[Bug 1204869] New: Network Manager asks for root password when adding AnyConnect VPN
http://bugzilla.opensuse.org/show_bug.cgi?id=1204869

            Bug ID: 1204869
           Summary: Network Manager asks for root password when adding AnyConnect VPN
    Classification: openSUSE
           Product: openSUSE Tumbleweed
           Version: Current
          Hardware: x86-64
                OS: openSUSE Tumbleweed
            Status: NEW
          Severity: Major
          Priority: P5 - None
         Component: KDE Workspace (Plasma)
          Assignee: opensuse-kde-bugs@opensuse.org
          Reporter: cosmin.tanczel@gmail.com
        QA Contact: qa-bugs@suse.de
          Found By: ---
           Blocker: ---

1. I installed CISCO AnyConnect VPN (openconnect) plugin for Network Manager
2. Added the Gateway, Reported OS (Windows), enable Token Authentication (HOTP - Ask for this password every time)
3. Save - at this step I am asked for the root password because in the General Configuration tab the All users may connect to this network option is enabled by default. I type the root password and save the profile
4. Connect to the new profile - I am asked for the root password, the credentials window appears, and when I click connect, the window disappears (crash).
I should not be asked for the root password since the connection should NOT be available for all users (this was the case before the update that happened about 1 week ago)

Below the NetworkManager log:

Oct 31 11:10:42 localhost.localdomain NetworkManager[882]: <info> [1667207442.1953] audit: op="statistics" interface="wlp0s20f3" ifindex=3 args="2000" pid=1810 uid=1000 result="success"
Oct 31 11:10:43 localhost.localdomain NetworkManager[882]: <info> [1667207443.4192] vpn[0x55f09551e910,f8c9359d-1d7e-4913-b724-d83083426981,"ARRK"]: starting openconnect
Oct 31 11:10:43 localhost.localdomain NetworkManager[882]: <info> [1667207443.4196] audit: op="connection-activate" uuid="f8c9359d-1d7e-4913-b724-d83083426981" name="TEST" pid=1810 uid=1000 result="success"
Oct 31 11:10:43 localhost.localdomain NetworkManager[882]: <info> [1667207443.7242] audit: op="statistics" interface="wlp0s20f3" ifindex=3 args="0" pid=1810 uid=1000 result="success"
Oct 31 11:10:58 localhost.localdomain NetworkManager[882]: <warn> [1667207458.9404] vpn[0x55f09551e910,f8c9359d-1d7e-4913-b724-d83083426981,"TEST"]: secrets: failed to request VPN secrets #3: No agents were available for this request.
Oct 31 11:10:59 localhost.localdomain NetworkManager[882]: <info> [1667207459.1234] agent-manager: agent[686b738f8cd3bed4,:1.141/org.kde.plasma.networkmanagement/1000]: agent registered

--
You are receiving this mail because:
You are on the CC list for the bug.

Cosmin Tanczel <cosmin.tanczel@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Found By|---                         |Community User

http://bugzilla.opensuse.org/show_bug.cgi?id=1204869#c1

--- Comment #1 from Cosmin Tanczel <cosmin.tanczel@gmail.com> ---
Created attachment 862560
  --> http://bugzilla.opensuse.org/attachment.cgi?id=862560&action=edit
allow_all_users_by_default

http://bugzilla.opensuse.org/show_bug.cgi?id=1204869#c2

--- Comment #2 from Cosmin Tanczel <cosmin.tanczel@gmail.com> ---
Tried adding an L2TP VPN connection also. If I manually disable All users may connect to this network (in General configuration tab), the connection can be saved and it is successful.

So I think there are 2 different topics here:

1. The network manager has been changed to always ask for the root password by default when creating new connections. This is wrong.
2. The openconnect VPN plugin does not find the necessary libraries to offer the user the token authentication window. This is also a regression.

http://bugzilla.opensuse.org/show_bug.cgi?id=1204869#c3

--- Comment #3 from Cosmin Tanczel <cosmin.tanczel@gmail.com> ---
It seems that whatever connection I try to add has All users may connect to this network enabled by default.

http://bugzilla.opensuse.org/show_bug.cgi?id=1204869#c4

Cosmin Tanczel <cosmin.tanczel@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Priority|P5 - None                   |P2 - High

--- Comment #4 from Cosmin Tanczel <cosmin.tanczel@gmail.com> ---
Do we still have someone taking care of networking manager?

http://bugzilla.opensuse.org/show_bug.cgi?id=1204869#c5

Cosmin Tanczel <cosmin.tanczel@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |opensuse-kde-bugs@opensuse.
                   |                            |org
              Flags|                            |needinfo?(opensuse-kde-bugs
                   |                            |@opensuse.org)

--- Comment #5 from Cosmin Tanczel <cosmin.tanczel@gmail.com> ---
Maybe related to this error I get right after KDE login?

The gnome keyring socket is not owned with the same credentials as the user login: /run/user/1000/keyring/control

http://bugzilla.opensuse.org/show_bug.cgi?id=1204869#c6

Luciano Santos <luc14n0@opensuse.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |luc14n0@opensuse.org
          Component|KDE Workspace (Plasma)      |Network
           Assignee|opensuse-kde-bugs@opensuse. |screening-team-bugs@suse.de
                   |org                         |

--- Comment #6 from Luciano Santos <luc14n0@opensuse.org> ---
(In reply to Cosmin Tanczel from comment #4)
> Do we still have someone taking care of networking manager?

Yes, there is. But they would hardly come across this bug if the wrong Component is chosen.

Resorting Component to: Network

Luciano Santos <luc14n0@opensuse.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|opensuse-kde-bugs@opensuse. |
                   |org                         |

http://bugzilla.opensuse.org/show_bug.cgi?id=1204869#c7

--- Comment #7 from Cosmin Tanczel <cosmin.tanczel@gmail.com> ---
Not sure how this is related to Network since the connection works from cli (openconnect) and the only issue I have is when I am trying to connect from NM.

And also.... How is no. 2 related to network?... But I might be wrong.

http://bugzilla.opensuse.org/show_bug.cgi?id=1204869#c8

--- Comment #8 from Luciano Santos <luc14n0@opensuse.org> ---
You're getting it wrong on how bugs are categorized, but I realized that "Network" might not be the right place either.

When filing bugs try to be precise on the information you post please. Use package names, what version, from what repository it was installed, etc, etc. This all will help people who are going to work on the bug; it's better to go with more than less, OK?

> vpn[0x55f09551e910,f8c9359d-1d7e-4913-b724-d83083426981,"TEST"]: secrets: failed to request VPN secrets #3: No agents were available for this request.
> agent-manager: agent[686b738f8cd3bed4,:1.141/org.kde.plasma.networkmanagement/1000]: agent registered

From the excerpt you posted, it seems the VPN secrets request reaches a timeout before an agent is ready. Unless I am misinterpreting it.

Could you, please, make NM output more debugging information [1] and attach the relevant piece from the log to this bug? Something like:

sudo journalctl -u NetworkManager.service > NM-debug.log

probably should do.

[1] https://wiki.gnome.org/Projects/NetworkManager/Debugging#Other_NetworkManage...
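
Added example (not part of the original comment, and not NetworkManager code): a Python check over the log lines quoted in this report that measures the ordering comment #8 reasons about, that is, whether the "No agents were available" failure occurred before any secret agent had registered. Function and field names are illustrative assumptions.

```python
import re

# Log lines copied from the bug report above, as posted.
SAMPLE_LOG = """\
Oct 31 11:10:43 localhost.localdomain NetworkManager[882]: <info> [1667207443.4192] vpn[0x55f09551e910,f8c9359d-1d7e-4913-b724-d83083426981,"ARRK"]: starting openconnect
Oct 31 11:10:58 localhost.localdomain NetworkManager[882]: <warn> [1667207458.9404] vpn[0x55f09551e910,f8c9359d-1d7e-4913-b724-d83083426981,"TEST"]: secrets: failed to request VPN secrets #3: No agents were available for this request.
Oct 31 11:10:59 localhost.localdomain NetworkManager[882]: <info> [1667207459.1234] agent-manager: agent[686b738f8cd3bed4,:1.141/org.kde.plasma.networkmanagement/1000]: agent registered
"""

# NetworkManager prefixes each message with <level> [epoch.fraction].
LINE_RE = re.compile(r"NetworkManager\[\d+\]: <(\w+)>\s+\[(\d+\.\d+)\]\s+(.*)$")
VPN_RE = re.compile(r'^vpn\[0x[0-9a-f]+,([0-9a-f-]{36}),"[^"]*"\]: (.*)$')
AGENT_RE = re.compile(r"^agent-manager: agent\[[0-9a-f]+,([^\]]+)\]: agent registered")

def parse(log_text):
    """Yield (timestamp, kind, key) for the three event types of interest."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        ts, msg = float(m.group(2)), m.group(3)
        vpn = VPN_RE.match(msg)
        if vpn and vpn.group(2).startswith("starting "):
            yield ts, "vpn-start", vpn.group(1)
        elif vpn and "No agents were available" in vpn.group(2):
            yield ts, "no-agent", vpn.group(1)
        else:
            agent = AGENT_RE.match(msg)
            if agent:
                yield ts, "agent-registered", agent.group(1)

def secret_agent_races(log_text):
    """Per failed secrets request: wait time and when an agent registered."""
    events = sorted(parse(log_text))
    findings = []
    for i, (ts, kind, key) in enumerate(events):
        if kind != "no-agent":
            continue
        start = max((t for t, k, u in events[:i] if k == "vpn-start" and u == key), default=None)
        later = next(((t, a) for t, k, a in events[i + 1:] if k == "agent-registered"), None)
        findings.append({
            "uuid": key,
            "waited_s": None if start is None else round(ts - start, 3),
            "agent_registered_before": any(k == "agent-registered" for _, k, _ in events[:i]),
            "agent_after_s": None if later is None else round(later[0] - ts, 3),
            "late_agent": None if later is None else later[1],
        })
    return findings

if __name__ == "__main__":
    print(secret_agent_races(SAMPLE_LOG))
```

On the posted excerpt this reports a wait of about 15.5 seconds with no agent registered beforehand, and the Plasma agent registering roughly 0.18 seconds after the failure. The excerpt starts shortly before the activation, so an agent registered earlier in the session would not appear in it; run the check over the full journal before drawing conclusions.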

http://bugzilla.opensuse.org/show_bug.cgi?id=1204869#c9

--- Comment #9 from Cosmin Tanczel <cosmin.tanczel@gmail.com> ---
"You're getting it wrong on how bugs are categorized, but I realized that "Network" might not be the right place either."

I thought...still do... that Network refers to the networking stack. Is this not the case?

I update TW daily and the behavior is still the same so the version is the same as the latest present in the repos. Might be possible that no one has an available cisco vpn device to test, but I already tested with different Cisco VPNs and different TW installations.

I am explaining one more time:

1. When I want to add WHATEVER new VPN, the NM has the All users may connect to this network checked (enabled) by default. This is wrong and this is totally related to the NM. This is a regression!
2. Even though I'm creating a new connection, disabling this, the NM applet behavior is the same. It crashes when I try to connect. Also a regression. This behavior seems to be the same for all plugins that require 2FA (is NM using gnome-keyrings libraries??)

I cannot provide debugging logs for NM only next week (traveling), but I think the ones that I already sent are enough. If still needed, please let me know.

http://bugzilla.opensuse.org/show_bug.cgi?id=1204869#c10

Luciano Santos <luc14n0@opensuse.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
          Component|Network                     |KDE Workspace (Plasma)
           Assignee|screening-team-bugs@suse.de |opensuse-kde-bugs@opensuse.
                   |                            |org

--- Comment #10 from Luciano Santos <luc14n0@opensuse.org> ---
I'm sorry if I digressed. Focusing on the bug title and what has been said already:

> 1. I installed CISCO AnyConnect VPN (openconnect) plugin for Network Manager
> 2. Added the Gateway, Reported OS (Windows), enable Token Authentication (HOTP - Ask for this password every time)
> 3. Save - at this step I am asked for the root password because in the General Configuration tab the All users may connect to this network option is enabled by default. I type the root password and save the profile
> 4. Connect to the new profile - I am asked for the root password, the credentials window appears, and when I click connect, the window disappears (crash).
>
> I should not be asked for the root password since the connection should NOT be available for all users (this was the case before the update that happened about 1 week ago)

> Tried adding an L2TP VPN connection also. If I manually disable All users may connect to this network (in General configuration tab), the connection can be saved and it is successful.

> It seems that whatever connection I try to add has All users may connect to this network enabled by default.

So the "All users may connect to this network" option used to not be selected before, and authentication wasn't required. Now, after some update, about a week before you filed this bug for some reason (around 2022-11-23, give or take), this option is selected by default and authentication is required.

In my humble opinion, behavior-wise when the option is selected or not, that's not a bug. Regarding the change of defaults (before, the option was OFF, and now it's ON) I'll let the KDE folks sort it out.

(In reply to Cosmin Tanczel from comment #9)
> I thought...still do... that Network refers to the networking stack. Is this not the case?

Basically yes. But it has more to do with which component the offending package falls under. Now, I get the picture of the issue being reported. I wasn't trying to be a pain in the neck for you. Changing the component back to KDE!

> This behavior seems to be the same for all plugins that require 2FA (is NM using gnome-keyrings libraries??)

No, NM doesn't use gnome-keyrings libraries. It uses PolicyKit instead [1].

> I cannot provide debugging logs for NM only next week (traveling), but I think the ones that I already sent are enough. If still needed, please let me know.

Let's hold that back for now as it might not be relevant to this bug specifically, unless you want to address those crashes too. If so, you'd better file a new bug then. I say this because one issue (the "All users may connect to this network" option) might not be related to the other (that culminates with the crashes when trying to connect to the VPN).

Has the VPN connection stopped working at the same time when the "All user may..." option defaulted to ON? If so, it might really be helpful then.

And, again, I'm sorry for the digressions and confusion I may have caused you.

[1] https://github.com/openSUSE/polkit-default-privs

http://bugzilla.opensuse.org/show_bug.cgi?id=1204869#c11

--- Comment #11 from Cosmin Tanczel <cosmin.tanczel@gmail.com> ---
> So the "All users may connect to this network" option used to not be selected
> before, and authentication wasn't required. Now, after some update, about a week
> before you filed this bug for some reason (around 2022-11-23, give or take), this
> option is selected by default and authentication is required.

> In my humble opinion, behavior-wise when the option is selected or not, that's
> not a bug. Regarding the change of defaults (before, the option was OFF, and now
> it's ON) I'll let the KDE folks to sort it out.

Well... not sure how to name it, but for sure it's not ok to have it enabled by default, because it obliges the normal user to always uncheck this option before creating a new VPN connection. Otherwise he needs to enter the root password that he might not know. But this is just my humble opinion.

> Has the VPN connection stopped working at the same time when the "All user
> may..." option defaulted to ON? If so, it might really be helpful then.

Yes, the VPN stopped working the same time this was added.

http://bugzilla.opensuse.org/show_bug.cgi?id=1204869#c12

--- Comment #12 from Cosmin Tanczel <cosmin.tanczel@gmail.com> ---
Just discovered something important for this ticket:

The created VPN crashes when the offered certificate is detected as being invalid.

Explanation: The CISCO VPN device I use to connect to has a valid certificate signed for a specific domain. Let's name it domain.com.

If the new VPN profile is created with IP as a Gateway value, instead of domain.com as the Gateway value, the behavior is the one I described, the NM crashes, even though I consent that I accept the invalid certificate! See: openconnect-ciscoAnyConnect-VPN.png

If the new VPN profile is created with domain.com as the Gateway value (the domain the certificate was created/signed for) the connection works!

The other issue (All users may connect to this network) stays.

So to conclude: I guess introducing "All users may connect to this network" is not causing the NM to crash. Accepting the invalid certificate causes the NM to crash.

Also the NM seems to crash in such a way that no other connection works anymore. Whatever I am trying to connect to, using NM, results in nothing happening. No reaction from the NM. The only thing I get in logs is the line regarding the agent not being present.

After a NM crash, if I open NM settings and click on whatever connection (to edit) I get an error: See system_error_multiple.png

If I try to delete a connection I also get an error: See system_error_after_failed_VPN_connection.png

http://bugzilla.opensuse.org/show_bug.cgi?id=1204869#c13

--- Comment #13 from Cosmin Tanczel <cosmin.tanczel@gmail.com> ---
Created attachment 862776
  --> http://bugzilla.opensuse.org/attachment.cgi?id=862776&action=edit
openconnect-ciscoAnyConnect-VPN

http://bugzilla.opensuse.org/show_bug.cgi?id=1204869#c14

--- Comment #14 from Cosmin Tanczel <cosmin.tanczel@gmail.com> ---
Created attachment 862777
  --> http://bugzilla.opensuse.org/attachment.cgi?id=862777&action=edit
system_error_multiple

http://bugzilla.opensuse.org/show_bug.cgi?id=1204869#c15

--- Comment #15 from Cosmin Tanczel <cosmin.tanczel@gmail.com> ---
Created attachment 862778
  --> http://bugzilla.opensuse.org/attachment.cgi?id=862778&action=edit
system_error_after_failed_VPN_connection

http://bugzilla.opensuse.org/show_bug.cgi?id=1204869#c16

Cosmin Tanczel <cosmin.tanczel@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED

--- Comment #16 from Cosmin Tanczel <cosmin.tanczel@gmail.com> ---
Seems to be solved now! Closing the ticket