Bug in OpenVPN user/pass auth

danmac

OK so I just couldn't wait any longer, the release of 2.2 RC just got too tempting. Upgraded from 2.1.5 on i386. Running among other things, OpenVPN.

The upgrade went smooth as butter, a real credit to the hard working team. I did spot "Out of file descriptors" on the console shortly before the post-upgrade reboot, but this seems to have been inconsequential.

However, I noticed what I would call a bug (!) when attempting to connect via OpenVPN after the upgrade. One of the user passwords begins with a space. This confuses 2.2, and refuses to authenticate, whereas 2.1 has always worked fine.

Authentication into the web console is not affected.

Spaces after the first character do not cause any problems. (haven't tried a trailing one, though)

Please let me know if I can give any further details or assistance with testing etc. If not, let me just say "you guys rock!" and leave it at that :)

Cheers,

Dan.

jimp

Are these local users? RADIUS users? LDAP users?

The method for reading the password from OpenVPN hasn't changed from one version to the next, but other things may have changed in the authentication path.

eri--

A fix was pushed for this.

meteotest

This is still somewhat of an issue as of today's (2.2-RC (amd64) built on Mon Dec 22 01:05:39 CST 2014) version:

If the password ends on a special character ("+" in my case) authentication fails with```
Mon Dec 22 10:24:17 2014 AUTH: Received control message: AUTH_FAILED
Mon Dec 22 10:24:17 2014 SIGUSR1[soft,auth-failure] received, process restarting

The same password is accepted for GUI-logins. This is with local users.

meteotest

Still an issue as of  today's (2.2-RC (amd64) built on Tue Dec 23 05:11:07 CST 2014 ) version.

danmac

Sorry :( I thought I was subscribed to email notifications … :/

This is affecting local users for me - I haven't tried with LDAP etc.

I'm having unrelated problems (random hangs) introduced by the 2.2 RC so will be upgrading to latest snapshot in a day or two. Is it worth me testing to see if this problem remains?

meteotest

still an issue as of today's version (2.2-RC (amd64) built on Sun Jan 04 18:53:21 CST 2015).

Submitted to bugtracker. https://redmine.pfsense.org/issues/4177

meteotest

And it's fixed :) thanks a lot.

danmac

Thanks to the devs for nailing this, and to meteotest for the heads up :)