The default branch for this project has been changed. Please update your bookmarks.
-
Íñigo Huguet authored
When using the auth dialog, nmcli and other agents reject using as secrets values without "IsSecret=true" option. Because of this, the value entered by the user as challenge-response was ignored with the "echo" mode enabled: because we were setting "IsSecret=false" to make the input visible. Instead of that, send a new "ForceEcho" option that is recognized by nmcli and other agents since NM 1.46. Additionally, prefix the "challenge-response" hint with "x-vpn-challenge(-echo):" to make nmcli recognizing this request as the 2nd step of a 2FA authentication in all cases, avoiding to request the password twice. This is also supported since NM 1.46. This change is backwards compatible for clients that uses the auth-dialog method to get the list of secrets to require: they pass the hints to nm-openvpn-auth-dialog and it will understand the new "x-vpn-challenge*" tags. These clients won't understand the new ForceEcho but they will just ignore it. This is not backwards compatible with clients that, instead of the auth-method or as fallback, uses the hints directly. This has been tested with nmcli, nmtui, nm-applet and GNOME control center. All of them are compatible or patched to be compatible.
b45ecc16