Inlined credentials: read missing password from management interface

When commit 39619b7fab added support for inlining username only, fallback for password was from console. This is not ideal when graphical UI is in use as there is no console. Instead, query the management interface when possible. This patch just extends a similar fix when username is read from a file and password is missing. As before, any username read from file or inlined is not peserved as we currently have no way of locking the username in the management interface prompt. Change-Id: Ieeb2f980330d485739dbf3d722f107c1dbf704fc Signed-off-by: Selva Nair <selva.nair@gmail.com> Acked-by: Arne Schwabe <arne-openvpn@rfc2549.org> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1599 Message-Id: <20260414055900.17132-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg36608.html Signed-off-by: Gert Doering <gert@greenie.muc.de> (cherry picked from commit 287acce1ac)
2026-05-28 04:03:29 -04:00 · 2026-04-14 07:58:54 +02:00 · 2026-04-14 07:58:54 +02:00 · b450414d10
commit b450414d10
parent 20b4ecd934
1 changed files with 17 additions and 19 deletions
--- a/src/openvpn/misc.c
+++ b/src/openvpn/misc.c
@ -305,24 +305,6 @@ get_user_pass_cr(struct user_pass *up, const char *auth_file, const char *prefix
                {
                    strncpy(up->password, password_buf, USER_PASS_LEN);
                }
-                /* The auth-file does not have the password: get both username
-                 * and password from the management interface if possible.
-                 * Otherwise set to read password from console.
-                 */
-#if defined(ENABLE_MANAGEMENT)
-                else if (management && (flags & GET_USER_PASS_MANAGEMENT)
-                         && management_query_user_pass_enabled(management))
-                {
-                    msg(D_LOW,
-                        "No password found in %s authfile '%s'. Querying the management interface",
-                        prefix, auth_file);
-                    if (!auth_user_pass_mgmt(up, prefix, flags, auth_challenge))
-                    {
-                        fclose(fp);
-                        return false;
-                    }
-                }
-#endif
                else
                {
                    password_from_stdin = 1;
@ -348,7 +330,23 @@ get_user_pass_cr(struct user_pass *up, const char *auth_file, const char *prefix
        if (username_from_stdin || password_from_stdin || response_from_stdin)
        {
 #ifdef ENABLE_MANAGEMENT
-            if (auth_challenge && (flags & GET_USER_PASS_DYNAMIC_CHALLENGE) && response_from_stdin)
+            /* If management-query-passwords is true, we could be here because
+             * of no password present in auth-file or inline. In that case
+             * query via the management interface instead of stdin/console.
+             */
+            if (management && (flags & GET_USER_PASS_MANAGEMENT)
+                && management_query_user_pass_enabled(management)
+                && !(flags & GET_USER_PASS_USERNAME_ONLY))
+            {
+                msg(D_LOW,
+                    "No '%s' password found in authfile or inline. Querying the management interface",
+                    prefix);
+                if (!auth_user_pass_mgmt(up, prefix, flags, auth_challenge))
+                {
+                    return false;
+                }
+            }
+            else if (auth_challenge && (flags & GET_USER_PASS_DYNAMIC_CHALLENGE) && response_from_stdin)
            {
                struct auth_challenge_info *ac = parse_auth_challenge(auth_challenge, &gc);
                if (ac)