OpenVPN client keeps asking for certificate/token password despite "askpass " option in config file

Post by lvd » Wed May 20, 2020 2:08 pm

I'm using OpenVPN 2.4.7 from the Ubuntu 20.04 distribution.
My config file is as follows:

```
client
dev tun
proto udp
remote some.domain.name.here 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca /etc/openvpn/ca.crt
remote-cert-tls server
tls-auth /etc/openvpn/ta.key 1
cipher AES-128-CBC
comp-lzo
verb 3
auth-user-pass /etc/openvpn/auth.txt
askpass /etc/openvpn/pkcs_pass.txt

pkcs11-providers /usr/lib/libeTPkcs11.so
pkcs11-id 'SafeNet\x2C\x20Inc\x2E/eToken/********/********/********'
```

(note the pkcs11-providers dynamic library).

When I start the client like this: sudo openvpn --config /etc/openvpn/ovpn.conf, it runs like this:

```
....
Wed May 20 13:05:54 2020 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Wed May 20 13:05:54 2020 VERIFY EKU OK
Wed May 20 13:05:54 2020 VERIFY OK: depth=0, C=***, ST=***, L=***, O=***, CN=***, emailAddress=***
Enter ******** token Password: ***************************
Wed May 20 13:05:59 2020 Control Channel: TLSv1, cipher SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Wed May 20 13:05:59 2020 [********] Peer Connection Initiated with [AF_INET]******************
....
```

Specifically, it is still requesting the cert/token password. When the password is entered, it proceeds normally.

My question is, how can I supply a password in a separate file in this case? `askpass` with the correct password in the file is not helping; it seems to be ignored.

Post by TinCanTech » Wed May 20, 2020 2:21 pm

What happens if you try like so:

```
# askpass /etc/openvpn/pkcs_pass.txt
```

?

Post by lvd » Wed May 20, 2020 2:37 pm

Commenting out askpass changes nothing -- exactly the same password request.

Post by TinCanTech » Wed May 20, 2020 2:48 pm

My guess would be that:

--askpass file does not supply a token password to your --pkcs11-providers library

Perhaps the library has some documentation ..

Post by lvd » Wed May 20, 2020 2:53 pm

Actually, my guess is the same. :)
But I can't yet find docs on using SafeNet tokens this way.

Are there any hacks like supplying the password through stdin, like "openvpn ... <password.file"?

Post by TinCanTech » Wed May 20, 2020 3:02 pm

lvd wrote: Wed May 20, 2020 2:53 pm
> Are there any hacks like supplying password through stdin like "openvpn ... <password.file" ?

None that I am aware of, that is why there are the --askpass and --auth-user-pass file options.

Post by lvd » Wed May 20, 2020 7:09 pm

I've done some research with strace and now I see that the password request is made by openvpn itself, using the systemd-ask-password executable. So it is probably not a problem with the underlying dynamic library.
Last edited by lvd on Wed May 20, 2020 7:28 pm, edited 1 time in total.

Post by TinCanTech » Wed May 20, 2020 7:24 pm

Sounds like some kind of incompatibility between your SafeNet device (guessing) and openvpn.

I'm not sure of what to expect if a third party device is in use ..
