Bug 765553 - nmcli --ask doesn't work (doesn't ask for passphrase)
Status: RESOLVED FIXED
Product: NetworkManager
Classification: Platform
Component: VPN: openvpn
Version: 1.2.x
Hardware: Other Linux
Importance: Normal normal
Assigned To: NetworkManager maintainer(s)
Reported: 2016-04-25 17:32 UTC by Tore Anderson
Modified: 2016-05-05 12:54 UTC


Attachments
[PATCH] clients: add missing openvpn secret types to secret agent (2.47 KB, patch)
2016-05-03 21:59 UTC, Beniamino Galvani

Description Tore Anderson 2016-04-25 17:32:37 UTC
Lubomir's blog post at <https://blogs.gnome.org/lkundrak/2016/04/20/networkmanager-1-2-is-here/> makes the following claim: «It is now also possible to connect to a VPN from the command line using nmcli. If the VPN needs a password, nmcli will ask when the user use the –ask option».

However, this does not actually seem to work:

$ nmcli --ask con up MyVPN
Error: Connection activation failed: no valid VPN secrets.

When this is done, the following log messages appear:

<info>  [1461603376.6497] audit: op="connection-activate" uuid="68db6fae-7eca-4afe-b414-2ef65a02c123" name="MyVPN" pid=17055 uid=1000 result="success"
<info>  [1461603376.6538] vpn-connection[0x7f032eb955c0,68db6fae-7eca-4afe-b414-2ef65a02c123,"MyVPN",0]: Started the VPN service, PID 17062
<info>  [1461603376.6651] vpn-connection[0x7f032eb955c0,68db6fae-7eca-4afe-b414-2ef65a02c123,"MyVPN",0]: Saw the service appear; activating connection
<error> [1461603376.6828] vpn-connection[0x7f032eb955c0,68db6fae-7eca-4afe-b414-2ef65a02c123,"MyVPN",0]: Failed to request VPN secrets #3: No agents were available for this request.

/etc/NetworkManager/system-connections/MyVPN contains:

[connection]
id=MyVPN
uuid=68db6fae-7eca-4afe-b414-2ef65a02c123
type=vpn
autoconnect=false
permissions=
secondaries=
timestamp=1441998313

[vpn]
comp-lzo=yes
ca=/home/tore/vpn/myvpn.ca.pem
cert=/home/tore/vpn/myvpn.crt
remote=myvpn.fud.no
connection-type=tls
key=/home/tore/vpn/myvpn.key
cert-pass-flags=2
service-type=org.freedesktop.NetworkManager.openvpn

[ipv4]
dns-search=
method=auto
never-default=true

[ipv6]
addr-gen-mode=eui64
dns-search=
ip6-privacy=0
method=auto
never-default=true

This happens only if nm-applet is not running. If it is running, then "nmcli con up MyVPN" (even without --ask) will make a GUI passphrase dialog box appear, but that's not terribly helpful on a GUI-less system (or if you're logging in via ssh).
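
Added example (not part of the original report and not NetworkManager's own code): cert-pass-flags=2 in the keyfile above is the "not-saved" secret flag, so NetworkManager never stores the key passphrase and a secret agent has to supply it on every activation. The Python sketch below decodes the *-flags keys of a [vpn] section to list such secrets; the function names are illustrative, the embedded keyfile is a constructed excerpt of the one above, and treating "not-required" secrets as not needing an agent is a simplifying assumption.

```python
import configparser

# NMSettingSecretFlags bit values as documented by NetworkManager;
# a value of 0 means the secret is stored by NetworkManager itself.
SECRET_FLAGS = {0x1: "agent-owned", 0x2: "not-saved", 0x4: "not-required"}

# Constructed sample: excerpt of the keyfile quoted in the report.
SAMPLE_KEYFILE = """\
[connection]
id=MyVPN
type=vpn

[vpn]
connection-type=tls
key=/home/tore/vpn/myvpn.key
cert-pass-flags=2
service-type=org.freedesktop.NetworkManager.openvpn
"""


def decode_flags(value):
    """Return the names of the flag bits set in value ([] = stored by NM)."""
    return [name for bit, name in sorted(SECRET_FLAGS.items()) if value & bit]


def secrets_needing_agent(keyfile_text):
    """Map VPN secret name -> flag names for secrets only an agent can supply."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(keyfile_text)
    if not parser.has_section("vpn"):
        return {}
    needed = {}
    for key, raw in parser["vpn"].items():
        if not key.endswith("-flags"):
            continue
        try:
            flags = int(raw, 0)
        except ValueError:
            continue  # malformed flag value: skip rather than guess
        # agent-owned or not-saved, and not marked as optional (assumption)
        if flags & 0x3 and not flags & 0x4:
            needed[key[: -len("-flags")]] = decode_flags(flags)
    return needed


if __name__ == "__main__":
    for secret, flags in secrets_needing_agent(SAMPLE_KEYFILE).items():
        print(f"{secret}: {', '.join(flags)} -> requires a secret agent")
```

On a headless host, any secret this reports must be answered by an agent that knows that secret type, which is the gap the "No agents were available for this request" log line points at.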
Comment 1 Beniamino Galvani 2016-05-03 21:59:41 UTC
Created attachment 327252
[PATCH] clients: add missing openvpn secret types to secret agent

(In reply to Tore Anderson from comment #0)
> $ nmcli --ask con up MyVPN
> Error: Connection activation failed: no valid VPN secrets.

Yeah, the agent manager used by nmcli and nmtui can ask for the user password but not for other secrets like the private key password. The attached patch should fix this.
Comment 2 Tore Anderson 2016-05-04 19:17:17 UTC
(In reply to Beniamino Galvani from comment #1)
> Created attachment 327252
> [PATCH] clients: add missing openvpn secret types to secret agent

Tested and it seems to work fine for me. I can now enter the passphrase directly from nmcli when using --ask. Thank you!

However I noticed one thing that struck me as a bit odd: If nm-applet is running, and you run "nmcli --ask con up vpnconn" and then hit ctrl+c when prompted for the passphrase, the GUI passphrase dialogue box will appear. If I enter the passphrase there, the VPN connection will establish. What I'd intuitively expect to happen instead, is that when I hit ctrl+c the connection activation attempt would be completely abandoned.
Comment 3 Beniamino Galvani 2016-05-05 12:54:56 UTC
(In reply to Tore Anderson from comment #2)
> Tested and it seems to work fine for me. I can now enter the passphrase
> directly from nmcli when using --ask. Thank you!

Merged to master with Thomas' ack:

https://cgit.freedesktop.org/NetworkManager/NetworkManager/commit/?id=f57c20505110b951d067b9232ad7dcc2e6b50125

nm-1-2:

https://cgit.freedesktop.org/NetworkManager/NetworkManager/commit/?h=nm-1-2&id=367727ae881c307defdf977be85294335a0d06fd

> However I noticed one thing that struck me as a bit odd: If nm-applet is
> running, and you run "nmcli --ask con up vpnconn" and then hit ctrl+c when
> prompted for the passphrase, the GUI passphrase dialogue box will appear. If
> I enter the passphrase there, the VPN connection will establish. What I'd
> intuitively expect to happen instead, is that when I hit ctrl+c the
> connection activation attempt would be completely abandoned.

Usually nmcli activations are started asynchronously and we only wait for success or failure, but never interrupt them if the user hits ^C. In this case the ^C terminates the password request and the wait, but not the activation.

I think this is consistent with the usual behavior of nmcli; please file a separate bug if you think this is wrong.