0000411: OpenVPN fails authentication with password containing "$$"

Please see now our new Bugtracker system: JIRA

View Issue Details [ Jump to Notes ]

[ Issue History ] [ Print ]

Project

Category

View Status

Date Submitted

Last Update

0000411

Endian Firewall

Input Validation

public

2008-01-03 22:44

2010-09-21 19:08

Reporter

aarond725

Assigned To

Priority

normal

Severity

minor

Reproducibility

always

Status

acknowledged

Resolution

open

Platform

OS Version

Product Version

2.1.2

Target Version

future

Fixed in Version

Summary

0000411: OpenVPN fails authentication with password containing "$$"

Description

Not sure if this is in the OpenVPN client, the OpenVPN server, or the web interface of Endian Firewall.

I have an Endian Firewall Community release 2.1.2 set up as an OpenVPN server. Using the web interface of the firewall, I create a user "test" with password "test$". I am able to succesfully connect remotely via OpenVPN GUI 1.0.3.

If I change the password to "test$$", I get an AUTH_FAILED message when trying to connect via OpenVPN GUI 1.0.3.

I think the two dollar signs ($$) might be some sort of special character, or perhaps they are getting escaped. There might be other special characters that do not work, but I haven't experimented.

The workaround is not to use "$$" in the password.

Additional Information

Here is the OpenVPN log from my client:

Thu Jan 03 13:52:20 2008 VERIFY OK: depth=1, /C=IT/O=efw/CN=efw_CA
Thu Jan 03 13:52:20 2008 VERIFY OK: depth=0, /C=IT/O=efw/CN=127.0.0.1
Thu Jan 03 13:52:20 2008 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu Jan 03 13:52:20 2008 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Jan 03 13:52:20 2008 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu Jan 03 13:52:20 2008 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Jan 03 13:52:20 2008 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Thu Jan 03 13:52:20 2008 [127.0.0.1] Peer Connection Initiated with 123.123.123.123:1194
Thu Jan 03 13:52:21 2008 SENT CONTROL [127.0.0.1]: 'PUSH_REQUEST' (status=1)
Thu Jan 03 13:52:21 2008 AUTH: Received AUTH_FAILED control message
Thu Jan 03 13:52:21 2008 TCP/UDP: Closing socket
Thu Jan 03 13:52:21 2008 SIGTERM[soft,auth-failure] received, process exiting
Thu Jan 03 13:52:21 2008 OpenVPN 2.0.5 Win32-MinGW [SSL] [LZO] built on Nov 2 2005

Tags

No tags attached.

Attached Files

Relationships

Notes
(0000736) peter-endian (administrator) 2008-01-08 12:13	yes, $ identifies a variable name in perl, so the GUI writes down the password wrongly. there are more special characters which will not work, like @, % I think there is also another issue with openvpn itself with special characters. In 2.2 we disallow these characters. It's a temporary solution..

Issue History
Date Modified	Username	Field	Change
2008-01-03 22:44	aarond725	New Issue
2008-01-03 22:44	aarond725	Status	new => assigned
2008-01-03 22:44	aarond725	Assigned To	=> peter-endian
2008-01-08 12:13	peter-endian	Note Added: 0000736
2009-11-25 17:47	peter-endian	Target Version	=> future
2010-02-04 09:58	peter-endian	Relationship added	related to 0002653
2010-09-21 18:13	peter-endian	Assigned To	peter-endian =>
2010-09-21 18:13	peter-endian	Status	assigned => acknowledged
2010-09-21 19:08	peter-endian	Category	Network related (VPN, uplinks) => Input Validation