debcrafters-packages team mailing list archive
Message #05043
[Bug 2119683] [NEW] Multi factor authentication challenges in openvpn network manager show up as a dialog for "Password"
Public bug reported:
I was able to get multi-factor authentication to work with a second
factor authentication token (Microsoft Authenticator) at my place of
employment. It's a random multi-digit code that refreshes every 30
seconds. However, when connecting using OpenVPN, I get a prompt to enter
in my password. After successfully entering in the password, some more
negotiation happens with the server, and I then get prompted with another
dialog window re-asking for my "password". This second window accepts
the multi-digit authentication code. Though this works, it is quite
confusing to see the words "Enter password". There is probably some
sort of messaging that takes place between the server and the client to
be able to mark this second dialog window an "Authentication Token" and
not a "password" dialog. It seems silly, but less technical people who
don't work with openvpn on the daily or people who don't have the time
aren't going to look into the issue further and instead just say that
it's not working.
lsb_release -rd
No LSB modules are available.
Description: Ubuntu 24.04.3 LTS
Release: 24.04
network-manager-openvpn-gnome/noble,now 1.10.2-4build2 amd64 [installed,automatic]
network-manager-openvpn/noble,now 1.10.2-4build2 amd64 [installed,automatic]
openvpn/noble-updates,now 2.6.14-0ubuntu0.24.04.1 amd64 [installed,automatic]
Full log output:
Aug 06 14:11:54 HOSTNAME NetworkManager[1921]: <info> [1754511114.3746] vpn[0x64caef73a5f0,UUID,"VPN_NAME"]: starting openvpn
Aug 06 14:11:54 HOSTNAME NetworkManager[1921]: <info> [1754511114.3753] audit: op="connection-activate" uuid="UUID" name="VPN_NAME" pid=4381 uid=1000 result="success"
Aug 06 14:11:54 HOSTNAME nm-openvpn[255969]: OpenVPN 2.6.14 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] [DCO]
Aug 06 14:11:54 HOSTNAME nm-openvpn[255969]: library versions: OpenSSL 3.0.13 30 Jan 2024, LZO 2.10
Aug 06 14:11:54 HOSTNAME nm-openvpn[255969]: DCO version: N/A
Aug 06 14:11:54 HOSTNAME nm-openvpn[255969]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Aug 06 14:11:54 HOSTNAME nm-openvpn[255969]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Aug 06 14:11:54 HOSTNAME nm-openvpn[255969]: TCP/UDP: Preserving recently used remote address: [AF_INET]IP_ADDRESS:PORT
Aug 06 14:11:54 HOSTNAME nm-openvpn[255969]: Attempting to establish TCP connection with [AF_INET]IP_ADDRESS:PORT
Aug 06 14:11:54 HOSTNAME nm-openvpn[255969]: TCP connection established with [AF_INET]IP_ADDRESS:PORT
Aug 06 14:11:54 HOSTNAME nm-openvpn[255969]: TCPv4_CLIENT link local: (not bound)
Aug 06 14:11:54 HOSTNAME nm-openvpn[255969]: TCPv4_CLIENT link remote: [AF_INET]IP_ADDRESS:PORT
Aug 06 14:11:54 HOSTNAME nm-openvpn[255969]: NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Aug 06 14:11:55 HOSTNAME nm-openvpn[255969]: [VPN Server] Peer Connection Initiated with [AF_INET]IP_ADDRESS:PORT
Aug 06 14:11:56 HOSTNAME nm-openvpn[255969]: AUTH: Received control message: AUTH_FAILED
Aug 06 14:11:56 HOSTNAME nm-openvpn[255969]: SIGUSR1[soft,auth-failure] received, process restarting
Aug 06 14:12:10 HOSTNAME nm-openvpn[255969]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Aug 06 14:12:10 HOSTNAME nm-openvpn[255969]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Aug 06 14:12:10 HOSTNAME nm-openvpn[255969]: TCP/UDP: Preserving recently used remote address: [AF_INET]IP_ADDRESS:PORT
Aug 06 14:12:10 HOSTNAME nm-openvpn[255969]: Attempting to establish TCP connection with [AF_INET]IP_ADDRESS:PORT
Aug 06 14:12:10 HOSTNAME nm-openvpn[255969]: TCP connection established with [AF_INET]IP_ADDRESS:PORT
Aug 06 14:12:10 HOSTNAME nm-openvpn[255969]: TCPv4_CLIENT link local: (not bound)
Aug 06 14:12:10 HOSTNAME nm-openvpn[255969]: TCPv4_CLIENT link remote: [AF_INET]IP_ADDRESS:PORT
Aug 06 14:12:10 HOSTNAME nm-openvpn[255969]: [VPN Server] Peer Connection Initiated with [AF_INET]IP_ADDRESS:PORT
Aug 06 14:12:11 HOSTNAME nm-openvpn[255969]: AUTH: Received control message: AUTH_FAILED,CRV1:R,E:245:BASE64_STRING:Enter Your Microsoft verification code
Aug 06 14:12:11 HOSTNAME nm-openvpn[255969]: SIGUSR1[soft,auth-failure] received, process restarting
Aug 06 14:12:21 HOSTNAME nm-openvpn[255969]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Aug 06 14:12:21 HOSTNAME nm-openvpn[255969]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Aug 06 14:12:21 HOSTNAME nm-openvpn[255969]: TCP/UDP: Preserving recently used remote address: [AF_INET]IP_ADDRESS:PORT
Aug 06 14:12:21 HOSTNAME nm-openvpn[255969]: Attempting to establish TCP connection with [AF_INET]IP_ADDRESS:PORT
Aug 06 14:12:21 HOSTNAME nm-openvpn[255969]: TCP connection established with [AF_INET]IP_ADDRESS:PORT
Aug 06 14:12:21 HOSTNAME nm-openvpn[255969]: TCPv4_CLIENT link local: (not bound)
Aug 06 14:12:21 HOSTNAME nm-openvpn[255969]: TCPv4_CLIENT link remote: [AF_INET]IP_ADDRESS:PORT
Aug 06 14:12:22 HOSTNAME nm-openvpn[255969]: [VPN Server] Peer Connection Initiated with [AF_INET]IP_ADDRESS:PORT
Aug 06 14:12:28 HOSTNAME nm-openvpn[255969]: TUN/TAP device tun0 opened
Aug 06 14:12:28 HOSTNAME nm-openvpn[255969]: /usr/libexec/nm-openvpn-service-openvpn-helper --debug 0 255961 --bus-name org.freedesktop.NetworkManager.openvpn.Connection_XX --tun -- tun0 1500 0 192.168.113.5 255.255.255.0 init
Aug 06 14:12:28 HOSTNAME NetworkManager[1921]: <info> [1754511148.3530] manager: (tun0): new Tun device (/org/freedesktop/NetworkManager/Devices/13)
Aug 06 14:12:28 HOSTNAME nm-openvpn[255969]: UID set to nm-openvpn
Aug 06 14:12:28 HOSTNAME nm-openvpn[255969]: GID set to nm-openvpn
Aug 06 14:12:28 HOSTNAME nm-openvpn[255969]: Capabilities retained: CAP_NET_ADMIN
Aug 06 14:12:28 HOSTNAME nm-openvpn[255969]: Initialization Sequence Completed
** Affects: network-manager-openvpn (Ubuntu)
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of
Debcrafters packages, which is subscribed to network-manager-openvpn in
Ubuntu.
https://bugs.launchpad.net/bugs/2119683
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/network-manager-openvpn/+bug/2119683/+subscriptions
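
The `AUTH_FAILED,CRV1:...` line in the log above is OpenVPN's dynamic challenge/response message, laid out as `CRV1:<flags>:<state_id>:<base64 username>:<challenge text>`, and it already carries the prompt a dialog could show. The following is an added example, not part of the bug report and not code from network-manager-openvpn: it extracts the challenge from journal lines and builds the reply value; the function and class names are hypothetical and the sample username is constructed.

```python
import base64
import re
from dataclasses import dataclass
from typing import Optional

# Constructed journal lines modelled on the log in the report; the username
# field is a made-up value (base64 of "alice"), not data from the bug.
SAMPLE_LOG = """\
Aug 06 14:11:56 HOSTNAME nm-openvpn[255969]: AUTH: Received control message: AUTH_FAILED
Aug 06 14:12:11 HOSTNAME nm-openvpn[255969]: AUTH: Received control message: AUTH_FAILED,CRV1:R,E:245:YWxpY2U=:Enter Your Microsoft verification code
Aug 06 14:12:28 HOSTNAME nm-openvpn[255969]: Initialization Sequence Completed
"""

CONTROL_RE = re.compile(r"AUTH: Received control message: AUTH_FAILED(?:,(.*))?$")

@dataclass
class Challenge:
    echo: bool               # flag E: the typed response may be shown on screen
    response_required: bool  # flag R: the user must supply a response
    state_id: str            # opaque token the server expects back
    username: str            # decoded from the base64 field
    prompt: str              # server-supplied label; render as plain text only

def parse_crv1(reason: str) -> Optional[Challenge]:
    """Parse the text after 'AUTH_FAILED,'; return None if it is not CRV1."""
    # The challenge text comes last and may contain ':', so cap the split.
    parts = reason.split(":", 4)
    if len(parts) != 5 or parts[0] != "CRV1":
        return None
    _, flags, state_id, user_b64, prompt = parts
    flag_set = {f for f in flags.split(",") if f}
    try:
        username = base64.b64decode(user_b64, validate=True).decode("utf-8")
    except ValueError:
        return None  # malformed username field: treat as a plain failure
    return Challenge("E" in flag_set, "R" in flag_set, state_id, username, prompt)

def challenges_in(log: str) -> list:
    """Return every CRV1 challenge found in the given log text."""
    found = []
    for line in log.splitlines():
        m = CONTROL_RE.search(line)
        if m and m.group(1) and (c := parse_crv1(m.group(1))):
            found.append(c)
    return found

def response_password(c: Challenge, code: str) -> str:
    # On reconnect the password field carries the state id and the response.
    return f"CRV1::{c.state_id}::{code}"
```

With the `E` flag set, as in the reported log, the response can be echoed, so a client has enough information to show a plain text field labelled with the server's prompt rather than a masked "Password" field.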