OpenVPN client keeps asking for certificate/token password despite "askpass " option in config file
Posted: Wed May 20, 2020 2:08 pm
by lvd
I'm using OpenVPN 2.4.7 from the Ubuntu 20.04 distribution.
My config file is the following:
Code:
client
dev tun
proto udp
remote some.domain.name.here 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca /etc/openvpn/ca.crt
remote-cert-tls server
tls-auth /etc/openvpn/ta.key 1
cipher AES-128-CBC
comp-lzo
verb 3
auth-user-pass /etc/openvpn/auth.txt
askpass /etc/openvpn/pkcs_pass.txt
pkcs11-providers /usr/lib/libeTPkcs11.so
pkcs11-id 'SafeNet\x2C\x20Inc\x2E/eToken/********/********/********'
(note pkcs11-providers dynamic library).
When I start the client like this: sudo openvpn --config /etc/openvpn/ovpn.conf, it runs like this:
Code:
....
Wed May 20 13:05:54 2020 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Wed May 20 13:05:54 2020 VERIFY EKU OK
Wed May 20 13:05:54 2020 VERIFY OK: depth=0, C=***, ST=***, L=***, O=***, CN=***, emailAddress=***
Enter ******** token Password: ***************************
Wed May 20 13:05:59 2020 Control Channel: TLSv1, cipher SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Wed May 20 13:05:59 2020 [********] Peer Connection Initiated with [AF_INET]******************
....
And specifically, it is still requesting the cert/token password. When the password is entered, it proceeds normally.
My question is, how do I supply the password in a separate file in this case? `askpass` with the correct password in the file is not helping; it seems to be ignored.
Re: OpenVPN client keeps asking for certificate/token password despite "askpass " option in config file
Posted: Wed May 20, 2020 2:21 pm
by TinCanTech
What happens if you try like so:
Code:
# askpass /etc/openvpn/pkcs_pass.txt
?
Re: OpenVPN client keeps asking for certificate/token password despite "askpass " option in config file
Posted: Wed May 20, 2020 2:37 pm
by lvd
Commenting out askpass changes nothing -- exactly the same password request.
Re: OpenVPN client keeps asking for certificate/token password despite "askpass " option in config file
Posted: Wed May 20, 2020 2:48 pm
by TinCanTech
My guess would be that:
--askpass file does not supply a token password to your --pkcs11-providers library
Perhaps the library has some documentation ..
Re: OpenVPN client keeps asking for certificate/token password despite "askpass " option in config file
Posted: Wed May 20, 2020 2:53 pm
by lvd
Actually, my guess is the same.

But I can't yet find docs on using safenet tokens this way.
Are there any hacks like supplying password through stdin like "openvpn ... <password.file" ?
Re: OpenVPN client keeps asking for certificate/token password despite "askpass " option in config file
Posted: Wed May 20, 2020 3:02 pm
by TinCanTech
lvd wrote (Wed May 20, 2020 2:53 pm):
Are there any hacks like supplying password through stdin like "openvpn ... <password.file" ?
None that I am aware of; that is why there are the --askpass and --auth-user-pass file options.
Re: OpenVPN client keeps asking for certificate/token password despite "askpass " option in config file
Posted: Wed May 20, 2020 7:09 pm
by lvd
I've done some research with strace and now I see that the password request is done by openvpn itself, using the systemd-ask-password executable. So it is probably not a problem of the underlying dynamic library.
Re: OpenVPN client keeps asking for certificate/token password despite "askpass " option in config file
Posted: Wed May 20, 2020 7:24 pm
by TinCanTech
Sounds like some kind of incompatibility between your SafeNet device (guessing) and openvpn.
I'm not sure of what to expect if a third party device is in use ..
Re: OpenVPN client keeps asking for certificate/token password despite "askpass " option in config file
Posted: Sun Jun 07, 2020 4:42 pm
by lvd
Well, I've done some research...
The password (or PIN code) is requested by the openvpn callback function _pkcs11_openvpn_pin_prompt(). It calls get_user_pass() for that PIN code, always passing NULL as the 'auth_pass' argument. When 'auth_pass' is supplied with a correct filename, get_user_pass() reads the password from there instead of asking the user to enter it.
Therefore, asking for the "pin" will always ask the user to enter the password from the keyboard.
I've also made a quick hack to re-use the "askpass" argument to supply it as the "pin"; it uses global_data as the filename:
Code:
diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index 70cd493a..c90c449d 100644
--- a/src/openvpn/init.c
+++ b/src/openvpn/init.c
@@ -654,7 +654,7 @@ context_init_1(struct context *c)
if (c->first_time)
{
int i;
- pkcs11_initialize(true, c->options.pkcs11_pin_cache_period);
+ pkcs11_initialize(true, c->options.pkcs11_pin_cache_period,c->options.key_pass_file);
for (i = 0; i<MAX_PARMS && c->options.pkcs11_providers[i] != NULL; i++)
{
pkcs11_addProvider(c->options.pkcs11_providers[i], c->options.pkcs11_protected_authentication[i],
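Review bot: this is the only call site updated for the new three-argument pkcs11_initialize(), so if the function is called anywhere else in the tree that caller will no longer compile; check with a grep before building. A space after the comma in `c->options.pkcs11_pin_cache_period,c->options.key_pass_file` would also match the surrounding style.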
diff --git a/src/openvpn/pkcs11.c b/src/openvpn/pkcs11.c
index d40ca458..1b616a50 100644
--- a/src/openvpn/pkcs11.c
+++ b/src/openvpn/pkcs11.c
@@ -34,6 +34,7 @@
#include <pkcs11-helper-1.0/pkcs11h-certificate.h>
#include "basic.h"
#include "error.h"
+#include "options.h"
#include "manage.h"
#include "base64.h"
#include "pkcs11.h"
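Review bot: the added `#include "options.h"` is not referenced by any other hunk in this file; the PIN file path arrives as a plain `const char *` through the new parameter and through global_data, so unless a later change needs struct options here, drop the include to keep pkcs11.c decoupled from the option parser.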
@@ -241,7 +242,7 @@ _pkcs11_openvpn_pin_prompt(
struct user_pass token_pass;
char prompt[1024];
- (void)global_data;
+// (void)global_data;
(void)user_data;
(void)retry;
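Review bot: replacing `(void)global_data;` with the commented-out `// (void)global_data;` leaves dead code behind; the cast only existed to silence an unused-parameter warning, and global_data is now actually used below, so delete the line instead of commenting it out.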
@@ -255,7 +256,7 @@ _pkcs11_openvpn_pin_prompt(
if (
!get_user_pass(
&token_pass,
- NULL,
+ (const char *)global_data,
prompt,
GET_USER_PASS_MANAGEMENT|GET_USER_PASS_PASSWORD_ONLY|GET_USER_PASS_NOFATAL
)
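Review bot: passing `(const char *)global_data` as auth_pass makes get_user_pass() read the token PIN from the --askpass file when one is configured, while the NULL case (no --askpass) keeps the original prompt; a one-line comment stating that NULL is expected here would help the next reader. Note also that `retry` is still ignored in this function, so a wrong PIN in the file is simply read again on every retry; it is worth checking how many attempts pkcs11-helper makes before giving up, so that a stale PIN file cannot drive the token towards its lockout counter.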
@@ -282,7 +283,8 @@ _pkcs11_openvpn_pin_prompt(
bool
pkcs11_initialize(
const bool protected_auth,
- const int nPINCachePeriod
+ const int nPINCachePeriod,
+ const char * key_pass_file
)
{
CK_RV rv = CKR_FUNCTION_FAILED;
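Review bot: style point on the new parameter: the surrounding code attaches the pointer declarator to the name (`const char *key_pass_file`), and the parameter name should be spelled identically in pkcs11.h and pkcs11.c, which the existing protected_auth / fProtectedAuthentication pair already fails to do; do not widen that drift with the new argument.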
@@ -324,7 +326,7 @@ pkcs11_initialize(
goto cleanup;
}
- if ((rv = pkcs11h_setPINPromptHook(_pkcs11_openvpn_pin_prompt, NULL)) != CKR_OK)
+ if ((rv = pkcs11h_setPINPromptHook(_pkcs11_openvpn_pin_prompt, (void *)key_pass_file)) != CKR_OK)
{
msg(M_FATAL, "PKCS#11: Cannot set hooks %ld-'%s'", rv, pkcs11h_getMessage(rv));
goto cleanup;
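Review bot: `(void *)key_pass_file` casts away const to fit the hook's global_data parameter, which is acceptable, but pkcs11-helper stores that pointer and hands it back on every PIN prompt, so the string must outlive the hook registration; that holds here only because it points into c->options, and a comment saying so would stop a future caller from passing a stack buffer.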
diff --git a/src/openvpn/pkcs11.h b/src/openvpn/pkcs11.h
index 66c6a7e1..8ffcaacf 100644
--- a/src/openvpn/pkcs11.h
+++ b/src/openvpn/pkcs11.h
@@ -31,7 +31,8 @@
bool
pkcs11_initialize(
const bool fProtectedAuthentication,
- const int nPINCachePeriod
+ const int nPINCachePeriod,
+ const char * key_pass_file
);
void
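To make the get_user_pass() contract that lvd describes concrete, here is an added example in C (not OpenVPN's code and not lvd's patch): a stand-in get_token_pin() that signals "prompt" when auth_pass is NULL and otherwise reads the first line of the named file, plus a permission check on the PIN file that the thread does not include. All function and enum names, the temp-file helper and the sample PIN are constructed for this example.

```c
/* Added example, not OpenVPN's own code. A hypothetical stand-in for the
 * get_user_pass() behaviour described above: NULL auth_pass means "prompt
 * the user"; a file path means "read the PIN from that file". The mode
 * check is an added hardening step, not something the thread discusses. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

enum pin_source {
    PIN_FROM_PROMPT = 0,   /* auth_pass was NULL: caller must prompt */
    PIN_FROM_FILE   = 1,   /* PIN was read from the named file */
    PIN_ERR_OPEN    = -1,  /* file could not be stat'ed or opened */
    PIN_ERR_PERMS   = -2,  /* file is accessible to group or others */
    PIN_ERR_EMPTY   = -3   /* file had no usable first line */
};

/* Mirrors the auth_pass contract: NULL -> prompt, path -> read the file.
 * Only the first line is used; the trailing newline is stripped. */
static int get_token_pin(const char *auth_pass, char *out, size_t outlen)
{
    if (auth_pass == NULL) {
        out[0] = '\0';
        return PIN_FROM_PROMPT;
    }
    struct stat st;
    if (stat(auth_pass, &st) != 0) {
        return PIN_ERR_OPEN;
    }
    /* Added hardening: refuse a PIN file that is not private to its owner. */
    if (st.st_mode & (S_IRWXG | S_IRWXO)) {
        return PIN_ERR_PERMS;
    }
    FILE *fp = fopen(auth_pass, "r");
    if (fp == NULL) {
        return PIN_ERR_OPEN;
    }
    if (fgets(out, (int)outlen, fp) == NULL) {
        fclose(fp);
        out[0] = '\0';
        return PIN_ERR_EMPTY;
    }
    fclose(fp);
    out[strcspn(out, "\r\n")] = '\0';
    return out[0] == '\0' ? PIN_ERR_EMPTY : PIN_FROM_FILE;
}

/* Demo helper: write a constructed PIN file with the given mode to a temp
 * path; returns 0 and fills path_out on success, -1 on failure. */
static int write_pin_file(const char *pin, mode_t mode, char *path_out, size_t pathlen)
{
    char tmpl[] = "/tmp/pin_demo_XXXXXX";
    int fd = mkstemp(tmpl);
    if (fd < 0) return -1;
    FILE *fp = fdopen(fd, "w");
    if (fp == NULL) { close(fd); unlink(tmpl); return -1; }
    fprintf(fp, "%s\n", pin);
    fclose(fp);
    if (chmod(tmpl, mode) != 0 || strlen(tmpl) >= pathlen) { unlink(tmpl); return -1; }
    strcpy(path_out, tmpl);
    return 0;
}

/* Runs the three cases the thread cares about and returns how many behaved
 * as expected (3 when everything works). */
static int run_demo(void)
{
    char pin[64], path[64];
    int ok = 0;

    /* Case 1: no file configured -> the callback would have to prompt. */
    if (get_token_pin(NULL, pin, sizeof pin) == PIN_FROM_PROMPT) ok++;

    /* Case 2: private (0600) PIN file -> PIN read without prompting. */
    if (write_pin_file("123456", 0600, path, sizeof path) == 0) {   /* constructed sample PIN */
        if (get_token_pin(path, pin, sizeof pin) == PIN_FROM_FILE && strcmp(pin, "123456") == 0) ok++;
        unlink(path);
    }

    /* Case 3: world-readable PIN file -> rejected by the added check. */
    if (write_pin_file("123456", 0644, path, sizeof path) == 0) {
        if (get_token_pin(path, pin, sizeof pin) == PIN_ERR_PERMS) ok++;
        unlink(path);
    }
    return ok;
}

int main(void)
{
    int ok = run_demo();
    printf("%d of 3 cases behaved as expected\n", ok);
    return ok == 3 ? 0 : 1;
}
```

The point of case 3 is that a PIN file read by a root-run daemon is only as secret as its mode bits; rejecting a group- or world-readable file at read time is cheap and makes a misconfiguration fail loudly rather than silently leak the token PIN.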
Re: OpenVPN client keeps asking for certificate/token password despite "askpass " option in config file
Posted: Sun Oct 03, 2021 12:06 pm
by maglub
I am also curious how to get the --askpass to work out of the box. I have tested:
* Version 2.4.7
* Version 2.5.3
But neither of them works. I am curious how to write a proper bug ticket for this, as --askpass for pkcs11 would be very useful in my scenario (I want openvpn to start unattended on a Raspberry Pi from a udev rule, which works with a patched binary, as described above/below).
I tried the patch mentioned by "lvd" on a Raspberry Pi, Raspbian 10 (buster), on openvpn 2.5.3. Their patch works as described.
Code:
sudo apt -y install libssl-dev liblzo2-dev libpam0g-dev build-essential -y
sudo apt -y install libsystemd-dev libpkcs11-helper1-dev
wget https://swupdate.openvpn.org/community/releases/openvpn-2.5.3.tar.gz
I have the following changes in the source tree (more or less the same as above; just a few line numbers differ):
Code:
cd openvpn-2.5.3
diff -r ./src/openvpn/init.c ../../openvpn-2.5.3/src/openvpn/init.c
707c707,708
< pkcs11_initialize(true, c->options.pkcs11_pin_cache_period);
---
> //XXX pkcs11_initialize(true, c->options.pkcs11_pin_cache_period);
> pkcs11_initialize(true, c->options.pkcs11_pin_cache_period,c->options.key_pass_file);
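Review bot: keeping the replaced call as `//XXX pkcs11_initialize(true, c->options.pkcs11_pin_cache_period);` (and the same `//XXX` pattern in the later hunks) leaves dead code in every touched file; the diff itself already records the old lines, so delete the originals rather than commenting them out.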
diff -r ./src/openvpn/pkcs11.c ../../openvpn-2.5.3/src/openvpn/pkcs11.c
36a37
> #include "options.h"
244c245
< (void)global_data;
---
> //XXX (void)global_data;
258c259,260
< NULL,
---
> //XXX NULL,
> (const char *)global_data,
285c287,289
< const int nPINCachePeriod
---
> //XXX const int nPINCachePeriod
> const int nPINCachePeriod,
> const char * key_pass_file
327c331,332
< if ((rv = pkcs11h_setPINPromptHook(_pkcs11_openvpn_pin_prompt, NULL)) != CKR_OK)
---
> //XXX if ((rv = pkcs11h_setPINPromptHook(_pkcs11_openvpn_pin_prompt, NULL)) != CKR_OK)
> if ((rv = pkcs11h_setPINPromptHook(_pkcs11_openvpn_pin_prompt, (void *)key_pass_file)) != CKR_OK)
diff -r ./src/openvpn/pkcs11.h ../../openvpn-2.5.3/src/openvpn/pkcs11.h
34c34,36
< const int nPINCachePeriod
---
> //XXX const int nPINCachePeriod
> const int nPINCachePeriod,
> const char * key_pass_file
$ diff -r src/openvpn/pkcs11.h ../../openvpn-2.5.3/src/openvpn/pkcs11.h
34c34,36
< const int nPINCachePeriod
---
> //XXX const int nPINCachePeriod
> const int nPINCachePeriod,
> const char * key_pass_file
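Review bot: this last block (`$ diff -r src/openvpn/pkcs11.h ...`) repeats the pkcs11.h section that the recursive diff directly above already shows, with identical content; one copy is enough.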
And then I configured and compiled, built from source:
Code:
cd openvpn-2.5.3
./configure --enable-pkcs11 \
--enable-iproute2 \
--enable-x509-alt-username \
--enable-systemd
time make
And lastly, I replaced the binary in /usr/sbin:
Code:
sudo mv /usr/sbin/openvpn /usr/sbin/openvpn.old
sudo cp src/openvpn/openvpn /usr/sbin/openvpn
Thanks for pointing me in this direction. I would never have thought the callback function would be broken.
//magnus