
pkcs11 forces stdin pin prompt

Open Firstyear opened this issue 2 years ago • 3 comments

Describe the bug

When configuring an openvpn server with pkcs11, a pin is required to access the token. Due to how this pin is requested, openvpn will only accept the password from stdin or systemd-ask-password, neither of which works very well for systems where you want to automatically unlock the key/cert.

To Reproduce

  • Configure pkcs11 with pkcs11-protected-authentication 0
  • Restart openvpn
  • Pin is requested from stdin / systemd-ask-password

Expected behavior

That the pin could be supplied via askpass or a similar pkcs11-pin file.

Version information (please complete the following information):

  • OS: OpenSUSE Tumbleweed
  • OpenVPN version: openvpn-2.6.6-1.1.x86_64.rpm

Additional context

Backtrace from openvpn during password request.

(lldb) bt
* thread #1, name = 'openvpn', stop reason = signal SIGSTOP
  * frame #0: 0x00007f1c96300ad7 libc.so.6`wait4 + 25
    frame #1: 0x000056454f80e36c openvpn`openvpn_popen(a=<unavailable>, es=<unavailable>) at run_command.c:264:21
    frame #2: 0x000056454f7cdded openvpn`query_user_exec at console_systemd.c:76:20
    frame #3: 0x000056454f7cdd67 openvpn`query_user_exec at console_systemd.c:113:14
    frame #4: 0x000056454f7ce8a9 openvpn`get_user_pass_cr at console_systemd.c:54:12
    frame #5: 0x000056454f7ce888 openvpn`get_user_pass_cr(up=0x00007ffe96885250, auth_file=<unavailable>, prefix="remote token", flags=21, auth_challenge=0x0000000000000000) at misc.c:337:22
    frame #6: 0x000056454f7e1fb4 openvpn`_pkcs11_openvpn_pin_prompt [inlined] get_user_pass(flags=21, prefix="remote token", auth_file=0x0000000000000000, up=0x00007ffe96885250) at misc.h:135:12
    frame #7: 0x000056454f7e1faf openvpn`_pkcs11_openvpn_pin_prompt(global_data=<unavailable>, user_data=<unavailable>, token=<unavailable>, retry=<unavailable>, pin="\U00000010y\x88\x96\xfe\U0000007f", pin_max=1024) at pkcs11.c:256:10
    frame #8: 0x00007f1c96cf33c0 libpkcs11-helper.so.1`___lldb_unnamed_symbol353 + 608
    frame #9: 0x00007f1c96cf47a1 libpkcs11-helper.so.1`___lldb_unnamed_symbol361 + 273
    frame #10: 0x00007f1c96cf5466 libpkcs11-helper.so.1`___lldb_unnamed_symbol364 + 118
    frame #11: 0x00007f1c96cf806a libpkcs11-helper.so.1`pkcs11h_certificate_getCertificateBlob + 1226
    frame #12: 0x00007f1c96cffa1c libpkcs11-helper.so.1`pkcs11h_openssl_getX509 + 124
    frame #13: 0x000056454f7e2e35 openvpn`xkey_load_from_pkcs11h(certificate=0x000056455154e850, ctx=0x00007ffe9688aef8) at pkcs11_openssl.c:284:18
    frame #14: 0x000056454f7e3035 openvpn`tls_ctx_use_pkcs11 [inlined] pkcs11_init_tls_session(ssl_ctx=<unavailable>, certificate=<unavailable>) at pkcs11_openssl.c:335:13
    frame #15: 0x000056454f7e3030 openvpn`tls_ctx_use_pkcs11(ssl_ctx=<unavailable>, pkcs11_id_management=<unavailable>, pkcs11_id="IBM/SW\\x20\\x20\\x20TPM/0000000000000000/remote/32313039303063653831663432323865") at pkcs11.c:782:10
    frame #16: 0x000056454f816abc openvpn`init_ssl at ssl.c:720:14
    frame #17: 0x000056454f7c45d4 openvpn`do_init_crypto_tls at init.c:3153:9
    frame #18: 0x000056454f7c5d08 openvpn`init_instance at init.c:3527:9
    frame #19: 0x000056454f7d9aef openvpn`tunnel_server_tcp at init.c:4428:5
    frame #20: 0x000056454f7e3d79 openvpn`openvpn_main(argc=<unavailable>, argv=<unavailable>) at openvpn.c:319:25
    frame #21: 0x000056454f79fb7b openvpn`main(argc=<unavailable>, argv=<unavailable>) at openvpn.c:396:12
    frame #22: 0x00007f1c962281b0 libc.so.6`__libc_start_call_main + 130
    frame #23: 0x00007f1c96228279 libc.so.6`__libc_start_main@@GLIBC_2.34 + 139
    frame #24: 0x000056454f79fbb5 openvpn`_start at start.S:115

The important frame is 6, where auth_file is set to NULL, meaning that openvpn will always proceed to request interactive pin entry.

Firstyear, Nov 13 '23 05:11

A possible option is to have your call to systemd-ask-password call --credential so that if a systemd credential exists it can be used instead.

Firstyear, Nov 13 '23 05:11
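As an added illustration of the credential-based unlock proposed in the comment above (this is example code, not OpenVPN's or systemd's, and not what any OpenVPN pull request implements), here is a POSIX shell lookup that mirrors that logic: use a systemd credential if the unit provides one, otherwise an operator-supplied PIN file, and only fall back to prompting when neither is usable. The credential name openvpn-token.pin and the PIN-file argument are assumptions; CREDENTIALS_DIRECTORY is the variable systemd sets for units that use LoadCredential= or LoadCredentialEncrypted=.

```shell
#!/bin/sh
# Added example, not OpenVPN's or systemd's code. It emulates the lookup
# proposed above: take the token PIN from a systemd credential when the unit
# provides one, else from an operator-supplied PIN file, and return 1 when
# neither is usable so the caller can fall back to an interactive prompt.
# Assumed: credential name "openvpn-token.pin"; CREDENTIALS_DIRECTORY, which
# systemd sets for units using LoadCredential= / LoadCredentialEncrypted=;
# GNU/busybox stat -c (Linux, where systemd runs).

# Refuse a PIN source that group or other users can read.
pin_source_is_private() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    case "$mode" in
        *00) return 0 ;;   # e.g. 400 or 600: only the owner holds any bits
        *)   return 1 ;;
    esac
}

# pkcs11_pin_lookup [credential-name] [pin-file]
# Prints the PIN (trailing newline stripped) and returns 0, or returns 1.
pkcs11_pin_lookup() {
    cred=""
    if [ -n "${CREDENTIALS_DIRECTORY:-}" ]; then
        cred="$CREDENTIALS_DIRECTORY/${1:-openvpn-token.pin}"
    fi
    for src in "$cred" "${2:-}"; do
        [ -n "$src" ] && [ -f "$src" ] || continue
        if ! pin_source_is_private "$src"; then
            echo "refusing $src: readable by group/other" >&2
            return 1   # a PIN anyone on the host can read defeats the PIN
        fi
        printf '%s\n' "$(cat "$src")"
        return 0
    done
    return 1   # no non-interactive source: prompt, as openvpn does today
}

# Stand-alone demonstration with a constructed credentials directory.
demo_dir=$(mktemp -d)
printf '123456\n' > "$demo_dir/openvpn-token.pin"
chmod 0400 "$demo_dir/openvpn-token.pin"
CREDENTIALS_DIRECTORY="$demo_dir" pkcs11_pin_lookup && echo "(from credential)"
chmod 0644 "$demo_dir/openvpn-token.pin"   # now readable by others
CREDENTIALS_DIRECTORY="$demo_dir" pkcs11_pin_lookup || echo "(would prompt)"
rm -rf "$demo_dir"
```

An encrypted credential (LoadCredentialEncrypted=) is decrypted by systemd at unit start into that private directory, so the cleartext PIN never has to sit in the openvpn configuration or a world-readable file.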

@Firstyear How does it work for you? Could you give an example?

luqtd, May 05 '25 10:05

https://github.com/OpenVPN/openvpn/pull/630

Firstyear, May 06 '25 23:05