blank password in default config #507
Comments
This is an intended change (although it is admittedly not a very lucky one) in order to support login with a smartcard or user certificate only.

We should comment out the line in the template to avoid this problem in the future. The template is copied to the default config location if that file doesn't exist during installation.

A fix for this has landed on the master branch now. I would leave this ticket open until the next release, just to have it visible for other users who upgrade to the 1.11.0 release and run into the same problem.

I still contend that the debug output could be clearer about where the parameters are taken from. I'll propose a PR if I find the time.

Additional information in the debug output usually helps in understanding problems. In this context, however, I don't really see the need anymore. In version 1.8.0 issue #258 was solved via #346. Since then, the general rule is that openfortivpn has built-in default values for almost all parameters. In many cases it is sufficient to define the host to connect to and the username. The SSL port 443 is assumed by default and the password is asked for interactively if it is not specified in any way.

At configure time the location of the default config file is determined depending on the installation prefix or the sysconfdir. Values in the config file are taken (unless the lines are commented out) and they have priority over the built-in default values. If a config file is supplied on the command line, that config file is used instead of the default config. Other parameters on the command line have priority over the ones in the config file. For the values there are some checks which lead to an error if insane values are supplied, e.g. an empty host name or values that are outside of the acceptable range for the particular parameter.

These are the general rules. After they are applied, a configuration is available in memory, which consists of all parameters known to openfortivpn and, depending on where they are specified (default value, config file, command line), the one with the higher priority is applied. Now we have a fixed configuration, but to understand the behavior it is important to know that for some parameters there are special rules for special values. If the username and the password are empty, we must have a user certificate or a smartcard (#464) to authenticate the user. If the password is not specified anywhere, the user is asked for one interactively. If there is a line for the password, but no value assigned, it is assumed that the password is empty and it shall not be sent together with the certificate (#375). If there is a user certificate, a username but no line for the password, it is still assumed that a password is required in addition to the certificate (that's how I run my Fortigate). There are other parameters which may have special values with a special meaning, like persistent=0 or user-cert=pkcs11: but that's pretty much it and they are documented in the man page.

Anyhow, we could add some debugging output in the merge_config() function that might help to spot issues when a value is changed in an unexpected way, or maybe add a function to dump the full config that is used after the call of merge_config() in main().

I agree with most of what you wrote, but I think the verbose log could mention whether a parameter has been picked up from the config or from the CLI (I admit this is maybe not very important, but we're talking about a verbose log) and, more importantly, that a password has been picked up at all, be it from the config or from the CLI, as it actually happens for the other parameters.

Fix for the debug output is merged on master.

Terrific work. Thank you!

Not sure I understand the PR in main.c at line 490-492. It logs "Disabled password due to empty entry in config file" but it does not actually get disabled; at least the program still fails to ask for a password interactively if there is a blank password in the config file.

If an empty password is in the config file, openfortivpn does not ask for a password later in main() (the password is not NULL anymore, it's the empty string) and it does not use it when attempting to make a connection in auth_log_in.

Fixed in openfortivpn 1.12.0.
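The precedence chain described earlier in this thread (built-in defaults, then the config file, then command-line options) and the three-way distinction just discussed (no password line anywhere means prompt, a password line with an empty value means "certificate only, send nothing", a non-empty value means send it) are the kind of rules a reader may want to see modelled concretely. The following C program is an added example written for this page; it is not openfortivpn's code. The struct and function names (`struct cfg`, `cfg_load_text`, `cfg_apply_cli`, `cfg_password_action`, the `PW_*` enum), the `--key=value` option syntax and the in-memory config text are all constructed for the illustration; the real program parses its own option names and handles many more parameters.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of the merge rules: defaults < config file < command line.
 * has_password distinguishes "never specified" (prompt) from "specified,
 * possibly empty" (an empty value disables the password, certificate only). */
struct cfg {
    char host[128];
    int  port;
    char username[64];
    char password[64];
    int  has_password;   /* 0 = no password line anywhere, 1 = a line was seen */
};

enum pw_action { PW_PROMPT, PW_SEND, PW_DISABLED };

/* Step 1: built-in defaults. */
void cfg_defaults(struct cfg *c)
{
    memset(c, 0, sizeof *c);
    c->port = 443;
}

/* Strip leading/trailing whitespace in place. */
static void trim(char *s)
{
    size_t n = strlen(s);
    while (n > 0 && strchr(" \t\r\n", s[n - 1]))
        s[--n] = '\0';
    size_t i = 0;
    while (s[i] == ' ' || s[i] == '\t')
        i++;
    if (i)
        memmove(s, s + i, n - i + 1);
}

/* Apply one key/value assignment; returns 0, or -1 for an insane value. */
int cfg_set(struct cfg *c, const char *key, const char *value)
{
    if (strcmp(key, "host") == 0) {
        if (*value == '\0')
            return -1;                         /* empty host name is rejected */
        snprintf(c->host, sizeof c->host, "%s", value);
    } else if (strcmp(key, "port") == 0) {
        int p = atoi(value);
        if (p < 1 || p > 65535)
            return -1;                         /* outside the acceptable range */
        c->port = p;
    } else if (strcmp(key, "username") == 0) {
        snprintf(c->username, sizeof c->username, "%s", value);
    } else if (strcmp(key, "password") == 0) {
        /* An explicitly empty value is recorded, not treated as "unset". */
        snprintf(c->password, sizeof c->password, "%s", value);
        c->has_password = 1;
    } else {
        return -1;                             /* unknown key */
    }
    return 0;
}

/* Step 2: "key = value" lines from config text held in memory (constructed
 * stand-in for a file such as /etc/openfortivpn/config).  Lines starting
 * with '#' are skipped and therefore keep the built-in default.
 * Returns the number of rejected lines. */
int cfg_load_text(struct cfg *c, const char *text)
{
    char line[256];
    const char *p = text;
    int errors = 0;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t full = nl ? (size_t)(nl - p) : strlen(p);
        size_t len = full < sizeof line ? full : sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        p += full + (nl ? 1 : 0);
        trim(line);
        if (line[0] == '\0' || line[0] == '#')
            continue;
        char *eq = strchr(line, '=');
        if (!eq) { errors++; continue; }
        *eq = '\0';
        char *key = line, *val = eq + 1;
        trim(key);
        trim(val);
        if (cfg_set(c, key, val) != 0)
            errors++;
    }
    return errors;
}

/* Step 3: "--key=value" options override whatever the file set. */
int cfg_apply_cli(struct cfg *c, int argc, char **argv)
{
    int errors = 0;
    for (int i = 0; i < argc; i++) {
        if (strncmp(argv[i], "--", 2) != 0) { errors++; continue; }
        char opt[256];
        snprintf(opt, sizeof opt, "%s", argv[i] + 2);
        char *eq = strchr(opt, '=');
        const char *val = "";
        if (eq) { *eq = '\0'; val = eq + 1; }
        if (cfg_set(c, opt, val) != 0)
            errors++;
    }
    return errors;
}

/* The special rule this issue is about, applied to the merged config. */
enum pw_action cfg_password_action(const struct cfg *c)
{
    if (!c->has_password)
        return PW_PROMPT;          /* no line anywhere: ask interactively */
    if (c->password[0] == '\0')
        return PW_DISABLED;        /* "password =": certificate/smartcard only */
    return PW_SEND;
}

int main(void)
{
    static const char *names[] = { "prompt", "send", "disabled" };
    struct cfg c;
    cfg_defaults(&c);
    cfg_load_text(&c, "host = vpn.example.test\nusername = alice\npassword =\n");
    printf("blank password line -> %s\n", names[cfg_password_action(&c)]);
    cfg_defaults(&c);
    cfg_load_text(&c, "host = vpn.example.test\n# password =\n");
    printf("commented-out line  -> %s\n", names[cfg_password_action(&c)]);
    return 0;
}
```

Running it shows the behaviour reported in this issue: the blank `password =` line yields `disabled`, so nothing prompts, while the commented-out line from the fixed template yields `prompt`.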
Hi,
I have 1.6.0 in my Ubuntu system, coming from the package manager. It features a default config file /etc/openfortivpn/config, with null values. I just compiled 1.11.0 from git and tried running it before installing.
I found out that the blank password in the default configuration file will cause openfortivpn not to ask for a password at the CLI and my connections to fail just as if I provided a wrong password.
I don't know if this is by design. With the same default config, 1.6.0 prompts for the password.
Having a default config with blank values is probably not the best of ideas (I see in the repo there is a file named /etc/openfortivpn/config.template, probably that's what gets installed in the current release), but I think that the current behaviour is at least somewhat misleading. At the very least, the verbose debug output should hint at the fact that a password is being picked up from the config file. I don't think it does now.
Better still, the log could show more clearly what is being taken from the config file and what is being picked up/overridden from the CLI parameters.