diff options
author | Gert Doering <gert@greenie.muc.de> | 2015-07-13 21:10:07 +0200 |
---|---|---|
committer | Gert Doering <gert@greenie.muc.de> | 2015-07-13 21:34:29 +0200 |
commit | b131c7b974d9d4d3f0a6ab3a81719af6f7ab2ad6 (patch) | |
tree | 25060357b596fbec29c1faa8ec3078ce801bb964 | |
parent | 7bde2e1b19e66af22c26c90e1187a4365c9087fc (diff) | |
download | openvpn-b131c7b974d9d4d3f0a6ab3a81719af6f7ab2ad6.tar.gz openvpn-b131c7b974d9d4d3f0a6ab3a81719af6f7ab2ad6.tar.xz openvpn-b131c7b974d9d4d3f0a6ab3a81719af6f7ab2ad6.zip |
Produce a meaningful error message if --daemon gets in the way of asking for passwords.
With the --daemon / SSL init reordering in da9b292733, we fail if we
daemonize first and then try to ask for a private key passphrase (or,
for that matter, username+password if --auth-nocache is set) - but
no meaningful error message was printed, instead depending on operating
system and library versions, either we looped around "ssl init failed"
or died with an unspecified "fatal error".
So: check if get_user_pass_cr() is called in a context that needs
"from_stdin", but both stdin and stderr are not connected to a tty
device (which getpass() needs). In that case, print a meaningful
error message pointing to --askpass, and die.
Trac #574 and #576
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <1436814607-16707-1-git-send-email-gert@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9916
(cherry picked from commit 079e5b9c13bf81d7afc6f932b5417d2f08f8e64b)
-rw-r--r-- | src/openvpn/misc.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/src/openvpn/misc.c b/src/openvpn/misc.c index 8e78117..21e54b4 100644 --- a/src/openvpn/misc.c +++ b/src/openvpn/misc.c @@ -1088,6 +1088,10 @@ get_user_pass_cr (struct user_pass *up, */ else if (from_stdin) { + /* did we --daemon'ize before asking for passwords? */ + if ( !isatty(0) && !isatty(2) ) + { msg(M_FATAL, "neither stdin nor stderr are a tty device, can't ask for %s password. If you used --daemon, you need to use --askpass to make passphrase-protected keys work, and you can not use --auth-nocache.", prefix ); } + #ifdef ENABLE_CLIENT_CR if (auth_challenge && (flags & GET_USER_PASS_DYNAMIC_CHALLENGE)) { |