Bug 350521 - [RFE] [OpenVPN] kdeplasma-applets-plasma-nm does not support OTP Tokens for OpenVPN connections
Summary: [RFE] [OpenVPN] kdeplasma-applets-plasma-nm does not support OTP Tokens for O...
Status: CONFIRMED
Alias: None
Product: plasma-nm
Classification: Plasma
Component: general (show other bugs)
Version: 5.24.5
Platform: openSUSE Linux
: NOR wishlist
Target Milestone: ---
Assignee: Unassigned bugs mailing-list
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2015-07-22 20:23 UTC by vst
Modified: 2024-10-23 07:22 UTC (History)
27 users (show)

See Also:
Latest Commit:
Version Fixed In:
Sentry Crash Report:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description vst 2015-07-22 20:23:42 UTC
My company uses OTP with OpenVPN, so we have a three-factor authentication:
1) the private key
2) the username/password combination
3) an OTP token generated by Google Authenticator (on a separate prompt)

I use the kdeplasma-applets-plasma-nm package as my NM GUI, and it does not know how to respond to the OTP challenge.
Here is the documentation on the CHALLENGE/RESPONSE protocol (at the bottom of the page):
https://openvpn.net/index.php/open-source/documentation/miscellaneous/79-management-interface.html
It says client UIs should add explicit support for the challenge/response protocol. We use the 'dynamic' variation of the protocol, judging by the NM output in the logs.

Reproducible: Always

Steps to Reproduce:
1. Create an OpenVPN connection in the NM KDE Plasma applet
2. Start the connection
3. Have your key, username/password, OTP application ready

Actual Results:  
Jul 22 18:07:06 vst NetworkManager[23350]: <info>  Starting VPN service 'openvpn'...
Jul 22 18:07:06 vst NetworkManager[23350]: <info>  VPN service 'openvpn' started (org.freedesktop.NetworkManager.openvpn), PID 14500
Jul 22 18:07:06 vst NetworkManager[23350]: <info>  VPN service 'openvpn' appeared; activating connections
Jul 22 18:07:06 vst NetworkManager[23350]: <info>  VPN plugin state changed: starting (3)
Jul 22 18:07:06 vst NetworkManager[23350]: <info>  VPN connection 'VPN OTP' (Connect) reply received.
Jul 22 18:07:06 vst nm-openvpn[14501]: OpenVPN 2.3.6 x86_64-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Dec  2 2014  
Jul 22 18:07:06 vst nm-openvpn[14501]: library versions: OpenSSL 1.0.2d 9 Jul 2015, LZO 2.09
Jul 22 18:07:06 vst NetworkManager[23350]: nm-openvpn-Message: openvpn started with pid 14501
Jul 22 18:07:06 vst nm-openvpn[14501]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Jul 22 18:07:06 vst nm-openvpn[14501]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts 
Jul 22 18:07:06 vst nm-openvpn[14501]: WARNING: file '/home/vst/ovpn3/vst.key' is group or others accessible
Jul 22 18:07:06 vst nm-openvpn[14501]: WARNING: file '/home/vst/ovpn3/ta.key' is group or others accessible
Jul 22 18:07:06 vst nm-openvpn[14501]: Control Channel Authentication: using '/home/vst/ovpn3/ta.key' as a OpenVPN static key file
Jul 22 18:07:06 vst nm-openvpn[14501]: UDPv4 link local: [undef] 
Jul 22 18:07:06 vst nm-openvpn[14501]: UDPv4 link remote: [AF_INET]ovpnhost:1194
Jul 22 18:07:08 vst nm-openvpn[14501]: [OpenVPN Server] Peer Connection Initiated with [AF_INET]ovpnhost:1194
Jul 22 18:07:10 vst nm-openvpn[14501]: AUTH: Received control message: AUTH_FAILED,CRV1:R,E:VM2+d9zeWvqrTIgufNqZHGloeSAoTUbb:dnN0ZXRza2V2eWNo:OTP Token:
Jul 22 18:07:10 vst nm-openvpn[14501]: SIGUSR1[soft,auth-failure] received, process restarting
Jul 22 18:07:10 vst NetworkManager[23350]: <warn>  VPN plugin failed: login-failed (0)
Jul 22 18:07:10 vst NetworkManager[23350]: <info>  VPN plugin state changed: stopped (6)
Jul 22 18:07:10 vst NetworkManager[23350]: <info>  VPN plugin state change reason: login-failed (10)
Jul 22 18:07:10 vst NetworkManager[23350]: <warn>  error disconnecting VPN: Could not process the request because no VPN connection was active. 
Jul 22 18:07:10 vst NetworkManager[23350]: (nm-openvpn-service:14500): nm-openvpn-WARNING **: Password verification failed
Jul 22 18:07:30 vst NetworkManager[23350]: <info>  VPN service 'openvpn' disappeared

Expected Results:  
Here's a try with the official console client. Connects fine.
[root@vst ~]# openvpn --config /home/vst/ovpn3/ovpn3.conf
Wed Jul 22 23:01:55 2015 OpenVPN 2.3.6 x86_64-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Dec  2 2014
Wed Jul 22 23:01:55 2015 library versions: OpenSSL 1.0.2d 9 Jul 2015, LZO 2.09
Enter Auth Username: ************
Enter Auth Password: ***********************
CHALLENGE: OTP Token:
Response: ******
Wed Jul 22 23:02:16 2015 Control Channel Authentication: tls-auth using INLINE static key file
Wed Jul 22 23:02:16 2015 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Jul 22 23:02:16 2015 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Jul 22 23:02:16 2015 Socket Buffers: R=[212992->200000] S=[212992->200000]
Wed Jul 22 23:02:16 2015 UDPv4 link local: [undef]
Wed Jul 22 23:02:16 2015 UDPv4 link remote: [AF_INET]ovpnhost:1194
Wed Jul 22 23:02:16 2015 TLS: Initial packet from [AF_INET]ovpnhost:1194, sid=14519136 d810d773
Wed Jul 22 23:02:16 2015 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Wed Jul 22 23:02:19 2015 VERIFY OK: depth=1, CN=OpenVPN CA
Wed Jul 22 23:02:19 2015 VERIFY OK: nsCertType=SERVER
Wed Jul 22 23:02:19 2015 VERIFY OK: depth=0, CN=OpenVPN Server
...............  connection successful

Please fix the client so that it prompts for the challenge. Could use some kind of an askpass program maybe.
Comment 1 Jan Grulich 2015-07-23 14:25:55 UTC
Does it work in Gnome? I wonder whether NM OpenVpn plugins supports this, otherwise there is nothing to implement until they add a support for that.
Comment 2 vst 2015-07-23 14:29:42 UTC
It does not work in Gnome. Here's a bug report:
https://bugzilla.gnome.org/show_bug.cgi?id=752740
But this may also be a client issue, I cannot tell.
Comment 3 Jan Grulich 2015-07-23 14:33:28 UTC
Then, as I said, we need to wait until it's supported by the VPN plugin, then adding a dialog for that should be easy.
Comment 4 Jan Grulich 2016-07-18 11:08:39 UTC
*** Bug 365807 has been marked as a duplicate of this bug. ***
Comment 5 Lamarque V. Souza 2017-05-01 14:14:02 UTC
(In reply to vst from comment #2)
> It does not work in Gnome. Here's a bug report:
> https://bugzilla.gnome.org/show_bug.cgi?id=752740
> But this may also be a client issue, I cannot tell.

It looks like [1] this has been implemented in networkmanager-openvpn 1.2.8. By what I can see in the implementation we do not need to change anything in Plasma NM for it to work. Can you upgrade networkmanager-openvpn an check if it works for you?

[1] https://bugzilla.gnome.org/show_bug.cgi?id=751842
Comment 6 vst 2017-05-03 12:55:47 UTC
Unfortunately I cannot test this now, because I don't have access to an OTP-enabled OpenVPN server.
Comment 7 GwynBleidD 2018-09-13 09:54:25 UTC
(In reply to Lamarque V. Souza from comment #5)
> (In reply to vst from comment #2)
> > It does not work in Gnome. Here's a bug report:
> > https://bugzilla.gnome.org/show_bug.cgi?id=752740
> > But this may also be a client issue, I cannot tell.
> 
> It looks like [1] this has been implemented in networkmanager-openvpn 1.2.8.
> By what I can see in the implementation we do not need to change anything in
> Plasma NM for it to work. Can you upgrade networkmanager-openvpn an check if
> it works for you?
> 
> [1] https://bugzilla.gnome.org/show_bug.cgi?id=751842

Unfortunately, it does not work. Gnome is properly showing pop-up for oauth token, but KDE doesn't. VPN is just stuck at connecting after providing password and timeouts after some time. No popup for token is shown...

It may be relevant to bug in Gnome - if you set your password to be remembered between connections, it will automatically fill OAuth prompt with your password and also save OAuth token as your password if you fill it in... Maybe on KDE side it tries to fill in previously typed password as OAuth token instead of asking for one?
Comment 8 Brylie Christopher Oxley 2019-05-13 07:49:38 UTC
Can confirm that this is still affecting plasma-nm 5.15.4 on Kubuntu 19.04. I use VPN daily for work, and as a result have to resort to downloading/installing VPN client. While it is not too difficult to use a third-party client, it would be nice if the OS VPN manager would handle OTP -- as it is becoming increasingly important to use two-factor authentication.
Comment 9 Jan Grulich 2019-05-15 05:51:13 UTC
Support for OTP tokens will be in Plasma 5.16.0.
Comment 10 GwynBleidD 2019-05-15 08:54:12 UTC
Is this really changed in OpenVPN? I can see only changes affecting openconnect VPN in the source code...
Comment 11 Jan Grulich 2019-05-15 08:55:30 UTC
Sorry, it's really openconnect for now.
Comment 12 Michal Sylwester 2020-01-03 09:06:39 UTC
*** This bug has been confirmed by popular vote. ***
Comment 13 Vincent Scharf 2020-02-03 22:03:32 UTC
I can also confirm this behavior. In GNOME the challenge pops up just as expected, but on KDE there is only asked for the password and then the connection fails, since the OTP was not provided.

Is there any work already done on this?
Comment 14 DarkEye 2020-02-20 16:11:40 UTC
Same here seems to work in kde an  i get the following error in syslog :

------
Feb 20 18:07:32 XXXX-Latitude-E7270 nm-openvpn[16556]: [OpenVPN Server] Peer Connection Initiated with [AF_INET]XXX.XXX.XX.XXX:1194
Feb 20 18:07:34 XXXX-Latitude-E7270 nm-openvpn[16556]: AUTH: Received control message: AUTH_FAILED,CRV1:R,E:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:XXXXX==:Enter Google Authenticator Code
Feb 20 18:07:34 XXX-Latitude-E7270 NetworkManager[1574]: <warn>  [1582214854.1904] vpn-connection[0x556548b62520,d3ef7923-c5e2-4361-9c9e-4a544fe2f016,"XXXX_vpn",0]: VPN plugin: failed: login-failed (0)
------
Comment 15 Jarno Malmari 2020-09-20 13:06:15 UTC
Still present in plasma-nm 5.19.5-1, networkmanager-openvpn 1.8.12-1.

journalctl --unit nm-openvp --unit NetworkManager:

> [ 6072.762200] NetworkManager[540]: <info>  [1600605261.6491] vpn-connection[...]: Started the VPN service, PID 6707
> [ 6072.768125] NetworkManager[540]: <info>  [1600605261.6551] vpn-connection[...]: Saw the service appear; activating connection
> [ 6077.270378] NetworkManager[540]: <info>  [1600605266.1573] vpn-connection[...]: VPN plugin: state changed: starting (3)
> [ 6077.274301] nm-openvpn[6714]: OpenVPN 2.4.9 [git:makepkg/9b0dafca6c50b8bb+] x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 20 2020
> [ 6077.274343] nm-openvpn[6714]: library versions: OpenSSL 1.1.1g  21 Apr 2020, LZO 2.10
> [ 6077.480234] nm-openvpn[6714]: TCP/UDP: Preserving recently used remote address: [AF_INET]xxx.xxx.xxx.xxx:443
> [ 6077.480658] nm-openvpn[6714]: Attempting to establish TCP connection with [AF_INET]xxx.xxx.xxx.xxx:443 [nonblock]
> [ 6078.480644] nm-openvpn[6714]: TCP connection established with [AF_INET]xxx.xxx.xxx.xxx:443
> [ 6078.481944] nm-openvpn[6714]: TCP_CLIENT link local: (not bound)
> [ 6078.482115] nm-openvpn[6714]: TCP_CLIENT link remote: [AF_INET]xxx.xxx.xxx.xxx:443
> [ 6078.482256] nm-openvpn[6714]: NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
> [ 6078.760194] nm-openvpn[6714]: [OpenVPN Server] Peer Connection Initiated with [AF_INET]xxx.xxx.xxx.xxx:443
> [ 6085.258042] nm-openvpn[6714]: AUTH: Received control message: AUTH_FAILED,CRV1:R,E:XXXXXXXX:YYYYYYYYY:Enter your one time password
> [ 6085.259484] nm-openvpn[6714]: SIGUSR1[soft,auth-failure] received, process restarting
> [ 6085.259707] NetworkManager[540]: <warn>  [1600605274.1461] vpn-connection[...]: VPN plugin: failed: login-failed (0)
> [ 6085.260683] nm-openvpn[6714]: SIGTERM[hard,init_instance] received, process exiting
> [ 6085.260907] NetworkManager[540]: <warn>  [1600605274.1463] vpn-connection[...]: VPN plugin: failed: connect-failed (1)
> [ 6085.261142] NetworkManager[540]: <info>  [1600605274.1465] vpn-connection[...]: VPN plugin: state changed: stopping (5)
> [ 6085.261415] NetworkManager[540]: <info>  [1600605274.1470] vpn-connection[...]: VPN plugin: state changed: stopped (6)
> [ 6085.268077] NetworkManager[540]: <info>  [1600605274.1550] vpn-connection[...]: VPN service disappeared
Comment 16 Fernando Gomes 2021-01-23 00:20:02 UTC
I'm using Fedora 33 with plasma-nm-5.20.5-1.fc33.x86_64 and I can also confirm this behavior.
In GNOME the challenge pops up just as expected, but on KDE there is only asked for the password and then the connection fails, since the OTP was not provided.

Best Regards,
Comment 17 Jan Grulich 2021-07-21 09:25:10 UTC
Can you try whether https://invent.kde.org/plasma/plasma-nm/-/merge_requests/67 makes any difference?
Comment 18 hockeymikey 2022-01-31 01:38:06 UTC
(In reply to Jan Grulich from comment #17)
> Can you try whether
> https://invent.kde.org/plasma/plasma-nm/-/merge_requests/67 makes any
> difference?

Doesn't for me.
Comment 19 Fernando Gomes 2022-01-31 11:51:07 UTC
Hi,

 With plasma-nm-5.23.5-1.fc35.x86_64 the dialog appear correctly.

Best Regards,
Fernando Gomes
Comment 20 hockeymikey 2022-02-01 04:05:52 UTC
(In reply to Fernando Gomes from comment #19)
>  With plasma-nm-5.23.5-1.fc35.x86_64 the dialog appear correctly.


Not for I. I am on 5.23.5-1 (Arch)
Comment 21 Petr Barton 2022-02-15 12:34:20 UTC
It also works for me now
I have 5.24.0-1.1 (opensuse)

imho this can be closed
Comment 22 Popescu Sorin 2022-05-29 11:06:41 UTC
On Plasma 5.24.5 is not working. It looks like it doesn't take into consideration the static-challenge "TOTP SSO:" 1 option.
Comment 23 yauhen.vasileusky 2024-04-22 10:38:13 UTC
Is seems the bug is still there

plasma-nm 4:6.0.4-0xneon+22.04+jammy+release+build39

No OTP popup appears

journalctl -u -f NetworkManager

nm-openvpn[65369]: TCP/UDP: Preserving recently used remote address: [AF_INET]*.*.*.*:*
nm-openvpn[65369]: UDP link local: (not bound)
nm-openvpn[65369]: UDP link remote: [AF_INET]*.*.*.*:*
nm-openvpn[65369]: [OpenVPN Server] Peer Connection Initiated with [AF_INET]*.*.*.*:*
nm-openvpn[65369]: AUTH: Received control message: AUTH_FAILED,CRV1:R,E:PG_6K8dDiU5pfn36Iu6:ZXh0ZXJuYWwuZXZnZW5peS52YXNpbGV2c2tpeQ==:Enter Authenticator Code
nm-openvpn[65369]: SIGUSR1[soft,auth-failure] received, process restarting
NetworkManager[958]: <warn>  [1713779336.9853] vpn[0x6167e3a58880,e2969ec5-4f11-49f5-9075-83ae7b0ed30e,"VPN (openvpn)"]: connect timeout exceeded
nm-openvpn-serv[65365]: Connect timer expired, disconnecting.
nm-openvpn[65369]: SIGTERM[hard,init_instance] received, process exiting
Comment 24 Íñigo 2024-06-05 08:33:58 UTC
We are adding some patches to NetworkManager that I expect that will make this to work from KDE Plasma without any change required. It will need at least NetworkManager 1.46.2 and NetworkManager-openvpn 1.12.0 (tentative, but probable versions).

NetworkManager MR: https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/merge_requests/1958
Comment 25 sidpranjale127 2024-10-23 07:22:15 UTC
the OTP pop up does not seem to appear on Fedora 40, NetworkManager version 1.46.2 and networkmanager-openvpn version 1.12.0

Is there anything that needs to be changed in the VPN config for this to work?