Public bug reported: Regression caused by SRU for: https://bugs.launchpad.net/ubuntu/+source/network-manager- openvpn/+bug/2076101
Regression report (https://bugs.launchpad.net/ubuntu/+source/network-manager-openvpn/+bug/2076101/comments/20): Hi all! noble-updates user here, and this has inadvertently broken my MFA login where the server responds with a challenge response with 'echo' flag set. The patch now calls `keyfile_add_entry_info` with `is_secret` set to `!need_challengeresponse_echo` which in turn returns `IsSecret=false` to the Network Manager UI (which in my case is nmcli, but it would be the same with the GUI). However, thanks to https://github.com/NetworkManager/NetworkManager/blob/main/src/libnmc- base/nm-secret-agent-simple.c#L628 this means that this is completely ignored as if `ShouldAsk` was set to false. The client re-attempts login and gets stuck in a loop until NM times out starting the connection. I appreciate you'll probably want me to file a new bug report, but I can see one of options for this: 1. A bug to replace `!need_challengeresponse_echo` with TRUE in this patch. 2. A bug that we need some or all of the upstream https://github.com/NetworkManager/NetworkManager-openvpn/commit/b45ecc167247b8357c7c40c74cc5d1c85d8f4886 patch applied which ensures this is always asked for. 3. Something else? Separately, it's a pity this didn't also include https://github.com/NetworkManager/NetworkManager- openvpn/commit/cd279d4975a40103fb3c1e8f9df8b49711c08e6d to fix the typos in that initial commit. This will affect users who later upgrade since they'll have the incorrect entry 'challenage-response' stored against the netplan config for this connection, and this will give the error `connect: failed to connect interactively: 'GDBus.Error:org.freedesktop.NetworkManager.VPN.Error.BadArguments: property “challenage-response” is invalid or not supported'` More details in https://bugs.launchpad.net/ubuntu/+source/network- manager-openvpn/+bug/2076101/comments/22 ** Affects: network-manager-openvpn (Ubuntu) Importance: Critical Status: Triaged ** Affects: network-manager-openvpn (Ubuntu Jammy) Importance: Critical Status: Triaged ** Affects: network-manager-openvpn (Ubuntu Noble) Importance: Critical Status: Triaged ** Tags: regression-update ** Description changed: Regression caused by SRU for: https://bugs.launchpad.net/ubuntu/+source/network-manager- openvpn/+bug/2076101 + + Regression report (https://bugs.launchpad.net/ubuntu/+source/network-manager-openvpn/+bug/2076101/comments/20): + Hi all! noble-updates user here, and this has inadvertently broken my MFA login where the server responds with a challenge response with 'echo' flag set. + + The patch now calls `keyfile_add_entry_info` with `is_secret` set to + `!need_challengeresponse_echo` which in turn returns `IsSecret=false` to + the Network Manager UI (which in my case is nmcli, but it would be the + same with the GUI). + + However, thanks to + https://github.com/NetworkManager/NetworkManager/blob/main/src/libnmc- + base/nm-secret-agent-simple.c#L628 this means that this is completely + ignored as if `ShouldAsk` was set to false. The client re-attempts login + and gets stuck in a loop until NM times out starting the connection. + + I appreciate you'll probably want me to file a new bug report, but I can see one of options for this: + 1. A bug to replace `!need_challengeresponse_echo` with TRUE in this patch. + 2. A bug that we need some or all of the upstream https://github.com/NetworkManager/NetworkManager-openvpn/commit/b45ecc167247b8357c7c40c74cc5d1c85d8f4886 patch applied which ensures this is always asked for. + 3. Something else? + + Separately, it's a pity this didn't also include + https://github.com/NetworkManager/NetworkManager- + openvpn/commit/cd279d4975a40103fb3c1e8f9df8b49711c08e6d to fix the typos + in that initial commit. This will affect users who later upgrade since + they'll have the incorrect entry 'challenage-response' stored against + the netplan config for this connection, and this will give the error + `connect: failed to connect interactively: + 'GDBus.Error:org.freedesktop.NetworkManager.VPN.Error.BadArguments: + property “challenage-response” is invalid or not supported'` + + More details in https://bugs.launchpad.net/ubuntu/+source/network- + manager-openvpn/+bug/2076101/comments/22 ** Changed in: network-manager-openvpn (Ubuntu) Status: New => Triaged ** Changed in: network-manager-openvpn (Ubuntu) Importance: Undecided => Critical ** Also affects: network-manager-openvpn (Ubuntu Noble) Importance: Undecided Status: New ** Also affects: network-manager-openvpn (Ubuntu Jammy) Importance: Undecided Status: New ** Changed in: network-manager-openvpn (Ubuntu Jammy) Status: New => Triaged ** Changed in: network-manager-openvpn (Ubuntu Noble) Status: New => Triaged ** Changed in: network-manager-openvpn (Ubuntu Jammy) Importance: Undecided => Critical ** Changed in: network-manager-openvpn (Ubuntu Noble) Importance: Undecided => Critical -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2143861 Title: 1.10.2-4ubuntu0.1 regresses MFA in some cases To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/network-manager-openvpn/+bug/2143861/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
