Skip to content

libnmc: support 2FA authentication from VPN plugins

Íñigo Huguet requested to merge ih/vpn-2fa into main


Fix some issues that prevented or made annoying to use 2FA authentication from VPN plugins.


When the VPN service sends a challenge as 2nd step of a 2FA authentication, clients like nmcli were requesting again the password. Fix that.

Also, attempts by VPN plugins to implement an ECHO mode so the response to the challenge is not hidden as a password were not successful because they tried to set IsSecret=false from the auth-dialog, but nm-secret-agent-simple ignores values without IsSecret. Fix that by adding a new "ForceEcho" option

This change is backwards compatible in the sense that it doesn't break any existing VPN plugin. Clients that doesn't support the auth-dialog might need to adapt if VPN plugins start using this mechanism. They will work fine if they support the auth-dialog, though.

See implementation of the new features in NetworkManager-openvpn:

Fixes #1434 (closed)
See #1451

Edited by Íñigo Huguet

Merge request reports