Re: vpnc does not indicate failed authentication



Sorry for the delay ...

On Thursday 25 of February 2010 02:52:23 Dan Williams wrote:
> On Sat, 2010-02-20 at 20:59 +0300, Andrey Borzenkov wrote:
> > vpnc plugin expects return code 2 from vpnc to indicate failed
> > authentication:
> > 
> >         case 2:
> >                 /* Couldn't log in due to bad user/pass */
> >                 nm_vpn_plugin_failure (NM_VPN_PLUGIN (plugin),
> >                                        NM_VPN_PLUGIN_FAILURE_LOGIN_FAILED);
> >                 break;
> > 
> > At least in my testing I could not trigger it - whatever I did I
> > always got exit code 1, which is interpreted as generic connection
> > failure.
> > 
> > Just curious, is something wrong with my vpnc version or something
> > has changed since code was originally written? Using vpnc 0.5.3.
> 
> Looks like it still should be the case; error() in vpnc eventually
> calls exit() with the first number.  So:
> 
> 	if (opt_auth_mode == AUTH_MODE_PSK) {
> 		if (memcmp(expected_hash, hash->u.hash.data, s->ike.md_len) != 0)
> 			error(2, 0, "hash comparison failed: %s(%d)\ncheck group password!",
> 				val_to_string(ISAKMP_N_AUTHENTICATION_FAILED, isakmp_notify_enum_array),
> 				ISAKMP_N_AUTHENTICATION_FAILED);
> 
> or
> 
> 	if (passwd_used && config[CONFIG_NON_INTERACTIVE]) {
> 		reject = ISAKMP_N_AUTHENTICATION_FAILED;
> 		phase2_fatal(s, "noninteractive can't reuse password", reject);
> 		error(2, 0, "authentication failed (requires interactive mode)");
> 

Yes, it fails in this branch. phase2_fatal() exits with error code 1, so 
the second line is never reached. As I understand, the first one is for 
phase1, which is using the group password (static in my case); the second one 
is for phase2, which is using a one-time dynamic password.

phase2_fatal seems to be needed to notify the peer about connection 
teardown. Unfortunately it also does error(1,...) as well ...

Added vpnc-devel.

Attachment: signature.asc
Description: This is a digitally signed message part.
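
The exit-code masking described in the message above, as an added example that is not part of the original thread and is not vpnc or NetworkManager code. The helpers `notify_and_exit()` and `notify_only()` are hypothetical stand-ins for phase2_fatal(), `classify()` is a simplified model of the quoted plugin switch, and the restructured variant is an assumption, not a fix proposed in the thread.

```c
#include <stdio.h>
#include <unistd.h>
#include <sys/wait.h>

/* Hypothetical stand-in for phase2_fatal(): notifies the peer, then exits 1. */
static void notify_and_exit(const char *msg) {
    fprintf(stderr, "notify peer: %s\n", msg);
    _exit(1);
}

/* Assumed alternative: notify only, so the caller picks the exit code. */
static void notify_only(const char *msg) {
    fprintf(stderr, "notify peer: %s\n", msg);
}

/* Same call order as the quoted phase 2 branch. */
static void auth_fail_as_quoted(void) {
    notify_and_exit("noninteractive can't reuse password");
    _exit(2); /* never reached: the helper already exited with 1 */
}

static void auth_fail_restructured(void) {
    notify_only("noninteractive can't reuse password");
    _exit(2); /* reached: authentication failure is reported as 2 */
}

/* Run fn in a child process and return the exit code a supervisor would see. */
static int child_exit_code(void (*fn)(void)) {
    int status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { fn(); _exit(0); }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}

/* Simplified mapping modelled on the quoted switch: only 2 means bad login. */
static const char *classify(int code) {
    if (code == 0) return "ok";
    return code == 2 ? "login failed" : "generic connection failure";
}

int main(void) {
    int a = child_exit_code(auth_fail_as_quoted);
    int b = child_exit_code(auth_fail_restructured);
    printf("as quoted:    exit %d -> %s\n", a, classify(a));
    printf("restructured: exit %d -> %s\n", b, classify(b));
    return 0;
}
```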


