Sorry for the delay ...
On Thursday 25 of February 2010 02:52:23 Dan Williams wrote:
> On Sat, 2010-02-20 at 20:59 +0300, Andrey Borzenkov wrote:
> > vpnc plugin expects return code 2 from vpnc to indicate failed
> > authentication:
> >
> >     case 2:
> >         /* Couldn't log in due to bad user/pass */
> >         nm_vpn_plugin_failure (NM_VPN_PLUGIN (plugin),
> >                                NM_VPN_PLUGIN_FAILURE_LOGIN_FAILED);
> >         break;
> >
> > At least in my testing I could not trigger it - whatever I did I
> > always got exit code 1, which is interpreted as generic connection
> > failure.
> >
> > Just curious, is something wrong with my vpnc version or something
> > has changed since code was originally written? Using vpnc 0.5.3.
>
> Looks like it still should be the case; error() in vpnc eventually
> calls exit() with the first number. So:
>
> if (opt_auth_mode == AUTH_MODE_PSK) {
>     if (memcmp(expected_hash, hash->u.hash.data, s->ike.md_len) != 0)
>         error(2, 0, "hash comparison failed: %s(%d)\ncheck group password!",
>               val_to_string(ISAKMP_N_AUTHENTICATION_FAILED, isakmp_notify_enum_array),
>               ISAKMP_N_AUTHENTICATION_FAILED);
>
> or
>
> if (passwd_used && config[CONFIG_NON_INTERACTIVE]) {
>     reject = ISAKMP_N_AUTHENTICATION_FAILED;
>     phase2_fatal(s, "noninteractive can't reuse password", reject);
>     error(2, 0, "authentication failed (requires interactive mode)");
>
Yes, it fails in this branch. phase2_fatal() exits with error code 1, so
the second line is never reached. As I understand it, the first one is for
phase1, which is using the group password (static in my case); the second one
is for phase2, which is using a one-time dynamic password.

phase2_fatal seems to be needed to notify the peer about connection tear
down. Unfortunately it does error(1,...) as well ...
Added vpnc-devel.
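
The control flow described in this message, as an added example that is not part of the thread and is not vpnc or NetworkManager code: a helper that exits on its own fixes the process exit status before the caller's error(2, ...) can run, so the parent never sees 2. fatal(), notify_and_die(), notify_only(), exit_status_of() and plugin_verdict() are hypothetical stand-ins; only the two message strings come from the quoted snippet.

```c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/wait.h>

/* Stand-in for an error() that reports and exits with `status`. */
static void fatal(int status, const char *msg)
{
    fprintf(stderr, "%s\n", msg);
    exit(status);
}

/* Hypothetical stand-ins: a phase2_fatal()-like helper that exits 1,
 * and a variant that only sends the notice and returns to the caller. */
static void notify_and_die(const char *msg) { fatal(1, msg); }
static void notify_only(const char *msg) { fprintf(stderr, "notify: %s\n", msg); }

/* Order described in the thread: the helper exits, so exit(2) is dead code. */
static void auth_fail_as_described(void)
{
    notify_and_die("noninteractive can't reuse password");
    fatal(2, "authentication failed (requires interactive mode)");
}

/* Same path with the notice and the exit status separated. */
static void auth_fail_separated(void)
{
    notify_only("noninteractive can't reuse password");
    fatal(2, "authentication failed (requires interactive mode)");
}

/* Run fn in a child and return the exit status its parent observes. */
int exit_status_of(void (*fn)(void))
{
    int st = 0;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { fn(); _exit(0); }
    if (waitpid(pid, &st, 0) < 0 || !WIFEXITED(st)) return -1;
    return WEXITSTATUS(st);
}

/* The parent's reading of that status: only 2 means bad credentials. */
const char *plugin_verdict(int s) { return s == 2 ? "login failed" : "generic connection failure"; }

int main(void)
{
    int a = exit_status_of(auth_fail_as_described), b = exit_status_of(auth_fail_separated);
    printf("as described: exit %d -> %s\nseparated: exit %d -> %s\n",
           a, plugin_verdict(a), b, plugin_verdict(b));
    return 0;
}
```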