except the only option I see for passwords is --password-on-stdin. Is there a --password option? (I guess probably not since that would leave the password readable by anyone). So how are we supposed to specify the password in the config file? Maybe this could be explained in the README.OpenRC file.
Comment 9 Larry the Git Cow gentoo-dev 2021-10-02 06:01:59 UTC
The bug has been referenced in the following commit(s):

commit e7ea3fbeadbd0524ea7d7498a8eb563b0b780495
Author:     Mike Gilbert <>
AuthorDate: 2021-10-02 05:54:38 +0000
Commit:     Mike Gilbert <>
CommitDate: 2021-10-02 06:00:09 +0000

    net-vpn/openconnect: revise init script
    Remove warnings about removal of variables.
    Restore sample conf.d file.
    Allow for missing config file.
    Use eval to allow quoted whitespace in vpnopts.
    Signed-off-by: Mike Gilbert <>

 net-vpn/openconnect/files/      |   2 +-
 net-vpn/openconnect/files/openconnect.initd        | 109 +++++++++++++++++++++
 ...t-8.10-r2.ebuild => openconnect-8.10-r3.ebuild} |   5 +-
 net-vpn/openconnect/openconnect-9999.ebuild        |   5 +-
 4 files changed, 118 insertions(+), 3 deletions(-)
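
Added example, not part of the bug report or of the Gentoo init script: it compares the unquoted expansion from the description and comment 2, the eval re-parse named in the commit message above, and a dedicated quoted variable as proposed in comment 3. The helper names and all sample values are assumptions made for illustration.

```sh
#!/bin/sh
# Added illustration, not the Gentoo init script. All values are constructed.

# Print the argument count, then each argument in brackets.
show_args() {
    printf '%d' "$#"
    for a in "$@"; do printf ' [%s]' "$a"; done
    printf '\n'
}

# Unquoted expansion: the value is split on $IFS (and globbed) after
# expansion. Quotes and backslashes stored in it are never re-parsed as
# shell syntax, so they stay literal and cannot protect a space.
split_unquoted() {
    # shellcheck disable=SC2086
    show_args $1
}

# eval re-parses the value as shell source: embedded quotes now group
# words, but $(...) and `...` inside the value are executed as well.
split_eval() {
    eval "show_args $1"
}

# Dedicated, quoted variable (hypothetical name): always one argument,
# and the value is never parsed as code.
split_dedicated() {
    show_args --authgroup "$1"
}

vpnopts='--authgroup "Staff VPN" --no-dtls'   # constructed sample value

split_unquoted 'test\ space'         # comment 2's case: two arguments
split_unquoted "$vpnopts"            # four arguments, quotes kept literally
split_eval "$vpnopts"                # three arguments
split_dedicated 'Staff VPN'          # two arguments
split_eval '--user "$(echo ran)"'    # the substitution is executed
```

Files under /etc/conf.d are already sourced as shell by OpenRC, so the eval form does not widen the trust boundary, but it does mean the file must stay writable by root only.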
Comment 10 Larry the Git Cow gentoo-dev 2021-10-02 17:20:01 UTC
The bug has been referenced in the following commit(s):

commit d08fe11b2b09f874ea8a2fbd296f69a4ce073702
Author:     Mike Gilbert <>
AuthorDate: 2021-10-02 17:07:50 +0000
Commit:     Mike Gilbert <>
CommitDate: 2021-10-02 17:19:57 +0000

    net-vpn/openconnect: rewrite initscript
    Support for the server_${VPN}, password_${VPN}, and vpnopts_${VPN}
    variables is dropped.
    Per-VPN variables are now defined in /etc/conf.d/openconnect.${vpn}.
    Instead of defining server and vpnopts, the user should set command_args
    which will be passed to openconnect via the default_start function.
    Support for 'password' and 'password_file' variables is added. If neither
    is specified, the password will be prompted for interactively.
    Support for up/down hooks is dropped. The functionality can be replaced
    with vpnc-script hooks.
    Signed-off-by: Mike Gilbert <>

 net-vpn/openconnect/files/README.OpenRC            |  25 +----
 net-vpn/openconnect/files/openconnect.confd        |   6 ++
 net-vpn/openconnect/files/openconnect.initd        | 107 +++------------------
 ...t-8.10-r3.ebuild => openconnect-8.10-r4.ebuild} |   2 +-
 net-vpn/openconnect/openconnect-9999.ebuild        |   2 +-
 5 files changed, 25 insertions(+), 117 deletions(-)