Summary: | [RFE] [OpenVPN] kdeplasma-applets-plasma-nm does not support OTP Tokens for OpenVPN connections |
---|---|
Product: | [Plasma] plasma-nm |
Component: | general |
Status: | CONFIRMED --- |
Severity: | wishlist |
Priority: | NOR |
Version: | 5.24.5 |
Target Milestone: | --- |
Platform: | openSUSE |
OS: | Linux |
Reporter: | vst <slava18+bugs> |
Assignee: | Unassigned bugs mailing-list <unassigned-bugs> |
CC: | adeptsmail, alex765, austin0198, brylie, dev, djsorinel, dnelubin, etherpulse, fapg, forceuserz, gbd.lin, hockeymikey, inigohuguet, jgrulich, jiri.tyr, kde, keplicz, lamarque, m.seifert, nils.van-zuijlen, nrndda, petrbarton2, ph, sidpranjale127, tore, vincent, yauhen.vasileusky |
Latest Commit: | |
Version Fixed In: | |
Sentry Crash Report: | |
Description
vst
2015-07-22 20:23:42 UTC
Does it work in Gnome? I wonder whether NM OpenVpn plugins supports this, otherwise there is nothing to implement until they add a support for that.

It does not work in Gnome. Here's a bug report: https://bugzilla.gnome.org/show_bug.cgi?id=752740
But this may also be a client issue, I cannot tell.

Then, as I said, we need to wait until it's supported by the VPN plugin, then adding a dialog for that should be easy.

*** Bug 365807 has been marked as a duplicate of this bug. ***

(In reply to vst from comment #2)
> It does not work in Gnome. Here's a bug report:
> https://bugzilla.gnome.org/show_bug.cgi?id=752740
> But this may also be a client issue, I cannot tell.

It looks like [1] this has been implemented in networkmanager-openvpn 1.2.8. By what I can see in the implementation we do not need to change anything in Plasma NM for it to work. Can you upgrade networkmanager-openvpn and check if it works for you?

[1] https://bugzilla.gnome.org/show_bug.cgi?id=751842

Unfortunately I cannot test this now, because I don't have access to an OTP-enabled OpenVPN server.

(In reply to Lamarque V. Souza from comment #5)
> (In reply to vst from comment #2)
> > It does not work in Gnome. Here's a bug report:
> > https://bugzilla.gnome.org/show_bug.cgi?id=752740
> > But this may also be a client issue, I cannot tell.
>
> It looks like [1] this has been implemented in networkmanager-openvpn 1.2.8.
> By what I can see in the implementation we do not need to change anything in
> Plasma NM for it to work. Can you upgrade networkmanager-openvpn and check if
> it works for you?
>
> [1] https://bugzilla.gnome.org/show_bug.cgi?id=751842

Unfortunately, it does not work. Gnome is properly showing pop-up for oauth token, but KDE doesn't. VPN is just stuck at connecting after providing password and times out after some time. No popup for token is shown...
It may be relevant to bug in Gnome - if you set your password to be remembered between connections, it will automatically fill OAuth prompt with your password and also save OAuth token as your password if you fill it in... Maybe on KDE side it tries to fill in previously typed password as OAuth token instead of asking for one?

Can confirm that this is still affecting plasma-nm 5.15.4 on Kubuntu 19.04. I use VPN daily for work, and as a result have to resort to downloading/installing VPN client. While it is not too difficult to use a third-party client, it would be nice if the OS VPN manager would handle OTP -- as it is becoming increasingly important to use two-factor authentication.

Support for OTP tokens will be in Plasma 5.16.0.

Is this really changed in OpenVPN? I can see only changes affecting openconnect VPN in the source code...

Sorry, it's really openconnect for now.

*** This bug has been confirmed by popular vote. ***

I can also confirm this behavior. In GNOME the challenge pops up just as expected, but on KDE there is only asked for the password and then the connection fails, since the OTP was not provided. Is there any work already done on this?

Same here seems to work in kde and I get the following error in syslog:
------
Feb 20 18:07:32 XXXX-Latitude-E7270 nm-openvpn[16556]: [OpenVPN Server] Peer Connection Initiated with [AF_INET]XXX.XXX.XX.XXX:1194
Feb 20 18:07:34 XXXX-Latitude-E7270 nm-openvpn[16556]: AUTH: Received control message: AUTH_FAILED,CRV1:R,E:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:XXXXX==:Enter Google Authenticator Code
Feb 20 18:07:34 XXX-Latitude-E7270 NetworkManager[1574]: <warn> [1582214854.1904] vpn-connection[0x556548b62520,d3ef7923-c5e2-4361-9c9e-4a544fe2f016,"XXXX_vpn",0]: VPN plugin: failed: login-failed (0)
------

Still present in plasma-nm 5.19.5-1, networkmanager-openvpn 1.8.12-1.
journalctl --unit nm-openvp --unit NetworkManager:
> [ 6072.762200] NetworkManager[540]: <info> [1600605261.6491] vpn-connection[...]: Started the VPN service, PID 6707
> [ 6072.768125] NetworkManager[540]: <info> [1600605261.6551] vpn-connection[...]: Saw the service appear; activating connection
> [ 6077.270378] NetworkManager[540]: <info> [1600605266.1573] vpn-connection[...]: VPN plugin: state changed: starting (3)
> [ 6077.274301] nm-openvpn[6714]: OpenVPN 2.4.9 [git:makepkg/9b0dafca6c50b8bb+] x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 20 2020
> [ 6077.274343] nm-openvpn[6714]: library versions: OpenSSL 1.1.1g 21 Apr 2020, LZO 2.10
> [ 6077.480234] nm-openvpn[6714]: TCP/UDP: Preserving recently used remote address: [AF_INET]xxx.xxx.xxx.xxx:443
> [ 6077.480658] nm-openvpn[6714]: Attempting to establish TCP connection with [AF_INET]xxx.xxx.xxx.xxx:443 [nonblock]
> [ 6078.480644] nm-openvpn[6714]: TCP connection established with [AF_INET]xxx.xxx.xxx.xxx:443
> [ 6078.481944] nm-openvpn[6714]: TCP_CLIENT link local: (not bound)
> [ 6078.482115] nm-openvpn[6714]: TCP_CLIENT link remote: [AF_INET]xxx.xxx.xxx.xxx:443
> [ 6078.482256] nm-openvpn[6714]: NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
> [ 6078.760194] nm-openvpn[6714]: [OpenVPN Server] Peer Connection Initiated with [AF_INET]xxx.xxx.xxx.xxx:443
> [ 6085.258042] nm-openvpn[6714]: AUTH: Received control message: AUTH_FAILED,CRV1:R,E:XXXXXXXX:YYYYYYYYY:Enter your one time password
> [ 6085.259484] nm-openvpn[6714]: SIGUSR1[soft,auth-failure] received, process restarting
> [ 6085.259707] NetworkManager[540]: <warn> [1600605274.1461] vpn-connection[...]: VPN plugin: failed: login-failed (0)
> [ 6085.260683] nm-openvpn[6714]: SIGTERM[hard,init_instance] received, process exiting
> [ 6085.260907] NetworkManager[540]: <warn> [1600605274.1463] vpn-connection[...]: VPN plugin: failed: connect-failed (1)
> [ 6085.261142] NetworkManager[540]: <info> [1600605274.1465] vpn-connection[...]: VPN plugin: state changed: stopping (5)
> [ 6085.261415] NetworkManager[540]: <info> [1600605274.1470] vpn-connection[...]: VPN plugin: state changed: stopped (6)
> [ 6085.268077] NetworkManager[540]: <info> [1600605274.1550] vpn-connection[...]: VPN service disappeared

I'm using Fedora 33 with plasma-nm-5.20.5-1.fc33.x86_64 and I can also confirm this behavior. In GNOME the challenge pops up just as expected, but on KDE there is only asked for the password and then the connection fails, since the OTP was not provided.
Best Regards,

Can you try whether https://invent.kde.org/plasma/plasma-nm/-/merge_requests/67 makes any difference?

(In reply to Jan Grulich from comment #17)
> Can you try whether
> https://invent.kde.org/plasma/plasma-nm/-/merge_requests/67 makes any
> difference?

Doesn't for me.

Hi,
With plasma-nm-5.23.5-1.fc35.x86_64 the dialog appears correctly.
Best Regards,
Fernando Gomes

(In reply to Fernando Gomes from comment #19)
> With plasma-nm-5.23.5-1.fc35.x86_64 the dialog appear correctly.

Not for me. I am on 5.23.5-1 (Arch)

It also works for me now. I have 5.24.0-1.1 (opensuse). imho this can be closed

On Plasma 5.24.5 it is not working. It looks like it doesn't take into consideration the static-challenge "TOTP SSO:" 1 option.

It seems the bug is still there
plasma-nm 4:6.0.4-0xneon+22.04+jammy+release+build39
No OTP popup appears
journalctl -u -f NetworkManager
nm-openvpn[65369]: TCP/UDP: Preserving recently used remote address: [AF_INET]*.*.*.*:*
nm-openvpn[65369]: UDP link local: (not bound)
nm-openvpn[65369]: UDP link remote: [AF_INET]*.*.*.*:*
nm-openvpn[65369]: [OpenVPN Server] Peer Connection Initiated with [AF_INET]*.*.*.*:*
nm-openvpn[65369]: AUTH: Received control message: AUTH_FAILED,CRV1:R,E:PG_6K8dDiU5pfn36Iu6:ZXh0ZXJuYWwuZXZnZW5peS52YXNpbGV2c2tpeQ==:Enter Authenticator Code
nm-openvpn[65369]: SIGUSR1[soft,auth-failure] received, process restarting
NetworkManager[958]: <warn> [1713779336.9853] vpn[0x6167e3a58880,e2969ec5-4f11-49f5-9075-83ae7b0ed30e,"VPN (openvpn)"]: connect timeout exceeded
nm-openvpn-serv[65365]: Connect timer expired, disconnecting.
nm-openvpn[65369]: SIGTERM[hard,init_instance] received, process exiting

We are adding some patches to NetworkManager that I expect will make this work from KDE Plasma without any change required. It will need at least NetworkManager 1.46.2 and NetworkManager-openvpn 1.12.0 (tentative, but probable versions).
NetworkManager MR: https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/merge_requests/1958

The OTP pop-up does not seem to appear on Fedora 40, NetworkManager version 1.46.2 and networkmanager-openvpn version 1.12.0. Is there anything that needs to be changed in the VPN config for this to work?
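
Added example, not part of the bug thread and not plasma-nm or NetworkManager code: every journal excerpt above stops at an `AUTH_FAILED,CRV1:...` control message, which is OpenVPN's dynamic challenge as documented in its management-notes.txt. This Python sketch parses that message, builds the password string a client sends back with the OTP, and flags logs where the challenge was never followed by an auth result. The sample lines are constructed, and `classify` with its status names is a heuristic assumed for this example.

```python
import base64
import re
from typing import Iterable, NamedTuple, Optional

# Dynamic challenge layout from OpenVPN's management-notes.txt:
#   AUTH_FAILED,CRV1:<flags>:<state_id>:<username_base64>:<challenge_text>
CRV1_RE = re.compile(
    r"AUTH_FAILED,CRV1:(?P<flags>[^:]*):(?P<state>[^:]*):(?P<user>[^:]*):(?P<text>.*)$")

class Challenge(NamedTuple):
    echo: bool               # flag E: echo the typed response
    response_required: bool  # flag R: the user must type a response
    state_id: str
    username: Optional[str]  # None when the field is redacted or not base64
    text: str                # may itself contain colons

def parse_crv1(line: str) -> Optional[Challenge]:
    m = CRV1_RE.search(line)
    if m is None:
        return None
    flags = {f for f in m["flags"].split(",") if f}
    try:
        user = base64.b64decode(m["user"], validate=True).decode("utf-8")
    except ValueError:       # binascii.Error and UnicodeDecodeError derive from it
        user = None
    return Challenge("E" in flags, "R" in flags, m["state"], user, m["text"].strip())

def crv1_password(ch: Challenge, otp: str) -> str:
    # The client reconnects with the decoded username and this string as password.
    return f"CRV1::{ch.state_id}::{otp}"

def classify(lines: Iterable[str]) -> str:
    """Heuristic assumed here: a challenge with no later auth result was left unanswered."""
    status = "no-auth-event"
    for line in lines:
        if parse_crv1(line):
            status = "challenge-unanswered"
        elif "AUTH_FAILED" in line:
            status = "credentials-rejected"
        elif "Initialization Sequence Completed" in line:
            status = "connected"
    return status

# Constructed sample, shaped like the journal excerpts in the thread.
SAMPLE = [
    "nm-openvpn[100]: AUTH: Received control message: AUTH_FAILED,CRV1:R,E:STATE123:YWxpY2U=:Enter Authenticator Code",
    "nm-openvpn[100]: SIGUSR1[soft,auth-failure] received, process restarting",
    "NetworkManager[50]: <warn> vpn-connection[...]: VPN plugin: failed: login-failed (0)",
]
```

A `challenge-unanswered` result alongside `login-failed` or `connect timeout exceeded` matches the symptom reported in this bug: the server asked for a code and no prompt was shown to collect it.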