Group/IPSec password forgotten if XAUTH password is mistyped
Consider the following user configuration:
- the IPSec/Group password is entered into the connection settings dialog, and the option Store the password only for this user is selected
- the XAUTH password is left blank in the connection settings dialog, and the option Ask for this password every time is selected
In normal usage, nm-vpnc correctly prompts for me to enter only the XAUTH password. When correctly entered, the tunnel establishes.
However, if the XAUTH password is typed incorrectly (has changed, is forgotten, mistyped, etc.), nm-vpnc correctly prompts for the XAUTH password to be retried. At this point:
- if the user cancels the connection attempt, nm-vpnc clears/forgets the IPSec/Group password from wherever it is stored
- if the user enters the correct password, the tunnel establishes, but nm-vpnc still clears/forgets the Group password
The next time the user tries to establish the tunnel, both the XAUTH password and the Group password are required to be re-entered, this time in a dialog with both password fields.
The desired behaviour (at least from my perspective) is that:
- if either Group or XAUTH passwords are configured to be stored, nm-vpnc MUST NOT clear/forget them, even if a connection fails using the stored passwords.
- if the user later selects a different storage option in the settings dialog, nm-vpnc MUST clear/forget or remember, in accordance with the chosen option
- if a stored XAUTH password is later required to be retried and the connection is ultimately successful, nm-vpnc COULD overwrite the stored password with the retried password (if the user has permissions to overwrite the storage)
A particular nuance which makes this a larger problem also occurs if the VPN server itself uses a RADIUS server that sends an Access-Challenge to demand a second factor during the authentication flow. vpnc will receive and echo any RADIUS Reply-Message to the terminal (at least when Debug = 1), then will prompt for the second-factor password using the same prompt string as if a failed XAUTH password was received (i.e. "Password for VPN user@gateway-ipaddr:").
In this nuanced case, nm-vpnc correctly prompts for the first XAUTH password, then prompts for the second XAUTH password as if it were responding to a failed password. If both the first password and second password (more likely a time-based code) are correct, the tunnel does establish, but nm-vpnc still clears/forgets the stored Group password for next time.
If a password must be cleared/forgotten on error, e.g. because of some upstream soft policy or design decision, it should only be cleared if that specific password has been rejected by the VPN server. In the case of the IPSec/Group password, vpnc echoes "ISAKMP_N_AUTHENTICATION_FAILED" and/or "check group password" when this happens -- I presume this could be captured in the same way that an XAUTH password retry is captured?
In the nuanced case, overwriting a saved XAUTH password may not be ideal but, since I recognise that nm-vpnc cannot strictly differentiate between a bad XAUTH first password and a legitimate second password request by prompt alone, it might be a good idea to provide an additional settings dialog option (e.g. a true/false checkbox) which the user can set to determine whether nm-vpnc should attempt to overwrite a failed XAUTH password with a successfully-retried one.
If an extra option is not viable, perhaps it could just be documented somewhere that storing the XAUTH password is not recommended when multi-factor authentication is used?
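To make the proposed policy concrete (stored secrets are dropped only when the server rejected that specific secret; a retried XAUTH password overwrites the stored one only when the user opts in), here is an added illustration that is not nm-vpnc's code. It classifies vpnc output using the strings quoted in this report, and assumes a simple stored-secret model, that a stored XAUTH password needs no prompt on the initial attempt, and a hypothetical `overwrite_xauth_on_retry` option standing in for the suggested checkbox.

```python
from dataclasses import dataclass, field
from typing import List, Optional
import re

# Output markers vpnc emits, as quoted in the report above.
GROUP_REJECTED_MARKERS = ("ISAKMP_N_AUTHENTICATION_FAILED", "check group password")
XAUTH_PROMPT = re.compile(r"^Password for VPN \S+@\S+:")

@dataclass
class Secrets:
    group: Optional[str] = None   # stored IPSec/Group password, None = not stored
    xauth: Optional[str] = None   # stored XAUTH password, None = "ask every time"

@dataclass
class Outcome:
    group_rejected: bool = False
    xauth_prompts: int = 0
    reply_messages: List[str] = field(default_factory=list)

def parse_vpnc_output(lines):
    """Classify vpnc's output lines into the events the policy cares about."""
    out = Outcome()
    for line in lines:
        if any(m in line for m in GROUP_REJECTED_MARKERS):
            out.group_rejected = True      # server rejected the Group password
        elif XAUTH_PROMPT.match(line):
            out.xauth_prompts += 1         # XAUTH retry or RADIUS second factor
        elif "Reply-Message" in line:
            out.reply_messages.append(line)
    return out

def reconcile(stored, outcome, success, typed, overwrite_xauth_on_retry=False):
    """Return the secrets that should remain stored after the attempt.

    stored: Secrets before the attempt; typed: the XAUTH answers the user
    gave, in order; overwrite_xauth_on_retry: hypothetical option standing in
    for the suggested checkbox. A stored secret is dropped only if the server
    rejected that secret; cancelling or a failed XAUTH never clears the Group."""
    kept = Secrets(stored.group, stored.xauth)
    if outcome.group_rejected:
        kept.group = None
    # Prompts beyond those the initial attempt needed mean a retry happened
    # (assumption: a stored XAUTH password is sent without prompting).
    initial_prompts = 0 if stored.xauth is not None else 1
    retried = outcome.xauth_prompts > initial_prompts
    if (success and retried and typed and stored.xauth is not None
            and overwrite_xauth_on_retry):
        kept.xauth = typed[-1]   # may be a one-time code in the RADIUS case
    return kept
```

The second-factor case is exactly why the overwrite stays opt-in: the last typed value after a RADIUS challenge is usually a one-time code, not the XAUTH password.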