[opensuse-factory] SOLVED: openvpn as a service (client) --askpass for passwordless keys without
Hi,

When on Tumbleweed and using openvpn as a client with passwordless SSL keys, you will find the service dead (e.g. on boot), waiting for a password. On a root terminal, rcopenvpn restart brings up an "enter your private key's password:" request that can be omitted by hitting the enter key. Tunnels will start then, but only then.

I found the systemd openvpn startup script (which is linked to /etc/systemd/system/multitarget.wants/...) contains an option "--askpass" that caused the problem. Removing the option did the trick for me, but I am unsure if this is a bug, a feature or a security measure to educate people against passwordless keys.

I just thought some other people might find this helpful, I didn't find anything online about this. Not yet.

-- 
Markus Feilner
Team Lead Documentation
P.S.: I moved - new home address: Wöhrdstraße 10, 93059 Regensburg
_This incident will be documented._
+49 173 5876 838 (also via Signal), privat: +49 170 302 7092
mfeilner@suse.[com|de] http://www.suse.com
G+: https://plus.google.com/+MarkusFeilner
Xing: http://www.xing.com/profile/Markus_Feilner
LinkedIn: https://www.linkedin.com/in/markusfeilner
#mfeilner: Jabber, Skype, Twitter
openSUSE: http://www.opensuse.org
SUSE Linux GmbH GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nürnberg)
-- 
To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
On 03/05/2018, 03:19 PM, Markus Feilner wrote:
I found the systemd openvpn startup script (which is linked to /etc/systemd/system/multitarget.wants/...) contains an option "--askpass" that caused the problem.
Removing the option did the trick for me, but I am unsure if this is a bug, a feature or a security measure to educate people against passwordless keys.
I just thought some other people might find this helpful, I didn't find anything online about this. Not yet.
Please open a bug. This beats me too.

thanks,
-- 
js
suse labs
Jiri Slaby wrote:
On 03/05/2018, 03:19 PM, Markus Feilner wrote:
I found the systemd openvpn startup script (which is linked to /etc/systemd/system/multitarget.wants/...) contains an option "--askpass" that caused the problem.
Removing the option did the trick for me, but I am unsure if this is a bug, a feature or a security measure to educate people against passwordless keys.
I just thought some other people might find this helpful, I didn't find anything online about this. Not yet. Please open a bug. This beats me too.
There is already a bug report for this: https://bugzilla.opensuse.org/show_bug.cgi?id=985798

Greetings,
Björn
Hi, I am still unsure if this is an openVPN bug or a Systemd "Feature", but it does not seem to be related to the bugs listed before. Here's what I found out today to fix it:
... the problem persists here, even after removing the --ask-pass option. Strange. Mind this: Calling openvpn --config returns the desired effect, but the systemd startup file does not. Strange. I will look into that. Should I add my findings to the bug in bugzilla? Somehow they don't seem to be related...

(... later ...)

Maybe I just found *my* solution:

    rcopenvpn status
    Warning: openvpn@fibonacci.service changed on disk. Run 'systemctl daemon-reload' to reload units.
    * openvpn@fibonacci.service - OpenVPN tunneling daemon instance using /etc/openvpn/fibonacci.conf
       Loaded: loaded (/usr/lib/systemd/system/openvpn@.service; enabled; vendor preset: disabled)
       Active: active (running) since Wed 2018-03-14 14:28:34 CET; 2s ago
      Process: 23847 ExecStart=/usr/sbin/openvpn --daemon --askpass --suppress-timestamps --writepid /run/openvpn/fibonacci.pid --cd /etc/openvpn/ --config fibonacci.conf (code=exited, status=0
     Main PID: 23851 (openvpn)
and after a systemctl daemon-reload the new ExecStart from the config file was being used. Weird and unintuitive, I guess: I changed openvpn's systemd startup file, killed the service, restarted it, but still I have to tell systemd about the change - I did not know that.
Again what learnt.
Can it be that Systemd caches a start file and needs a daemon-reload when I change it even if the corresponding service is not running? That sounds weird. I wonder if this is rather a systemd topic than an openvpn one.

Did that help?

On Friday, 9 March 2018, 17:19:57 CET, Bjoern Voigt wrote:
Jiri Slaby wrote:
On 03/05/2018, 03:19 PM, Markus Feilner wrote:
I found the systemd openvpn startup script (which is linked to /etc/systemd/system/multitarget.wants/...) contains an option "--askpass" that caused the problem.
Removing the option did the trick for me, but I am unsure if this is a bug, a feature or a security measure to educate people against passwordless keys.
I just thought some other people might find this helpful, I didn't find anything online about this. Not yet.
Please open a bug. This beats me too.
There is already a bug report for this: https://bugzilla.opensuse.org/show_bug.cgi?id=985798
Greetings, Björn
-- 
Markus Feilner
Team Lead Documentation
Hey,

I also can't create an 802.1x connection (using certificates) and get a similar error message. NetworkManager can't establish it and tells me (I do it via nmcli) that I provided no password for the pem-file.

This is in Leap 15.0 Beta and in the last TW version. Before I send a bug report I would like to test it again in... Kubuntu, for example.
On 14.03.2018 19:20, Markus Feilner wrote:
Can it be that Systemd caches a start file and needs a daemon-reload when I change it even if the corresponding service is not running? That sounds weird. I wonder if this is rather a systemd topic than an openvpn one.
Did that help?
Not sure if this was a question, but - systemd does not *re*load a unit definition unless explicitly told to by "systemctl daemon-reload". OTOH systemd attempts aggressive garbage collection - if a unit becomes inactive and is not referenced by another unit, its definition is purged and so loaded again next time. Also systemd performs lazy loading - a unit definition is not loaded until needed. So the answer to the above questions is "it depends" :) In general it is safer to explicitly call "systemctl daemon-reload" after changing a unit definition file.

On Wednesday, 14 March 2018, 18:19:55 CET, Andrei Borzenkov wrote:
On 14.03.2018 19:20, Markus Feilner wrote:
Can it be that Systemd caches a start file and needs a daemon-reload when I change it even if the corresponding service is not running? That sounds weird. I wonder if this is rather a systemd topic than an openvpn one.
Did that help?
Not sure if this was a question, but - systemd does not *re*load a unit definition unless explicitly told to by "systemctl daemon-reload". OTOH systemd attempts aggressive garbage collection - if a unit becomes inactive and is not referenced by another unit, its definition is purged and so loaded again next time. Also systemd performs lazy loading - a unit definition is not loaded until needed. So the answer to the above questions is "it depends" :) In general it is safer to explicitly call "systemctl daemon-reload" after changing a unit definition file.

Nice. I never heard of that. Thanks a lot for explaining. Thus that sounds more like a hidden feature/gem of systemd rather than an openvpn or PKI flaw. Probably a classical OSI layer 8 bug. Sorry... :-)

However, I think the openvpn people should discuss whether the --ask-pass parameter makes sense in the systemd unit file.

P.S.: I may take your explanation in an update of my openvpn book. Might help someone... :-)

-- 
Markus Feilner
Team Lead Documentation