Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Support asking for passwords again #650

Open
mathstuf opened this issue Dec 5, 2024 · 7 comments
Open

Support asking for passwords again #650

mathstuf opened this issue Dec 5, 2024 · 7 comments

Comments

@mathstuf
Copy link
Contributor

mathstuf commented Dec 5, 2024

Describe the bug
With MFA on the client side, it seems that OpenVPN only asks for a password once. If that fails, it just accepts that the authentication is invalid and doesn't ask again. Would it be possible to support sending a signal or some other mechanism to have a running instance ask for a password again?

To Reproduce
Have an MFA setup. I'm using a systemd-launched instance on the client side. It uses systemd's password authentication mechanism. I have a PR (#649) to remove the timeout, but even without it, if I get it wrong (e.g., enter a code just as it is invalidated or make a typo), I am never asked for the password again. It'd be nice if it would do so after a timeout (just like it does after the system comes back from being suspended and reconnecting) or I could send it a signal to prompt for authentication again.

Expected behavior
When asking for authentication information, ask again if something goes wrong.

Version information (please complete the following information):

  • OS: Fedora 40
  • OpenVPN version: OpenVPN 2.6.12 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] [DCO]
  • Repeat for peer if relevant
@mathstuf
Copy link
Contributor Author

mathstuf commented Dec 5, 2024

Oh, I see that openvpn exits if the auth fails…maybe I can get systemd to restart it in that case… Perhaps a dedicated exit code could be used? Meh, systemd just sees non-zero versus zero for regular exits.

@cron2
Copy link
Contributor

cron2 commented Dec 5, 2024

--auth-retry interact might help.

@mathstuf
Copy link
Contributor Author

mathstuf commented Dec 5, 2024

I have that in the client configuration file already. Here's the non-cert bits of the configuration file in use (some configuration fields anonymized):

dev tun
persist-tun
persist-key
data-ciphers CIPHER_LIST
data-ciphers-fallback CIPHER_LIST
keepalive 10 120
cipher CIPHER
auth AUTH_ALGO
tls-client
client
resolv-retry infinite
remote SERVER_HOSTNAME SERVER_PORT udp4
auth-user-pass
auth-retry interact
nobind
verify-x509-name "SERVER_HOSTNAME" name
remote-cert-tls server
explicit-exit-notify
reneg-sec 0
push-peer-info

@selvanair
Copy link
Contributor

Could you post the client log? If the server sends AUTH_FAIL on MFA mismatch, the client should start over with another round of user name and password prompt. That's what auth-retry interact is supposed to do.

@mathstuf
Copy link
Contributor Author

mathstuf commented Dec 5, 2024

Here are the logs around an MFA failure:

Dec 05 11:59:43 farprobe openvpn[256417]: 2024-12-05 11:59:43 AUTH: Received control message: AUTH_FAILED
Dec 05 11:59:43 farprobe openvpn[256417]: 2024-12-05 11:59:43 SIGUSR1[soft,auth-failure] received, process restarting
Dec 05 12:00:29 farprobe openvpn[258898]: Failed to query password: Timer expired
Dec 05 12:00:29 farprobe openvpn[256417]: 2024-12-05 12:00:29 ERROR: Failed retrieving username or password
Dec 05 12:00:29 farprobe openvpn[256417]: 2024-12-05 12:00:29 Exiting due to fatal error
Dec 05 12:00:29 farprobe systemd[1]: [email protected]: Main process exited, code=exited, status=1/FAILURE
Dec 05 12:00:29 farprobe systemd[1]: [email protected]: Failed with result 'exit-code'.
Dec 05 12:00:29 farprobe systemd[1]: [email protected]: Consumed 1.576s CPU time.

This might just be a conflation of the timeout issue that #649 is aiming to solve.

@cron2
Copy link
Contributor

cron2 commented Dec 5, 2024

Indeed, this is not actually an auth fail, just an expired password query (which is considered a "user does not want to proceed" situation by the openvpn core - same thing happens when you just press return at a password prompt in a terminal session).

@mathstuf
Copy link
Contributor Author

mathstuf commented Dec 5, 2024

Ok, thanks. Should I try to plumb some option to --timeout=0 in #649 or is it OK to make it unconditional? I think it might also make sense to pass --id=openvpn:<some-id> to help figure out which instance is asking (in the case of multiple copies), but I'm not sure where to get that from…maybe the path to the configuration file?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants