[xenial] nm-openvpn continuously retries with bad password after receiving AUTH_FAIL locking out my account
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
network-manager-openvpn (Ubuntu) |
Confirmed
|
Undecided
|
Unassigned |
Bug Description
I have nm-openvpn configured via the network manager gui on Xenial with a saved password. My organization has a password expiration policy of X days. If I forgot to update the saved password for nm-openvpn and try to VPN in, nm-openvpn tries the connection, fails without notice in the UI and retries until I stop it. This ultimately causes my account to get locked out for too many invalid auth attempts.
sanitized/censored from syslog:
Nov 27 09:11:06 carbon NetworkManager[
Nov 27 09:11:06 carbon nm-openvpn[4971]: OpenVPN 2.3.10 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Jun 22 2017
Nov 27 09:11:07 carbon nm-openvpn[4971]: library versions: OpenSSL 1.0.2g 1 Mar 2016, LZO 2.08
Nov 27 09:11:07 carbon nm-openvpn[4971]: WARNING: No server certificate verification method has been enabled. See http://
Nov 27 09:11:07 carbon nm-openvpn[4971]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Nov 27 09:11:07 carbon nm-openvpn[4971]: WARNING: file '/home/
Nov 27 09:11:07 carbon nm-openvpn[4971]: Control Channel Authentication: using '/home/
Nov 27 09:11:07 carbon nm-openvpn[4971]: NOTE: chroot will be delayed because of --client, --pull, or --up-delay
Nov 27 09:11:07 carbon nm-openvpn[4971]: NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Nov 27 09:11:07 carbon nm-openvpn[4971]: UDPv4 link local: [undef]
Nov 27 09:11:07 carbon nm-openvpn[4971]: UDPv4 link remote: [AF_INET]
Nov 27 09:11:07 carbon nm-openvpn[4971]: WARNING: this cipher's block size is less than 128 bit (64 bit). Consider using a --cipher with a larger block size.
Nov 27 09:11:07 carbon nm-openvpn[4971]: WARNING: this cipher's block size is less than 128 bit (64 bit). Consider using a --cipher with a larger block size.
Nov 27 09:11:07 carbon nm-openvpn[4971]: [VPNGate.
Nov 27 09:11:10 carbon nm-openvpn[4971]: AUTH: Received control message: AUTH_FAILED
Nov 27 09:11:10 carbon nm-openvpn[4971]: SIGUSR1[
Nov 27 09:11:10 carbon NetworkManager[
Nov 27 09:11:12 carbon nm-openvpn[4971]: WARNING: No server certificate verification method has been enabled. See http://
Nov 27 09:11:12 carbon nm-openvpn[4971]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Nov 27 09:11:12 carbon nm-openvpn[4971]: UDPv4 link local: [undef]
Nov 27 09:11:12 carbon nm-openvpn[4971]: UDPv4 link remote: [AF_INET]
Nov 27 09:11:12 carbon nm-openvpn[4971]: WARNING: this cipher's block size is less than 128 bit (64 bit). Consider using a --cipher with a larger block size.
Nov 27 09:11:12 carbon nm-openvpn[4971]: WARNING: this cipher's block size is less than 128 bit (64 bit). Consider using a --cipher with a larger block size.
Nov 27 09:11:12 carbon nm-openvpn[4971]: [VPNGate.
Nov 27 09:11:15 carbon nm-openvpn[4971]: AUTH: Received control message: AUTH_FAILED
Nov 27 09:11:15 carbon nm-openvpn[4971]: SIGUSR1[
...
...
[eventually I caught on to what was happening and stopped it]
...
...
Nov 27 09:12:00 carbon NetworkManager[
Nov 27 09:12:00 carbon nm-openvpn[4971]: event_wait : Interrupted system call (code=4)
Nov 27 09:12:00 carbon nm-openvpn[4971]: SIGTERM[hard,] received, process exiting
Nov 27 09:12:00 carbon NetworkManager[
(and yes, I know I should fix the cipher and key file permissions)
Status changed to 'Confirmed' because the bug affects multiple users.