Bugzilla – Bug 1217054
systemd-ask-password spawned by openvpn does not read password from credentials
Last modified: 2023-11-30 16:11:45 UTC
systemd-ask-password's manpage states: --credential= Configure a credential to read the password from – if it exists. This may be used in conjunction with the ImportCredential=, LoadCredential= and SetCredential= settings in unit files. See systemd.exec(5) for details. If not specified, defaults to "password". This option has no effect if no credentials directory is passed to the program (i.e. $CREDENTIALS_DIRECTORY is not set) or if the no credential of the specified name exists. When a service is overrided with: [Service] LoadCredential=password:/etc/openvpn/remote.pin Then this does not actually work with the service, and causes systemd-ask-password to hang: # systemctl status openvpn@remote ● openvpn@remote.service - OpenVPN tunneling daemon instance using /etc/openvpn/remote.conf Loaded: loaded (/usr/lib/systemd/system/openvpn@.service; enabled; preset: disabled) Drop-In: /etc/systemd/system/openvpn@remote.service.d └─override.conf Active: active (running) since Mon 2023-11-13 15:32:46 AEST; 1s ago Main PID: 2365 (openvpn) Status: "Pre-connection initialization successful" Tasks: 2 (limit: 2314) CPU: 37ms CGroup: /system.slice/system-openvpn.slice/openvpn@remote.service ├─2365 /usr/sbin/openvpn --daemon openvpn@remote --writepid /run/openvpn/remote.pid --cd /etc/openvpn/ --config remote.conf └─2367 /usr/bin/systemd-ask-password --icon network-vpn "Enter remote token Password:" Expected Results: systemd-ask-password to read from the Credentials as specified by LoadCredential systemd-254.5-5.1.x86_64
(In reply to William Brown from comment #0) > Expected Results: systemd-ask-password to read from the Credentials as > specified by LoadCredential For that openvpn would need to pass '--credential=' to systemd-ask-password, no ? I don't think this is currently implemented by openvpn.
That's the problem, the man page says otherwise. --credential= Configure a credential to read the password from – if it exists. This may be used in conjunction with the ImportCredential=, LoadCredential= and SetCredential= settings in unit files. See systemd.exec(5) for details. If not specified, defaults to "password". This option has no effect if no credentials directory is passed to the program (i.e. $CREDENTIALS_DIRECTORY is not set) or if the no credential of the specified name exists. Specifically: "If not specified, defaults to "password"." So this means anycall to systemd-ask-password *should* be triggering a call to credentials to read from the key password. The behaviour in reality is that it's not doing this. So either the wording in the man page is confusing and incorrect, or there is a bug in systemd-ask-password not triggering the correct call to the credentials api.
Can you give the following service a test: $ systemctl cat test-cred.service # /etc/systemd/system/test-cred.service [Service] LoadCredential=password:/etc/openvpn/remote.pin ExecStart=systemd-ask-password "remote mdp" Type=oneshot In the journal you should see something like this: > Nov 27 12:12:26 localhost.localdomain systemd[1]: Starting test-cred.service... > Nov 27 12:12:36 localhost.localdomain bash[61997]: foo > Nov 27 12:12:36 localhost.localdomain systemd[1]: test-cred.service: Deactivated successfully. Assuming that the content of /etc/openvpn/remote.pin is "foo".
If the previous test works as expected then please enable the debug logs (with `systemctl log-level debug`) and try again with the openvpn service and attach the relevant parts of the journal. Thanks.
The test you linked passed. My guess could be at this point that openvpn isn't passing through the environment properly to the systemd-ask-password command? Here are the logs: (sd-mkdcr[7310]: Moving mount /dev/shm → /run/credentials/openvpn@remote.service (MS_MOVE "")... (openvpn)[7309]: (sd-mkdcreds) succeeded. (openvpn)[7309]: Bind-mounting / on /run/systemd/mount-rootfs (MS_BIND|MS_REC "")... (openvpn)[7309]: Applying namespace mount on /run/systemd/mount-rootfs/run/credentials (openvpn)[7309]: Mounting tmpfs (tmpfs) on /run/systemd/mount-rootfs/run/credentials (MS_NOSUID|MS_NODEV|MS_NOEXEC|MS_STRICTATIME "mode=0755,size=4m,nr_inodes=1k")... (openvpn)[7309]: Applying namespace mount on /run/systemd/mount-rootfs/run/credentials/openvpn@remote.service (openvpn)[7309]: Followed source symlinks /run/credentials/openvpn@remote.service → /run/credentials/openvpn@remote.service. (openvpn)[7309]: Bind-mounting /run/credentials/openvpn@remote.service on /run/systemd/mount-rootfs/run/credentials/openvpn@remote.service (MS_BIND "")... (openvpn)[7309]: Failed to mount /run/credentials/openvpn@remote.service (type n/a) on /run/systemd/mount-rootfs/run/credentials/openvpn@remote.service (MS_BIND ""): No such file or directory (openvpn)[7309]: Bind-mounting /run/credentials/openvpn@remote.service on /run/systemd/mount-rootfs/run/credentials/openvpn@remote.service (MS_BIND "")... (openvpn)[7309]: Successfully mounted /run/credentials/openvpn@remote.service to /run/systemd/mount-rootfs/run/credentials/openvpn@remote.service (openvpn)[7309]: Applying namespace mount on /run/systemd/mount-rootfs/run/systemd/incoming (openvpn)[7309]: Followed source symlinks /run/systemd/propagate/openvpn@remote.service → /run/systemd/propagate/openvpn@remote.service. (openvpn)[7309]: Bind-mounting /run/systemd/propagate/openvpn@remote.service on /run/systemd/mount-rootfs/run/systemd/incoming (MS_BIND "")... (openvpn)[7309]: Successfully mounted /run/systemd/propagate/openvpn@remote.service to /run/systemd/mount-rootfs/run/systemd/incoming (openvpn)[7309]: Applying namespace mount on /run/systemd/mount-rootfs/tmp (openvpn)[7309]: Bind-mounting /tmp/systemd-private-d9ef3f21b89649a9ae4cb7a29610f6c5-openvpn@remote.service-SOmjpc/tmp on /run/systemd/mount-rootfs/tmp (MS_BIND|MS_REC "")... (openvpn)[7309]: Successfully mounted /tmp/systemd-private-d9ef3f21b89649a9ae4cb7a29610f6c5-openvpn@remote.service-SOmjpc/tmp to /run/systemd/mount-rootfs/tmp (openvpn)[7309]: Applying namespace mount on /run/systemd/mount-rootfs/var/tmp (openvpn)[7309]: Bind-mounting /var/tmp/systemd-private-d9ef3f21b89649a9ae4cb7a29610f6c5-openvpn@remote.service-IbI8Rj/tmp on /run/systemd/mount-rootfs/var/tmp (MS_BIND|MS_REC "")... (openvpn)[7309]: Successfully mounted /var/tmp/systemd-private-d9ef3f21b89649a9ae4cb7a29610f6c5-openvpn@remote.service-IbI8Rj/tmp to /run/systemd/mount-rootfs/var/tmp (openvpn)[7309]: openvpn@remote.service: Executing: /usr/sbin/openvpn --daemon openvpn@remote --writepid /run/openvpn/remote.pid --cd /etc/openvpn/ --config remote.conf openvpn@remote[7309]: WARNING: file '/etc/openvpn/remote.pin' is group or others accessible openvpn@remote[7309]: OpenVPN 2.6.8 x86_64-suse-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] openvpn@remote[7309]: library versions: OpenSSL 3.1.4 24 Oct 2023, LZO 2.10 systemd[1]: openvpn@remote.service: Got notification message from PID 7309 (READY=0) openvpn@remote[7309]: PKCS#11: Adding PKCS#11 provider '/usr/lib64/pkcs11/libtpm2_pkcs11.so' openvpn[7309]: INFO on line: "393" in file: "src/pkcs11.c": enter "C_GetFunctionList" openvpn[7309]: INFO on line: "393" in file: "src/pkcs11.c": return "C_GetFunctionList" value: 0 openvpn[7309]: INFO on line: "381" in file: "src/pkcs11.c": enter "C_Initialize" openvpn[7309]: INFO on line: "41" in file: "src/lib/backend.c": Initializing backends openvpn[7309]: INFO on line: "116" in file: "src/lib/backend_fapi.c": Calling Fapi_Initialize openvpn[7309]: ERROR:fapi:src/tss2-fapi/ifapi_config.c:202:expand_home() Home directory can't be determined. openvpn[7309]: ERROR:fapi:src/tss2-fapi/ifapi_config.c:275:ifapi_config_initialize_finish() Expand home directory. ErrorCode (0x0006001d) openvpn[7309]: ERROR:fapi:src/tss2-fapi/api/Fapi_Initialize.c:198:Fapi_Initialize_Finish() Could not finish initialization ErrorCode (0x0006001d) openvpn[7309]: WARNING on line: "37" in file: "src/lib/backend_fapi.c": Listing FAPI token objects failed: "fapi:The provided path is bad" openvpn[7309]: Please see https://github.com/tpm2-software/tpm2-pkcs11/blob/1.9.0/docs/FAPI.md for more details openvpn[7309]: WARNING on line: "56" in file: "src/lib/backend.c": FAPI backend was not initialized. openvpn[7309]: INFO on line: "1325" in file: "src/lib/db.c": using TPM2_PKCS11_STORE="/etc/openvpn/pkcs11/tpm2_pkcs11.sqlite3" openvpn[7309]: INFO on line: "2626" in file: "src/lib/db.c": Using sqlite3 DB: "/etc/openvpn/pkcs11/tpm2_pkcs11.sqlite3" openvpn[7309]: INFO on line: "2584" in file: "src/lib/db.c": No DB upgrade needed openvpn[7309]: INFO on line: "462" in file: "src/lib/tpm.c": tcti=device:/dev/tpmrm0 openvpn[7309]: INFO on line: "412" in file: "src/lib/mech.c": Updating mech detail table that PSS signatures are: good openvpn[7309]: INFO on line: "186" in file: "src/lib/backend.c": Esysdb returned 1 token openvpn[7309]: INFO on line: "462" in file: "src/lib/tpm.c": tcti=device:/dev/tpmrm0 openvpn[7309]: INFO on line: "234" in file: "src/lib/backend.c": Esysdb + FAPI returned 2 token openvpn[7309]: INFO on line: "381" in file: "src/pkcs11.c": return "C_Initialize" value: 0 openvpn[7309]: INFO on line: "389" in file: "src/pkcs11.c": enter "C_GetInfo" openvpn[7309]: INFO on line: "389" in file: "src/pkcs11.c": return "C_GetInfo" value: 0 systemd[1]: openvpn@remote.service: Got notification message from PID 7309 (READY=1, STATUS=Pre-connection initialization successful, MAINPID=7309) systemd[1]: openvpn@remote.service: Changed start -> running systemd[1]: openvpn@remote.service: Job 1848 openvpn@remote.service/start finished, result=done systemd[1]: Started OpenVPN tunneling daemon instance using /etc/openvpn/remote.conf. systemd[1]: openvpn@remote.service: Failed to send unit change signal for openvpn@remote.service: Connection reset by peer openvpn@remote[7309]: Diffie-Hellman initialized with 2048 bit key openvpn[7309]: INFO on line: "397" in file: "src/pkcs11.c": enter "C_GetSlotList" openvpn[7309]: INFO on line: "397" in file: "src/pkcs11.c": return "C_GetSlotList" value: 0 openvpn[7309]: INFO on line: "397" in file: "src/pkcs11.c": enter "C_GetSlotList" openvpn[7309]: INFO on line: "397" in file: "src/pkcs11.c": return "C_GetSlotList" value: 0 openvpn[7309]: INFO on line: "405" in file: "src/pkcs11.c": enter "C_GetTokenInfo" openvpn[7309]: INFO on line: "405" in file: "src/pkcs11.c": return "C_GetTokenInfo" value: 0 openvpn[7309]: INFO on line: "433" in file: "src/pkcs11.c": enter "C_OpenSession" openvpn[7309]: INFO on line: "433" in file: "src/pkcs11.c": return "C_OpenSession" value: 0
(In reply to William Brown from comment #5) > The test you linked passed. > > My guess could be at this point that openvpn isn't passing through the > environment properly to the systemd-ask-password command? Good guess. openvpn spawns systemd-ask-password with an empty environment however $CREDENTIALS_DIRECTORY, exported by systemd when spawning openvpn, must be passed down to systemd-ask-password in order to make the credentials stuff work. Reassigning to openvpn maintainer. Mohd, I don't know whether openvpn really wants to support systemd credentials, I'll let you figure it out.