2FA-issue after upgrade to Tunnelblick 3.8.6beta02 (build 5690)

[Markus M]

Hello,

the following problem came up after the upgrade:

We are using openvpn with two-factor-authorisation via static-challenge, where you can enter a PIN together with a TOTP in the popup window.

In case, username and password are saved in the keychain, up to version  Tunnelblick_3.8.5beta06_build_5660 there still was the popup window asking for the PIN+TOTP.

in Version 3.8.6beta02 (build 5690) there is no longer any popup windows asking for the PIN+TOTP

The floating window says "waiting for password" (translated) in yellow.

last log lines:

2021-04-22 11:56:56.736757 *Tunnelblick: Established communication with OpenVPN

2021-04-22 11:56:56.739445 *Tunnelblick: >INFO:OpenVPN Management Interface Version 1 -- type 'help' for more info

2021-04-22 11:56:56.741686 MANAGEMENT: CMD 'hold release'

educated guess:

This might be related with "Optionally allows the code from an authentication device to be entered in the VPN login window with the username and password."

thank you for your help,

Markus

[Tunnelblick developer]

Thanks for your report. Please see https://groups.google.com/g/tunnelblick-discuss/c/nB957_j9LJo.

[Markus M]

Just for the record:

I am using macOS 10.15.7 (Catalina)

Markus

[Tunnelblick developer]

Thanks.

[macmanjimmy]

fixed the issue.... installed Viscosity instead ! LMAO 

Problem solved.... and no Huge Splash screen

[macmanjimmy]

proud of ya.... Using 10.12.6

[Tunnelblick developer]

This problem should be fixed in Tunnelblick 3.8.6beta03, available via update on the "Preferences" panel. (Put a check in "Check fro updates to beta versions", then click the "Check Now" button.)

[Markus M]

Hi,

thank you for the quick fix, it works now with both scenarios here:

a) username + password from keychain: OK ( Login windows only shows up the first time when credentials are entered and then saved into keychain)

b) username + password from keychain + OTP via static-challenge option OK (Only the static-challenge window shows up)

The Security Code Field in the initial Login Windows refers only to dynamic challenges via auth-retry from the server. Is that right.

Markus

[Tunnelblick developer]

Marcus M wrote:

"The Security Code Field in the initial Login Windows refers only to dynamic challenges via auth-retry from the server. Is that right."

Not quite. It has nothing to do with OpenVPN's static or dynamic challenges. It is for old setups where a constantly-changing code must be appended to the user's password. (For example, a code from a dongle which generates time-based one-time passwords.)

If the "Security code" checkbox is checked:

• The login window will always appear; and
• The "security code" will be appended to the password before it is sent by Tunnelblick to OpenVPN.

This allows the user to save the username and password in the Keychain and still use this type of authentication. The login window will appear with the username and password already filled in. The user types in the security code from their dongle and clicks "OK". The "security code" is appended to the end of the password, and the result is sent to OpenVPN to pass on to the OpenVPN server for authentication.

[Tunnelblick developer]

macmanjimmy wrote:

"Problem solved.... and no Huge Splash screen"

If you're referring to Tunnelblick's splash screen, Tunnelblick's "Appearance" panel has a checkbox to control whether it is displayed or not. It's displayed by default, but a single click will change that. (Two clicks, if you include choosing the "Appearance" panel; four clicks if you need to first make the "VPN Details" window visible.)

[Markus M]

Thank you for the explanation. This will come in handy.

Markus