Openvpn, network manager and resolv.conf

Erwan David

Jun 17, 2013, 12:00:03 PM
I have an openvpn setting which sets the DNS on the client through the VPN.

I am on holiday, going from hotel to hotel, and I see that resolv.conf
stays the same, i.e. the one networkmanager writes from the hotel DHCP.

Network manager does *not* manage the openvpn connection due to a broken
conception which leads to a security threat (it does not use the whole
client configuration, thus letting IPv6 communication in clear).

What is the best way to get 1) an easy way to set up wifi (in each
hotel...) and 2) a really secure VPN setting with DNS also managed by
the VPN?


--
To UNSUBSCRIBE, email to debian-us...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listm...@lists.debian.org
Archive: http://lists.debian.org/51BF323B...@rail.eu.org

Sean Alexandre

Jun 17, 2013, 12:30:02 PM
On Mon, Jun 17, 2013 at 08:58:51AM -0700, Erwan David wrote:
> I am on holiday, going from hotel to hotel, and I see that
> resolv.conf stays the same, i.e. the one networkmanager writes from
> the hotel DHCP.

It sounds like you may not have the resolvconf package installed.


--
Archive: http://lists.debian.org/20130617162546.GA5716@tuzo

Chris Capon

Jun 17, 2013, 12:50:02 PM
Hi all.

Since upgrading to Debian Stable (Wheezy), the Gnome desktop has a popup
which occurs at least once a day asking for authentication. The exact
message is:

Authentication is required to update packages

It always pops up twice in a row whether I type in a password or just
cancel the dialog. I've uninstalled the gnome update manager but this
still shows up.

Does anyone know what might be causing this or how to get rid of it?

Thanks.


--
Archive: http://lists.debian.org/51BF3D44...@gmail.com

green

Jun 17, 2013, 1:30:03 PM
Chris Capon wrote at 2013-06-17 11:45 -0500:
> Since upgrading to Debian Stable (Wheezy), the Gnome desktop has a
> popup which occurs at least once a day asking for authentication.
> The exact message is:
>
> Authentication is required to update packages
>
> It always pops up twice in a row whether I type in a password or
> just cancel the dialog. I've uninstalled the gnome update manager
> but this still shows up.
>
> Does anyone know what might be causing this or how to get rid of it?

Check for any PackageKit packages that are installed. But I have had
some trouble like this too (I think the message is the same, it is on
a system that I do not use personally) and do not see any PackageKit
packages installed. Let me know what you find.


It would be better to start a new thread with a new message to the
list rather than replying to another. I chose to not follow the
"Openvpn, network manager and resolv.conf" thread and your message
consequently did not appear in my inbox. This is called
thread-killing or -muting and is possible with many email clients due
to the Message-Id and References headers. More information here:
<http://content.reviveyourinbox.com/16-how-to-mute-a-thread-conversation-outlook-gmail-thunderbird.html>

Chris Capon

Jun 17, 2013, 2:50:02 PM
Thanks for letting me know about the message headers. I wasn't aware
they were there.

PackageKit is installed on my system. When I try to remove
gnome-packagekit-data, though, the dependencies also want to remove
gnome, gnome-core and gnome-desktop-environment. Maybe there is a way
to disable it instead?
--
Archive: http://lists.debian.org/51BF5853...@gmail.com

Bob Proulx

Jun 17, 2013, 6:00:01 PM
Chris Capon wrote:
> >>Since upgrading to Debian Stable (Wheezy), the Gnome desktop has a
> >>popup which occurs at least once a day asking for authentication.
> >>The exact message is:
> >>
> >> Authentication is required to update packages

This sounds like Bug#708548. This thread on debian-devel is
concerning this problem.

http://lists.debian.org/debian-devel/2013/06/msg00341.html

No resolution yet. But it is a big problem because it is training
people to fall prey to phishing attacks.

Bob


--
Archive: http://lists.debian.org/20130617215...@hysteria.proulx.com

Erwan David

Jun 17, 2013, 8:50:01 PM
On 17/06/2013 09:25, Sean Alexandre wrote:
> On Mon, Jun 17, 2013 at 08:58:51AM -0700, Erwan David wrote:
>> I am on holiday, going from hotel to hotel, and I see that
>> resolv.conf stays the same, i.e. the one networkmanager writes from
>> the hotel DHCP.
> It sounds like you may not have the resolvconf package installed.
>
>

I have...

And I see in my resolv.conf

# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 8.8.8.8
search key.chillispot.info

And in /var/log/daemon.log

Jun 17 17:35:27 bibi ovpn-dedibox[4076]: PUSH: Received control message:
'PUSH_REPLY,ifconfig-ipv6 2a01:e0b:2070:1::1001/64
2a01:e0b:2070:1::1,tun-ipv6,route-ipv6 2000::/3
2a01:0e0b:2070:1::1,redirect-gateway def1 bypass-dhcp,dhcp-option DNS
10.8.0.1,dhcp-option DOMAIN rail.eu.org,tun-ipv6,route 10.8.0.1,topology
net30,ping 10,ping-restart 120,ifconfig 10.8.0.10 10.8.0.9'

which shows that the openvpn server pushed the DNS


--
Archive: http://lists.debian.org/51BFACEB...@rail.eu.org

Sean Alexandre

Jun 17, 2013, 10:50:02 PM
On Mon, Jun 17, 2013 at 05:42:19PM -0700, Erwan David wrote:
> On 17/06/2013 09:25, Sean Alexandre wrote:
> >It sounds like you may not have the resolvconf package installed.
>
> I have...
>
> And I see in my resolv.conf
>
> # Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
> # DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
> nameserver 8.8.8.8
> search key.chillispot.info
>
> And in /var/log/daemon.log
>
> Jun 17 17:35:27 bibi ovpn-dedibox[4076]: PUSH: Received control
> message: 'PUSH_REPLY,ifconfig-ipv6 2a01:e0b:2070:1::1001/64
> 2a01:e0b:2070:1::1,tun-ipv6,route-ipv6 2000::/3
> 2a01:0e0b:2070:1::1,redirect-gateway def1 bypass-dhcp,dhcp-option
> DNS 10.8.0.1,dhcp-option DOMAIN rail.eu.org,tun-ipv6,route
> 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.10
> 10.8.0.9'
>
> which shows that the openvpn server pushed the DNS

Your openvpn config file may be missing these two lines:

up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf

You should be seeing a log file entry like this, that shows resolv.conf has been updated:

Sun June 16 08:18:10 2013 us=8295 /etc/openvpn/update-resolv-conf tun0 1500 1562 10.0.122.114 10.0.122.113 init


--
Archive: http://lists.debian.org/20130618024004.GA10498@tuzo
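
An added example, not part of any poster's message: a Python check for the symptom diagnosed above, comparing the dhcp-option values in the PUSH_REPLY log entry with what resolv.conf actually contains. The function names are hypothetical; the sample data is copied from the thread, with the log entry joined onto one line.

```python
import re

# Sample data from the thread; the wrapped log entry is re-joined onto one line.
SAMPLE_LOG = (
    "Jun 17 17:35:27 bibi ovpn-dedibox[4076]: PUSH: Received control message: 'PUSH_REPLY,"
    "ifconfig-ipv6 2a01:e0b:2070:1::1001/64 2a01:e0b:2070:1::1,tun-ipv6,route-ipv6 2000::/3 "
    "2a01:0e0b:2070:1::1,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 10.8.0.1,dhcp-option "
    "DOMAIN rail.eu.org,tun-ipv6,route 10.8.0.1,topology net30,ping 10,ping-restart 120,"
    "ifconfig 10.8.0.10 10.8.0.9'"
)
SAMPLE_RESOLV = "nameserver 8.8.8.8\nsearch key.chillispot.info\n"


def pushed_options(log_text):
    """Return {'DNS': [...], 'DOMAIN': [...]} from the last PUSH_REPLY in the log."""
    pushed = {"DNS": [], "DOMAIN": []}
    replies = re.findall(r"'PUSH_REPLY,([^']*)'", log_text)
    for opt in (replies[-1].split(",") if replies else []):
        words = opt.split()
        if len(words) == 3 and words[0] == "dhcp-option" and words[1] in pushed:
            pushed[words[1]].append(words[2])
    return pushed


def resolv_entries(resolv_text):
    """Return {'nameserver': [...], 'search': [...]} from resolv.conf content."""
    found = {"nameserver": [], "search": []}
    for line in resolv_text.splitlines():
        words = line.split("#", 1)[0].split()  # drop comments
        if len(words) >= 2 and words[0] in found:
            found[words[0]].extend(words[1:])
    return found


def dns_findings(log_text, resolv_text):
    """List mismatches between what the VPN pushed and what the resolver uses."""
    pushed, conf = pushed_options(log_text), resolv_entries(resolv_text)
    findings = [f"pushed DNS {ip} missing from resolv.conf"
                for ip in pushed["DNS"] if ip not in conf["nameserver"]]
    if pushed["DNS"]:  # only judge existing servers when the VPN pushed some
        findings += [f"resolver still lists non-VPN server {ip}"
                     for ip in conf["nameserver"] if ip not in pushed["DNS"]]
    findings += [f"pushed domain {dom} missing from search list"
                 for dom in pushed["DOMAIN"] if dom not in conf["search"]]
    return findings


if __name__ == "__main__":
    print("\n".join(dns_findings(SAMPLE_LOG, SAMPLE_RESOLV)) or "resolv.conf matches the push")
```

An empty result means every pushed server and domain is present and no other nameserver remains, which is the state the up/down script is meant to produce.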

Erwan David

Jun 17, 2013, 11:40:01 PM
On 17/06/2013 19:40, Sean Alexandre wrote:
> On Mon, Jun 17, 2013 at 05:42:19PM -0700, Erwan David wrote:
>> On 17/06/2013 09:25, Sean Alexandre wrote:
>>> It sounds like you may not have the resolvconf package installed.
>> I have...
>>
>> And I see in my resolv.conf
>>
>> # Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
>> # DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
>> nameserver 8.8.8.8
>> search key.chillispot.info
>>
>> And in /var/log/daemon.log
>>
>> Jun 17 17:35:27 bibi ovpn-dedibox[4076]: PUSH: Received control
>> message: 'PUSH_REPLY,ifconfig-ipv6 2a01:e0b:2070:1::1001/64
>> 2a01:e0b:2070:1::1,tun-ipv6,route-ipv6 2000::/3
>> 2a01:0e0b:2070:1::1,redirect-gateway def1 bypass-dhcp,dhcp-option
>> DNS 10.8.0.1,dhcp-option DOMAIN rail.eu.org,tun-ipv6,route
>> 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.10
>> 10.8.0.9'
>>
>> which shows that the openvpn server pushed the DNS
> Your openvpn config file may be missing these two lines:
>
> up /etc/openvpn/update-resolv-conf
> down /etc/openvpn/update-resolv-conf
>
> You should be seeing a log file entry like this, that shows resolv.conf has been updated:
>
> Sun June 16 08:18:10 2013 us=8295 /etc/openvpn/update-resolv-conf tun0 1500 1562 10.0.122.114 10.0.122.113 init
>
>
That would make the config file on client not only Linux but even
Debian specific. And good security dictates that such decision should be
forced by server.
I remember it once worked this way...


--
Archive: http://lists.debian.org/51BFD49D...@rail.eu.org

Sean Alexandre

Jun 17, 2013, 11:50:02 PM
On Mon, Jun 17, 2013 at 08:31:41PM -0700, Erwan David wrote:
> On 17/06/2013 19:40, Sean Alexandre wrote:
> >Your openvpn config file may be missing these two lines:
> >
> >up /etc/openvpn/update-resolv-conf
> >down /etc/openvpn/update-resolv-conf
> >
> >You should be seeing a log file entry like this, that shows resolv.conf has been updated:
> >
> >Sun June 16 08:18:10 2013 us=8295 /etc/openvpn/update-resolv-conf tun0 1500 1562 10.0.122.114 10.0.122.113 init
> >
> >
> That would make the config file on client not only Linux but even
> Debian specific. And good security dictates that such decision
> should be forced by server.
> I remember it once worked this way...

I see your point. I don't know if there's a way to do that -- to configure the OpenVPN
server to update resolv.conf for all clients without the clients needing to configure
anything.


--
Archive: http://lists.debian.org/20130618034814.GA11868@tuzo

Chris Capon

Jun 21, 2013, 11:10:03 AM
On 2013-06-17 17:51, Bob Proulx wrote:
> Chris Capon wrote:
>>>> Since upgrading to Debian Stable (Wheezy), the Gnome desktop has a
>>>> popup which occurs at least once a day asking for authentication.
>>>> The exact message is:
>>>>
>>>> Authentication is required to update packages
> This sounds like Bug#708548. This thread on debian-devel is
> concerning this problem.
>
> http://lists.debian.org/debian-devel/2013/06/msg00341.html
>
> No resolution yet. But it is a big problem because it is training
> people to fall prey to phishing attacks.
>
> Bob
>
>
I agree with the bug report. When a user initiates an action (like
launching Synaptic) having a security prompt request credentials is fine
because it's intuitive. For system-generated actions which just show up
at arbitrary times, there should be a clear way of letting the user know
which software package is making the request. Otherwise, the security is
pointless because the user is simply going to have to guess one way or
the other in the end.

For those with the same problem, I found a solution:

- From the Gnome desktop, go to Activities, Applications, System Tools.
- Launch the icon called "Software Settings".
- Select the "Update Settings" tab.
- Set the "Check for updates" setting to "Never".
- Set the "Automatically install" setting to "Nothing".

Each of the two settings seems to work independently from the other, so
they were both responsible for one security prompt each. Be aware, this
will disable some sort of software update checking by Gnome. The Gnome
update process may possibly be using the PackageKit and PolicyKit
infrastructure, and is also different from "update-manager" (which
doesn't do these security prompts). Very confusing. Personally, I use
a shell script which calls apt-get to keep things simple.

Anyway, thanks to all who helped point me in the right direction.
Cheers.


--
Archive: http://lists.debian.org/51C46C5C...@gmail.com

Michael Biebl

Jun 21, 2013, 5:10:01 PM
On 17.06.2013 18:45, Chris Capon wrote:
> Hi all.
>
> Since upgrading to Debian Stable (Wheezy), the Gnome desktop has a popup
> which occurs at least once a day asking for authentication. The exact
> message is:
>
> Authentication is required to update packages
>
> It always pops up twice in a row whether I type in a password or just
> cancel the dialog. I've uninstalled the gnome update manager but this
> still shows up.
>
> Does anyone know what might be causing this or how to get rid of it?
>
> Thanks.
>
>

See
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=708548
--
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?
