
Comments (12)

jkbullard commented on June 2, 2024

@YuriDenison – LF characters are not stripped from the output of the dynamic-challenge-response.user.sh and static-challenge-response.user.sh scripts.

The echo $(pass otp name) in your script outputs a LF character after the TOTP, which Tunnelblick passes on to the OpenVPN server, which rejects it because of the LF character. Try using printf "%s" "$(pass otp name)" instead, which will avoid appending the LF character.

Edited 2024-02-14

from tunnelblick.
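The following script is an added example, not code from the issue or from Tunnelblick. It shows the byte-level difference jkbullard describes between echo and printf "%s", using a stub pass function that returns a made-up code, and a second pair of functions shows why the response must be passed to printf as an argument to a fixed "%s" format rather than used as the format string itself (a static-challenge password containing "%" is assumed here to make the point visible).

```shell
#!/bin/sh
# Added example; not code from the Tunnelblick project or from the issue.
# Demonstrates why `echo` appends a LF to a challenge-response script's
# output while `printf "%s"` does not, and why the response must be an
# argument to printf rather than its format string.
# `pass` and `secret` are stubs standing in for `pass otp name` and a static
# password; the values 123456 and pa%ss are constructed.

pass() {
    # Like the real `pass otp`, print the code followed by a newline.
    printf '123456\n'
}

secret() {
    # A constructed static-challenge password that happens to contain '%'.
    printf 'pa%%ss\n'
}

# The form used in the original script: echo always terminates its output
# with LF, so the server receives "123456\n".
respond_with_echo() {
    echo $(pass otp name)
}

# Suggested form: $(...) strips pass's trailing newline and printf "%s"
# writes exactly its argument, so the server receives "123456".
respond_with_printf() {
    printf "%s" "$(pass otp name)"
}

# Using the response as the format string lets any '%' in it be parsed as a
# printf directive: "pa%ss" becomes "pas" because the %s consumes no argument.
format_unquoted() {
    printf "$(secret)"
}

# Passing it as an argument to a fixed "%s" format preserves it byte for byte.
format_quoted() {
    printf "%s" "$(secret)"
}

# Number of bytes a response function writes to stdout. A 6-digit TOTP is
# 6 bytes; 7 means a LF was appended.
response_length() {
    "$1" | wc -c | tr -d ' '
}

# Character dump of a response, to see the trailing \n directly.
show_bytes() {
    "$1" | od -An -c
}

echo "echo form:   $(response_length respond_with_echo) bytes"
show_bytes respond_with_echo
echo "printf form: $(response_length respond_with_printf) bytes"
show_bytes respond_with_printf
echo "response as format: $(format_unquoted)   as argument: $(format_quoted)"
```

Run it with sh; the od output for the echo form ends in `\n`, the printf form does not. The second point matters for static-challenge-response.user.sh, where the response is a password the user chose rather than six digits.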

YuriDenison commented on June 2, 2024

Thank you for the answer.
I've tried printf "%s" "$(pass otp name)" and nothing changed.
The same with pass otp name | tr -d '\n'.

jkbullard commented on June 2, 2024

@YuriDenison – Maybe the "sleep 1" in your script is exposing a bug in Tunnelblick. I don't know of any reason to have it in the script. Try removing it and see if that helps.

Change the script to use printf "%s" "$(pass otp name)", also. It is necessary as I described earlier.

You originally wrote:

My script successfully generates a 6-letter time-based code; it uses echo as flag E is always present in the challenge.

The "E" flag has nothing to do with the "echo" command. The "E" flag means that if the user is asked to type in the response, each letter of the response should be displayed to the user as the user types it, instead of displaying "*" characters. The flag is ignored when the response is coming from the script.

YuriDenison commented on June 2, 2024

@jkbullard I've tried trimming LF previously, with and without sleep, with and without parsing the argument in first line.
I've created the issue only when I was out of ideas what causes the problem.

This one-liner should work fine but it doesn't.

printf "%s" "$(pass otp name)"

Unfortunately on the server side there are no verbose logs, only a Failed two-step authentication message.

YuriDenison commented on June 2, 2024

Is it possible to add more logs to the message sent to server?
For example to this line

jkbullard commented on June 2, 2024

@YuriDenison - When you wrote that the script is

#!/bin/bash
challenge="$1"
sleep 1
echo $(pass otp name)
  1. Why do you set the bash variable "challenge"? It is not used in your script!

  2. Why did you include the "sleep" command?

  3. I'm not familiar with the "pass" command; it is not part of macOS. Please provide a link to where you downloaded it from.

  4. Did you mean that the last line was literally echo $(pass otp name)?

Or are "otp" and/or "name" actually other strings, and you substituted "otp" and "name" for the two strings because you didn't want to post them for privacy reasons?

YuriDenison commented on June 2, 2024

@jkbullard I've built Tunnelblick from sources, added some logs and found that the problem is somehow related to environment of NSTask launch.

With this script the parsed output is always aaabbb

#!/bin/bash
# "%s" keeps any '%' in pass's output from being read as a printf directive.
printf "aaa%sbbb" "$(/opt/homebrew/bin/pass otp name)"

I'm using pass with otp extension installed with homebrew. It works fine in default terminal, but doesn't work when launched with runToolExtended.
Digging further.

jkbullard commented on June 2, 2024

@YuriDenison - runToolExtended sets the environment of the NSTask from getSafeEnvironment, which creates a very limited environment for security reasons, and sets PATH in that environment to /usr/bin:/bin:/usr/sbin:/sbin.

If pass or otp_extension needs that PATH include /opt/homebrew/bin/pass, that could be a problem.

YuriDenison commented on June 2, 2024

@jkbullard I've added /opt/homebrew/bin to STANDARD_PATH for the test's sake in my local build and finally my script worked as expected. It would be nice if there were an option to "trust" user-defined scripts with a wider environment setting, turned off by default.

jkbullard commented on June 2, 2024

Thanks for reporting the problem and a potential solution.

However, it’s really a problem with pass and/or the otp extension. I’m not inclined to add something that would break security, because it would need to be authorized by an administrator.

jkbullard commented on June 2, 2024

Can your script add /opt/homebrew/bin to PATH before it invokes pass? Wouldn't that solve the problem?

YuriDenison commented on June 2, 2024

Sure, this script works fine with current 4.0.0beta15 version, thank you for help.

#!/bin/bash
# Tunnelblick runs this script with PATH=/usr/bin:/bin:/usr/sbin:/sbin, so
# add the Homebrew directory where pass lives before calling it.
export PATH="$PATH:/opt/homebrew/bin"
# Pass the code as an argument to a fixed "%s" format, not as the format itself.
printf "%s" "$(pass otp name)"

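As an added example (not Tunnelblick's code or the issue's), the script below reproduces the situation jkbullard describes for runToolExtended and getSafeEnvironment, and the fix YuriDenison ended up with: a script launched with an emptied environment whose PATH is only /usr/bin:/bin:/usr/sbin:/sbin cannot find a Homebrew-installed pass until it extends PATH itself. A temporary directory stands in for /opt/homebrew, its pass binary is a constructed stub that prints 123456, and env -i is used as a stand-in for the sanitized NSTask environment.

```shell
#!/bin/sh
# Added example; not code from the Tunnelblick project or from the issue.
# Reproduces with a stub why a challenge-response script started with a
# sanitized environment (PATH=/usr/bin:/bin:/usr/sbin:/sbin only) cannot find
# a Homebrew-installed `pass` unless the script extends PATH itself.
# A temporary directory stands in for /opt/homebrew; its `pass` is a
# constructed stub that prints 123456.

SAFE_PATH="/usr/bin:/bin:/usr/sbin:/sbin"

# Create a fake Homebrew prefix containing an executable `pass` stub and
# print its path.
make_fake_brew() {
    dir=$(mktemp -d) || return 1
    mkdir -p "$dir/bin"
    cat > "$dir/bin/pass" <<'EOF'
#!/bin/sh
# Stub for `pass otp name`; ignores its arguments.
printf '123456\n'
EOF
    chmod +x "$dir/bin/pass"
    printf '%s' "$dir"
}

# The script as first posted: it assumes `pass` is on the caller's PATH.
write_naive_script() {
    cat > "$1" <<'EOF'
#!/bin/sh
printf "%s" "$(pass otp name)"
EOF
}

# The working script: it appends the Homebrew bin directory itself.
# $2 is the fake prefix; in real use this is /opt/homebrew.
write_fixed_script() {
    cat > "$1" <<EOF
#!/bin/sh
export PATH="\$PATH:$2/bin"
printf "%s" "\$(pass otp name)"
EOF
}

# Run a script the way a sanitizing launcher would: `env -i` discards the
# caller's environment, then only PATH and HOME are provided. Prints the
# script's stdout, i.e. the challenge response the VPN client would send.
run_sanitized() {
    env -i PATH="$SAFE_PATH" HOME="${HOME:-/}" /bin/sh "$1"
}

brew=$(make_fake_brew)
write_naive_script "$brew/naive.sh"
write_fixed_script "$brew/fixed.sh" "$brew"
printf 'naive script response: [%s]\n' "$(run_sanitized "$brew/naive.sh")"
printf 'fixed script response: [%s]\n' "$(run_sanitized "$brew/fixed.sh")"
rm -rf "$brew"
```

The naive script prints an empty response (and "pass: not found" on stderr), which is exactly what the server would reject as a failed second factor; the fixed one prints 123456. Appending rather than prepending the Homebrew directory, as the final script in this thread does, keeps a Homebrew binary from shadowing the /usr/bin tools the script relies on.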
