FS#33588 - [openvpn] 2.3 Regression

Attached to Project: Arch Linux
Opened by Curtis (foxcm2000) - Sunday, 27 January 2013, 03:34 GMT
Last edited by Thomas Bächler (brain0) - Saturday, 09 February 2013, 14:58 GMT
Task Type Bug Report
Category Packages: Extra
Status Closed
Assigned To Thomas Bächler (brain0)
Architecture x86_64
Severity High
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

Description:

After having used openvpn in multiple versions for several years without problems, the upgrade to version 2.3 brought this error:

Sat Jan 26 22:30:33 2013 OpenVPN 2.3.0 x86_64-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [eurephia] [MH] [IPv6] built on Jan 20 2013
Sat Jan 26 22:30:33 2013 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sat Jan 26 22:30:33 2013 ERROR: could not not read Private Key password from stdin
Sat Jan 26 22:30:33 2013 Exiting due to fatal error


Additional info:
* package version(s): OpenVPN 2.3


Steps to reproduce:

1. Upgrade to OpenVPN 2.3
2. Run the openvpn client with a private key that requires a passphrase.
3. Instead of prompting for the passphrase, OpenVPN immediately bombs out

Closed by Thomas Bächler (brain0)
Saturday, 09 February 2013, 14:58 GMT
Reason for closing: Fixed
Additional comments about closing: openvpn 2.3.0-2
Comment by Thomas Bächler (brain0) - Sunday, 27 January 2013, 18:39 GMT
There have been changes regarding reading passphrases, in particular, OpenVPN uses systemd-ask-password to query passphrases (this is needed so that it can prompt for a passphrase when run from a systemd service). IIRC, if this option is enabled, OpenVPN will never query from standard input and always use systemd-ask-password, regardless of whether standard input is available or not.

Is your system running systemd?
Comment by Curtis (foxcm2000) - Sunday, 27 January 2013, 22:30 GMT
Yes, my system runs systemd and I have just confirmed that systemd-ask-pass is installed and that I can run it.
Comment by Lukas Fleischer (lfleischer) - Tuesday, 29 January 2013, 06:40 GMT
I can reproduce this, running openvpn 2.3.0-1 and systemd 197-4. From `strace -f openvpn [...]`:

----
[pid 12239] close(3) = 0
[pid 12239] dup2(4, 1) = 1
[pid 12239] execve("/bin/systemd-ask-password", ["/bin/systemd-ask-password", "Enter Auth Username:"], [/* 0 vars */]) = -1 ENOENT (No such file or directory)
[pid 12239] exit_group(127) = ?
----

Looks like the systemd-ask-password path is hardcoded to "/bin/systemd-ask-password"...
Comment by Thomas Bächler (brain0) - Tuesday, 29 January 2013, 09:38 GMT
Oh yes, I didn't catch that. That can be easily patched. Workaround until I get to fix the package: ln -s /usr/bin/systemd-ask-password /bin
Comment by Curtis (foxcm2000) - Tuesday, 29 January 2013, 14:19 GMT
Thanks for finding the bug & suggesting the work-around. As a side-note, should the dependencies for the openvpn package be updated to list systemd as (at least) an optional dependency? I'm in good shape since I've upgraded to systemd, but other users might want more of a warning about this issue.
Comment by Thomas Bächler (brain0) - Tuesday, 29 January 2013, 14:25 GMT
From the openvpn source code:

#ifdef ENABLE_SYSTEMD
  if (check_systemd_running ())
    return get_console_input_systemd (prompt, echo, input, capacity);
#endif

If systemd is not running, then (contrary to my first statement) openvpn falls back to querying input from the controlling terminal. This is done without the need to access libsystemd-daemon. There is thus no need for a systemd dependency.
Comment by Curtis (foxcm2000) - Tuesday, 29 January 2013, 23:51 GMT
OK, I have tested it with the work-around in place and it is running fine. Go ahead and close the bug once the patched version with the correct path is out. Thanks for your help!
Comment by Lukas Fleischer (lfleischer) - Wednesday, 30 January 2013, 08:57 GMT
Works fine here after applying attached patch. Maybe this should also be "fixed" upstream ("fixed" as in using a configurable/dynamic path)?
Comment by Lukas Fleischer (lfleischer) - Wednesday, 30 January 2013, 09:00 GMT
Also attached my PKGBUILD changes (even though they are pretty straightforward).