[kde] [Bug 350521] New: kdeplasma-applets-plasma-nm does not support OTP Tokens for OpenVPN connections

vst slava18+bugs at gmail.com
Wed Jul 22 21:23:42 BST 2015


https://bugs.kde.org/show_bug.cgi?id=350521

            Bug ID: 350521
           Summary: kdeplasma-applets-plasma-nm does not support OTP
                    Tokens for OpenVPN connections
           Product: kde
           Version: 4.14.1
          Platform: Archlinux Packages
                OS: Linux
            Status: UNCONFIRMED
          Severity: normal
          Priority: NOR
         Component: general
          Assignee: unassigned-bugs at kde.org
          Reporter: slava18+bugs at gmail.com

My company uses OTP with OpenVPN, so we have a three-factor authentication:
1) the private key
2) the username/password combination
3) an OTP token generated by Google Authenticator (on a separate prompt)

I use the kdeplasma-applets-plasma-nm package as my NM GUI, and it does not
know how to respond to the OTP challenge.
Here is the documentation on the CHALLENGE/RESPONSE protocol (at the bottom of
the page):
https://openvpn.net/index.php/open-source/documentation/miscellaneous/79-management-interface.html
It says client UIs should add explicit support for the challenge/response
protocol. We use the 'dynamic' variation of the protocol, judging by the NM
output in the logs.

Reproducible: Always

Steps to Reproduce:
1. Create an OpenVPN connection in the NM KDE Plasma applet
2. Start the connection
3. Have your key, username/password, OTP application ready

Actual Results:  
Jul 22 18:07:06 vst NetworkManager[23350]: <info>  Starting VPN service
'openvpn'...
Jul 22 18:07:06 vst NetworkManager[23350]: <info>  VPN service 'openvpn'
started (org.freedesktop.NetworkManager.openvpn), PID 14500
Jul 22 18:07:06 vst NetworkManager[23350]: <info>  VPN service 'openvpn'
appeared; activating connections
Jul 22 18:07:06 vst NetworkManager[23350]: <info>  VPN plugin state changed:
starting (3)
Jul 22 18:07:06 vst NetworkManager[23350]: <info>  VPN connection 'VPN OTP'
(Connect) reply received.
Jul 22 18:07:06 vst nm-openvpn[14501]: OpenVPN 2.3.6 x86_64-unknown-linux-gnu
[SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Dec  2 2014  
Jul 22 18:07:06 vst nm-openvpn[14501]: library versions: OpenSSL 1.0.2d 9 Jul
2015, LZO 2.09
Jul 22 18:07:06 vst NetworkManager[23350]: nm-openvpn-Message: openvpn started
with pid 14501
Jul 22 18:07:06 vst nm-openvpn[14501]: WARNING: No server certificate
verification method has been enabled.  See http://openvpn.net/howto.html#mitm
for more info.
Jul 22 18:07:06 vst nm-openvpn[14501]: NOTE: the current --script-security
setting may allow this configuration to call user-defined scripts 
Jul 22 18:07:06 vst nm-openvpn[14501]: WARNING: file '/home/vst/ovpn3/vst.key'
is group or others accessible
Jul 22 18:07:06 vst nm-openvpn[14501]: WARNING: file '/home/vst/ovpn3/ta.key'
is group or others accessible
Jul 22 18:07:06 vst nm-openvpn[14501]: Control Channel Authentication: using
'/home/vst/ovpn3/ta.key' as a OpenVPN static key file
Jul 22 18:07:06 vst nm-openvpn[14501]: UDPv4 link local: [undef] 
Jul 22 18:07:06 vst nm-openvpn[14501]: UDPv4 link remote:
[AF_INET]ovpnhost:1194
Jul 22 18:07:08 vst nm-openvpn[14501]: [OpenVPN Server] Peer Connection
Initiated with [AF_INET]ovpnhost:1194
Jul 22 18:07:10 vst nm-openvpn[14501]: AUTH: Received control message:
AUTH_FAILED,CRV1:R,E:VM2+d9zeWvqrTIgufNqZHGloeSAoTUbb:dnN0ZXRza2V2eWNo:OTP
Token:
Jul 22 18:07:10 vst nm-openvpn[14501]: SIGUSR1[soft,auth-failure] received,
process restarting
Jul 22 18:07:10 vst NetworkManager[23350]: <warn>  VPN plugin failed:
login-failed (0)
Jul 22 18:07:10 vst NetworkManager[23350]: <info>  VPN plugin state changed:
stopped (6)
Jul 22 18:07:10 vst NetworkManager[23350]: <info>  VPN plugin state change
reason: login-failed (10)
Jul 22 18:07:10 vst NetworkManager[23350]: <warn>  error disconnecting VPN:
Could not process the request because no VPN connection was active. 
Jul 22 18:07:10 vst NetworkManager[23350]: (nm-openvpn-service:14500):
nm-openvpn-WARNING **: Password verification failed
Jul 22 18:07:30 vst NetworkManager[23350]: <info>  VPN service 'openvpn'
disappeared

Expected Results:  
Here's a try with the official console client. Connects fine.
[root@vst ~]# openvpn --config /home/vst/ovpn3/ovpn3.conf
Wed Jul 22 23:01:55 2015 OpenVPN 2.3.6 x86_64-unknown-linux-gnu [SSL (OpenSSL)]
[LZO] [EPOLL] [MH] [IPv6] built on Dec  2 2014
Wed Jul 22 23:01:55 2015 library versions: OpenSSL 1.0.2d 9 Jul 2015, LZO 2.09
Enter Auth Username: ************
Enter Auth Password: ***********************
CHALLENGE: OTP Token:
Response: ******
Wed Jul 22 23:02:16 2015 Control Channel Authentication: tls-auth using INLINE
static key file
Wed Jul 22 23:02:16 2015 Outgoing Control Channel Authentication: Using 160 bit
message hash 'SHA1' for HMAC authentication
Wed Jul 22 23:02:16 2015 Incoming Control Channel Authentication: Using 160 bit
message hash 'SHA1' for HMAC authentication
Wed Jul 22 23:02:16 2015 Socket Buffers: R=[212992->200000] S=[212992->200000]
Wed Jul 22 23:02:16 2015 UDPv4 link local: [undef]
Wed Jul 22 23:02:16 2015 UDPv4 link remote: [AF_INET]ovpnhost:1194
Wed Jul 22 23:02:16 2015 TLS: Initial packet from [AF_INET]ovpnhost:1194,
sid=14519136 d810d773
Wed Jul 22 23:02:16 2015 WARNING: this configuration may cache passwords in
memory -- use the auth-nocache option to prevent this
Wed Jul 22 23:02:19 2015 VERIFY OK: depth=1, CN=OpenVPN CA
Wed Jul 22 23:02:19 2015 VERIFY OK: nsCertType=SERVER
Wed Jul 22 23:02:19 2015 VERIFY OK: depth=0, CN=OpenVPN Server
...............  connection successful

Please fix the client so that it prompts for the challenge. Could use some kind
of an askpass program maybe.

-- 
You are receiving this mail because:
You are the assignee for the bug.
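
Added example, not part of the original report and not plasma-nm or OpenVPN code: a sketch of what a client UI has to do with the dynamic challenge seen in the log above, following the CRV1 layout from the OpenVPN management interface notes (flags, state id, base64 username, challenge text; reply sent as the password in the form CRV1::state_id::response). The sample messages, state id and username are constructed, and the function and class names are hypothetical.

```python
import base64
from dataclasses import dataclass


@dataclass
class DynamicChallenge:
    echo: bool               # 'E' flag: the typed response may be echoed
    response_required: bool  # 'R' flag: the user must type a response
    state_id: str            # opaque server token, returned unchanged
    username: str            # decoded from the base64 field
    text: str                # prompt to show the user, e.g. "OTP Token:"


def parse_crv1(message: str) -> DynamicChallenge:
    """Extract a dynamic challenge from an AUTH_FAILED / PASSWORD line."""
    start = message.find("CRV1:")
    if start < 0:
        raise ValueError("not a dynamic challenge")
    body = message[start:]
    if body.endswith("']"):  # management-interface form wraps it in ['...']
        body = body[:-2]
    # The challenge text is free-form and may itself contain ':' (the prompt
    # in this report ends with one), so split at most four times.
    parts = body.split(":", 4)
    if len(parts) != 5:
        raise ValueError("truncated CRV1 message")
    _, flags, state_id, user_b64, text = parts
    flag_set = {f for f in flags.split(",") if f}
    username = base64.b64decode(user_b64, validate=True).decode("utf-8")
    return DynamicChallenge("E" in flag_set, "R" in flag_set,
                            state_id, username, text)


def build_reply(challenge: DynamicChallenge, response: str) -> tuple[str, str]:
    """Return the (username, password) pair to submit on the reconnect."""
    if challenge.response_required and not response:
        raise ValueError("server requires a response to this challenge")
    return challenge.username, f"CRV1::{challenge.state_id}::{response}"


# Constructed sample in the same shape as the nm-openvpn log line above.
SAMPLE_LOG = ("AUTH: Received control message: "
              "AUTH_FAILED,CRV1:R,E:c3RhdGUtaWQtMDAx:YWxpY2U=:OTP Token:")

if __name__ == "__main__":
    ch = parse_crv1(SAMPLE_LOG)
    print(ch.text, build_reply(ch, "123456"))
```
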


