For what it's worth, the set of things that I've had to patch on top of the noble version to make this work nicely for my use case are:

-- network-manager-openvpn (against this latest version 1.10.2-4ubuntu0.2)

The following upstream patches from https://gitlab.gnome.org/GNOME/NetworkManager-openvpn/

1. Upstream patches a6da86f^1...322c273^2 - added in upstream version 1.10.4

   a6da86f multiple: improve 2FA challenge support
   cd279d4 Correcting indentation and several typos
   54613d3 all: rename CHALLENGE_RESPONSE -> KEY_CHALLENGE_RESPONSE
   02cbeba all: fix secret flags for challenge-response
   b45ecc1 all: use "x-vpn-challenge(-echo):" hints and "ForceEcho" in dialogs
   b02d63c service: fix challenge-response not being sent to server

   These correspond to PR https://gitlab.gnome.org/GNOME/NetworkManager-openvpn/-/merge_requests/66 which merged branch dc/2fa-challenge-response. Just the first commit is what this Ubuntu update was based on rather than the whole branch.

2. Upstream patch 23b5ba3 - added in upstream version 1.12.0

   23b5ba3 editor: send back the challenge response with the tag

   This corresponds to PR https://gitlab.gnome.org/GNOME/NetworkManager-openvpn/-/merge_requests/78 which merged branch ih/secret_with_tag. This improves behaviour for handling secrets, but also requires a patch to network-manager for the noble version.

3. Upstream patches cc524f0^1..c053b77 - added in upstream version 1.12.1

   cc524f0 service: fix debug message related to challenge reception
   c053b77 service: don't try to reuse invalid or expired challenges

   These correspond to PR https://gitlab.gnome.org/GNOME/NetworkManager-openvpn/-/merge_requests/82 which merged branch fix-otp-challenge and prevents things going into a loop when an invalid MFA code is provided.

-- network-manager (against version 1.46.0-1ubuntu2.6)

4. Upstream patches 0583e1f843^1..18240bb72d - added in upstream version 1.49

   0583e1f843 vpn: handle hint tags in the daemon
   18240bb72d libnmc: don't strip prefix tags from secret names

   These correspond to PR https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/merge_requests/1958 which merged branch ih/secret_hint_tags and fixes the behaviour with the `x-dynamic-challenge` prefix to not save the MFA code in the network configuration.

--

I can't say as to whether there would be any appetite for taking some or all of this back to noble or jammy (I suspect the latter would require more patching to work the same way).

--
https://bugs.launchpad.net/bugs/2076101
Title: [SRU] Gnome openvpn saves authenticator code as password
