Unusable Password - Bad Characters?


  • One of my OpenVPN clients began repeatedly failing the user/pass auth after I recently updated to 2.2-RELEASE (I know, I am really behind on this one…).

    Symptoms: Viscosity client repeatedly prompts for password upon connection attempt. This was working prior to the v2.2 update and is now consistently failing.

    Client:

    Feb 19 03:13:38: Checking reachability status of connection...
    Feb 19 03:13:38: Connection is reachable. Starting connection attempt.
    Feb 19 03:13:39: OpenVPN 2.3.6 Windows-MSVC [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Dec  2 2014
    Feb 19 03:13:39: library versions: OpenSSL 1.0.1j 15 Oct 2014, LZO 2.06
    Feb 19 03:13:40: Control Channel Authentication: using 'C:\Program Files\Common Files\Viscosity\OpenVPNConfig\xxxxx\1\ta.key' as a OpenVPN static key file
    Feb 19 03:13:40: UDPv4 link local (bound): [undef]
    Feb 19 03:13:40: UDPv4 link remote: [AF_INET]xx.xx.xx.xx:xx
    Feb 19 03:13:40: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
    Feb 19 03:13:47: [FQDN] Peer Connection Initiated with [AF_INET]xx.xx.xx.xx:xx
    Feb 19 03:13:49: AUTH: Received control message: AUTH_FAILED
    Feb 19 03:13:50: SIGUSR1[soft,auth-failure] received, process restarting
    

    Server:

    Feb 19 15:13:47 	openvpn[59912]: xx.xx.xx.xx:43425 [WorkDesktop] Peer Connection Initiated with [AF_INET]xx.xx.xx.xx:43425
    Feb 19 15:13:47 	openvpn[59912]: xx.xx.xx.xx:43425 TLS Auth Error: Auth Username/Password verification failed for peer
    Feb 19 15:13:47 	openvpn[59912]: xx.xx.xx.xx:43425 WARNING: Failed running command (--auth-user-pass-verify): external program exited with error status: 1
    Feb 19 15:13:47 	openvpn: user 'WorkDesktop' could not authenticate.
    

    The issue appears to be related to the chosen password. Creating a new password allows the client to authenticate. Changing back to the old password recreates the issue. (I am changing the password in both the pfSense user manager and in the client).

    The offending password is as follows:

    ```
    Sr>6v5MopZ1{55EV,jR!oVw&iJ&}/IPc
    ```

    My OpenVPN config uses certs and credentials for clients.

    I was able to log in to the GUI using the password, so it may be limited to OpenVPN.
    
    Is there something wrong with my password? Invalid characters?
    
    Thanks!
    -Scott
  • Banned


  • Thanks! I searched, but didn't find this.

    -Scott


  • I'm not sure where to post this, but bug 4177 is marked "Resolved" but it isn't.

    The line in ovpn_auth_verify doesn't handle the base64 encoding properly. It should be:

    ```
    password=$(echo -n "${password}" | openssl enc -base64 | sed -e 's/=/%3D/g' | sed -e 's/+/%2B/g' | sed -e 's_/_%2F_g')
    ```

    Or if you want the sed all on one line:

    ```
    sed -e 's_=_%3D_g;s_+_%2B_g;s_/_%2F_g'
    ```

    Try the password: "00>00?0" to test.

    Thanks
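
An added example (not code from the post or from pfSense) showing why the three escapes in the last post matter, using that post's test password. It assumes the value is form-decoded by whatever receives it; `form_decode` and `survives` are hypothetical helpers, and coreutils `base64` stands in for `openssl enc -base64`.

```shell
#!/bin/sh
# Added example: why base64 output must be percent-encoded before it is
# handed to a consumer that form-decodes it (assumed behaviour).

# Base64-encode a string on one line (coreutils base64 stands in for
# `openssl enc -base64`).
b64() {
    printf '%s' "$1" | base64 | tr -d '\n'
}

# The escaping proposed in the post: '=', '+' and '/' become %3D, %2B, %2F.
b64_escaped() {
    b64 "$1" | sed -e 's_=_%3D_g;s_+_%2B_g;s_/_%2F_g'
}

# Hypothetical consumer: form-decoding turns '+' into a space, then
# resolves the three percent-escapes used above.
form_decode() {
    printf '%s' "$1" | sed -e 's/+/ /g;s/%3D/=/g;s/%2B/+/g;s_%2F_/_g'
}

# Return 0 if the transported value decodes back to the original password.
survives() {   # $1 = original password, $2 = value as transported
    got=$(form_decode "$2" | base64 -d 2>/dev/null) || got=
    [ "$got" = "$1" ]
}

# Constructed check using the test password from the post.
pw='00>00?0'
for value in "$(b64 "$pw")" "$(b64_escaped "$pw")"; do
    if survives "$pw" "$value"; then
        echo "ok      $value"
    else
        echo "BROKEN  $value"
    fi
done
```

The unescaped value fails the round trip because its `+` is turned into a space before base64 decoding, while the escaped value comes back intact.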