[Desktop-packages] [Bug 1734735] Re: [xenial] nm-openvpn continuously retries with bad password after receiving AUTH_FAIL locking out my account

Launchpad Bug Tracker Fri, 24 May 2019 04:31:28 -0700

Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: network-manager-openvpn (Ubuntu)
       Status: New => Confirmed


-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to network-manager-openvpn in Ubuntu.
https://bugs.launchpad.net/bugs/1734735

Title:
  [xenial] nm-openvpn continuously retries with bad password after
  receiving AUTH_FAIL locking out my account

Status in network-manager-openvpn package in Ubuntu:
  Confirmed

Bug description:
  I have nm-openvpn configured via the network manager gui on Xenial
  with a saved password. My organization has a password expiration
  policy of X days. If I forgot to update the saved password for nm-
  openvpn and try to VPN in, nm-openvpn tries the connection, fails
  without notice in the UI and retries until I stop it. This ultimately
  causes my account to get locked out for too many invalid auth
  attempts.

  sanitized/censored from syslog:
  Nov 27 09:11:06 carbon NetworkManager[1173]: nm-openvpn-Message: 
openvpn[4971] started
  Nov 27 09:11:06 carbon nm-openvpn[4971]: OpenVPN 2.3.10 x86_64-pc-linux-gnu 
[SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Jun 22 2017
  Nov 27 09:11:07 carbon nm-openvpn[4971]: library versions: OpenSSL 1.0.2g  1 
Mar 2016, LZO 2.08
  Nov 27 09:11:07 carbon nm-openvpn[4971]: WARNING: No server certificate 
verification method has been enabled.  See http://openvpn.net/howto.html#mitm 
for more info.
  Nov 27 09:11:07 carbon nm-openvpn[4971]: NOTE: the current --script-security 
setting may allow this configuration to call user-defined scripts
  Nov 27 09:11:07 carbon nm-openvpn[4971]: WARNING: file 
'/home/myusername/Downloads/certs/ta.key' is group or others accessible
  Nov 27 09:11:07 carbon nm-openvpn[4971]: Control Channel Authentication: 
using '/home/myusername/Downloads/certs/ta.key' as a OpenVPN static key file
  Nov 27 09:11:07 carbon nm-openvpn[4971]: NOTE: chroot will be delayed because 
of --client, --pull, or --up-delay
  Nov 27 09:11:07 carbon nm-openvpn[4971]: NOTE: UID/GID downgrade will be 
delayed because of --client, --pull, or --up-delay
  Nov 27 09:11:07 carbon nm-openvpn[4971]: UDPv4 link local: [undef]
  Nov 27 09:11:07 carbon nm-openvpn[4971]: UDPv4 link remote: 
[AF_INET]10.0.28.166:1195
  Nov 27 09:11:07 carbon nm-openvpn[4971]: WARNING: this cipher's block size is 
less than 128 bit (64 bit).  Consider using a --cipher with a larger block size.
  Nov 27 09:11:07 carbon nm-openvpn[4971]: WARNING: this cipher's block size is 
less than 128 bit (64 bit).  Consider using a --cipher with a larger block size.
  Nov 27 09:11:07 carbon nm-openvpn[4971]: [VPNGate.example.com] Peer 
Connection Initiated with [AF_INET]10.0.28.166:1195
  Nov 27 09:11:10 carbon nm-openvpn[4971]: AUTH: Received control message: 
AUTH_FAILED
  Nov 27 09:11:10 carbon nm-openvpn[4971]: SIGUSR1[soft,auth-failure] received, 
process restarting
  Nov 27 09:11:10 carbon NetworkManager[1173]: (nm-openvpn-service:4894): 
nm-openvpn-WARNING **: Password verification failed
  Nov 27 09:11:12 carbon nm-openvpn[4971]: WARNING: No server certificate 
verification method has been enabled.  See http://openvpn.net/howto.html#mitm 
for more info.
  Nov 27 09:11:12 carbon nm-openvpn[4971]: NOTE: the current --script-security 
setting may allow this configuration to call user-defined scripts
  Nov 27 09:11:12 carbon nm-openvpn[4971]: UDPv4 link local: [undef]
  Nov 27 09:11:12 carbon nm-openvpn[4971]: UDPv4 link remote: 
[AF_INET]10.0.28.166:1195
  Nov 27 09:11:12 carbon nm-openvpn[4971]: WARNING: this cipher's block size is 
less than 128 bit (64 bit).  Consider using a --cipher with a larger block size.
  Nov 27 09:11:12 carbon nm-openvpn[4971]: WARNING: this cipher's block size is 
less than 128 bit (64 bit).  Consider using a --cipher with a larger block size.
  Nov 27 09:11:12 carbon nm-openvpn[4971]: [VPNGate.example.com] Peer 
Connection Initiated with [AF_INET]10.0.28.166:1195
  Nov 27 09:11:15 carbon nm-openvpn[4971]: AUTH: Received control message: 
AUTH_FAILED
  Nov 27 09:11:15 carbon nm-openvpn[4971]: SIGUSR1[soft,auth-failure] received, 
process restarting
  ...
  ...
  [eventually I caught on to what was happening and stopped it]
  ...
  ...
  Nov 27 09:12:00 carbon NetworkManager[1173]: nm-openvpn-Message: 
openvpn[4971]: send SIGTERM
  Nov 27 09:12:00 carbon nm-openvpn[4971]: event_wait : Interrupted system call 
(code=4)
  Nov 27 09:12:00 carbon nm-openvpn[4971]: SIGTERM[hard,] received, process 
exiting
  Nov 27 09:12:00 carbon NetworkManager[1173]: nm-openvpn-Message: 
openvpn[4971] exited with success

  
  (and yes, I know I should fix the cipher and key file permissions)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/network-manager-openvpn/+bug/1734735/+subscriptions

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to     : [email protected]
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp

[Desktop-packages] [Bug 1734735] Re: [xenial] nm-openvpn continuously retries with bad password after receiving AUTH_FAIL locking out my account

Reply via email to