Public bug reported: I have nm-openvpn configured via the network manager gui on Xenial with a saved password. My organization has a password expiration policy of X days. If I forgot to update the saved password for nm-openvpn and try to VPN in, nm-openvpn tries the connection, fails without notice in the UI and retries until I stop it. This ultimately causes my account to get locked out for too many invalid auth attempts.
sanitized/censored from syslog: Nov 27 09:11:06 carbon NetworkManager[1173]: nm-openvpn-Message: openvpn[4971] started Nov 27 09:11:06 carbon nm-openvpn[4971]: OpenVPN 2.3.10 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Jun 22 2017 Nov 27 09:11:07 carbon nm-openvpn[4971]: library versions: OpenSSL 1.0.2g 1 Mar 2016, LZO 2.08 Nov 27 09:11:07 carbon nm-openvpn[4971]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info. Nov 27 09:11:07 carbon nm-openvpn[4971]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts Nov 27 09:11:07 carbon nm-openvpn[4971]: WARNING: file '/home/myusername/Downloads/certs/ta.key' is group or others accessible Nov 27 09:11:07 carbon nm-openvpn[4971]: Control Channel Authentication: using '/home/myusername/Downloads/certs/ta.key' as a OpenVPN static key file Nov 27 09:11:07 carbon nm-openvpn[4971]: NOTE: chroot will be delayed because of --client, --pull, or --up-delay Nov 27 09:11:07 carbon nm-openvpn[4971]: NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay Nov 27 09:11:07 carbon nm-openvpn[4971]: UDPv4 link local: [undef] Nov 27 09:11:07 carbon nm-openvpn[4971]: UDPv4 link remote: [AF_INET]10.0.28.166:1195 Nov 27 09:11:07 carbon nm-openvpn[4971]: WARNING: this cipher's block size is less than 128 bit (64 bit). Consider using a --cipher with a larger block size. Nov 27 09:11:07 carbon nm-openvpn[4971]: WARNING: this cipher's block size is less than 128 bit (64 bit). Consider using a --cipher with a larger block size. Nov 27 09:11:07 carbon nm-openvpn[4971]: [VPNGate.example.com] Peer Connection Initiated with [AF_INET]10.0.28.166:1195 Nov 27 09:11:10 carbon nm-openvpn[4971]: AUTH: Received control message: AUTH_FAILED Nov 27 09:11:10 carbon nm-openvpn[4971]: SIGUSR1[soft,auth-failure] received, process restarting Nov 27 09:11:10 carbon NetworkManager[1173]: (nm-openvpn-service:4894): nm-openvpn-WARNING **: Password verification failed Nov 27 09:11:12 carbon nm-openvpn[4971]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info. Nov 27 09:11:12 carbon nm-openvpn[4971]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts Nov 27 09:11:12 carbon nm-openvpn[4971]: UDPv4 link local: [undef] Nov 27 09:11:12 carbon nm-openvpn[4971]: UDPv4 link remote: [AF_INET]10.0.28.166:1195 Nov 27 09:11:12 carbon nm-openvpn[4971]: WARNING: this cipher's block size is less than 128 bit (64 bit). Consider using a --cipher with a larger block size. Nov 27 09:11:12 carbon nm-openvpn[4971]: WARNING: this cipher's block size is less than 128 bit (64 bit). Consider using a --cipher with a larger block size. Nov 27 09:11:12 carbon nm-openvpn[4971]: [VPNGate.example.com] Peer Connection Initiated with [AF_INET]10.0.28.166:1195 Nov 27 09:11:15 carbon nm-openvpn[4971]: AUTH: Received control message: AUTH_FAILED Nov 27 09:11:15 carbon nm-openvpn[4971]: SIGUSR1[soft,auth-failure] received, process restarting ... ... [eventually I caught on to what was happening and stopped it] ... ... Nov 27 09:12:00 carbon NetworkManager[1173]: nm-openvpn-Message: openvpn[4971]: send SIGTERM Nov 27 09:12:00 carbon nm-openvpn[4971]: event_wait : Interrupted system call (code=4) Nov 27 09:12:00 carbon nm-openvpn[4971]: SIGTERM[hard,] received, process exiting Nov 27 09:12:00 carbon NetworkManager[1173]: nm-openvpn-Message: openvpn[4971] exited with success (and yes, I know I should fix the cipher and key file permissions) ** Affects: network-manager-openvpn (Ubuntu) Importance: Undecided Status: New -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to network-manager-openvpn in Ubuntu. https://bugs.launchpad.net/bugs/1734735 Title: [xenial] nm-openvpn continuously retries with bad password after receiving AUTH_FAIL locking out my account Status in network-manager-openvpn package in Ubuntu: New Bug description: I have nm-openvpn configured via the network manager gui on Xenial with a saved password. My organization has a password expiration policy of X days. If I forgot to update the saved password for nm- openvpn and try to VPN in, nm-openvpn tries the connection, fails without notice in the UI and retries until I stop it. This ultimately causes my account to get locked out for too many invalid auth attempts. sanitized/censored from syslog: Nov 27 09:11:06 carbon NetworkManager[1173]: nm-openvpn-Message: openvpn[4971] started Nov 27 09:11:06 carbon nm-openvpn[4971]: OpenVPN 2.3.10 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Jun 22 2017 Nov 27 09:11:07 carbon nm-openvpn[4971]: library versions: OpenSSL 1.0.2g 1 Mar 2016, LZO 2.08 Nov 27 09:11:07 carbon nm-openvpn[4971]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info. Nov 27 09:11:07 carbon nm-openvpn[4971]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts Nov 27 09:11:07 carbon nm-openvpn[4971]: WARNING: file '/home/myusername/Downloads/certs/ta.key' is group or others accessible Nov 27 09:11:07 carbon nm-openvpn[4971]: Control Channel Authentication: using '/home/myusername/Downloads/certs/ta.key' as a OpenVPN static key file Nov 27 09:11:07 carbon nm-openvpn[4971]: NOTE: chroot will be delayed because of --client, --pull, or --up-delay Nov 27 09:11:07 carbon nm-openvpn[4971]: NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay Nov 27 09:11:07 carbon nm-openvpn[4971]: UDPv4 link local: [undef] Nov 27 09:11:07 carbon nm-openvpn[4971]: UDPv4 link remote: [AF_INET]10.0.28.166:1195 Nov 27 09:11:07 carbon nm-openvpn[4971]: WARNING: this cipher's block size is less than 128 bit (64 bit). Consider using a --cipher with a larger block size. Nov 27 09:11:07 carbon nm-openvpn[4971]: WARNING: this cipher's block size is less than 128 bit (64 bit). Consider using a --cipher with a larger block size. Nov 27 09:11:07 carbon nm-openvpn[4971]: [VPNGate.example.com] Peer Connection Initiated with [AF_INET]10.0.28.166:1195 Nov 27 09:11:10 carbon nm-openvpn[4971]: AUTH: Received control message: AUTH_FAILED Nov 27 09:11:10 carbon nm-openvpn[4971]: SIGUSR1[soft,auth-failure] received, process restarting Nov 27 09:11:10 carbon NetworkManager[1173]: (nm-openvpn-service:4894): nm-openvpn-WARNING **: Password verification failed Nov 27 09:11:12 carbon nm-openvpn[4971]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info. Nov 27 09:11:12 carbon nm-openvpn[4971]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts Nov 27 09:11:12 carbon nm-openvpn[4971]: UDPv4 link local: [undef] Nov 27 09:11:12 carbon nm-openvpn[4971]: UDPv4 link remote: [AF_INET]10.0.28.166:1195 Nov 27 09:11:12 carbon nm-openvpn[4971]: WARNING: this cipher's block size is less than 128 bit (64 bit). Consider using a --cipher with a larger block size. Nov 27 09:11:12 carbon nm-openvpn[4971]: WARNING: this cipher's block size is less than 128 bit (64 bit). Consider using a --cipher with a larger block size. Nov 27 09:11:12 carbon nm-openvpn[4971]: [VPNGate.example.com] Peer Connection Initiated with [AF_INET]10.0.28.166:1195 Nov 27 09:11:15 carbon nm-openvpn[4971]: AUTH: Received control message: AUTH_FAILED Nov 27 09:11:15 carbon nm-openvpn[4971]: SIGUSR1[soft,auth-failure] received, process restarting ... ... [eventually I caught on to what was happening and stopped it] ... ... Nov 27 09:12:00 carbon NetworkManager[1173]: nm-openvpn-Message: openvpn[4971]: send SIGTERM Nov 27 09:12:00 carbon nm-openvpn[4971]: event_wait : Interrupted system call (code=4) Nov 27 09:12:00 carbon nm-openvpn[4971]: SIGTERM[hard,] received, process exiting Nov 27 09:12:00 carbon NetworkManager[1173]: nm-openvpn-Message: openvpn[4971] exited with success (and yes, I know I should fix the cipher and key file permissions) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/network-manager-openvpn/+bug/1734735/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
