Unable to connect to Pritunl after resetting the password

Hi Team,
We have enabled Device Authentication. However, an issue arises when an administrator resets a user’s device password. Due to our password policy, which requires a password change every 90 days, failure by the user to update their password results in the MDM tools (https://endpointcentral.manageengine.com/) automatically resetting it. Subsequently, users are unable to connect to Pritunl, encountering the error “Failed to connect to profile.”

This is a service log for the Pritunl Client:

ORIGINAL STACK TRACE:

github.com/pritunl/pritunl-client-electron/service/tpm.(*Remote).Sign
/Users/apple/go/src/github.com/pritunl/pritunl-client-electron/service/tpm/remote.go:114 +0x102df4c2c
github.com/pritunl/pritunl-client-electron/service/profile.(*Profile).reqOvpn
/Users/apple/go/src/github.com/pritunl/pritunl-client-electron/service/profile/profile.go:2256 +0x102e03833
github.com/pritunl/pritunl-client-electron/service/profile.(*Profile).openOvpn
/Users/apple/go/src/github.com/pritunl/pritunl-client-electron/service/profile/profile.go:1969 +0x102e0230b
github.com/pritunl/pritunl-client-electron/service/profile.(*Profile).startOvpn
/Users/apple/go/src/github.com/pritunl/pritunl-client-electron/service/profile/profile.go:1375 +0x102dff02b
github.com/pritunl/pritunl-client-electron/service/profile.(*Profile).Start
/Users/apple/go/src/github.com/pritunl/pritunl-client-electron/service/profile/profile.go:1358 +0x102dfee5b
github.com/pritunl/pritunl-client-electron/service/handlers.profilePost.func1
/Users/apple/go/src/github.com/pritunl/pritunl-client-electron/service/handlers/profile.go:108 +0x102e1edc3
runtime.goexit
/opt/homebrew/Cellar/go/1.21.3/libexec/src/runtime/asm_arm64.s:1197 +0x1028f0593

[2024-01-16 09:29:35][WARN] ▶ profile: Request ovpn connection error
tpm: Client TPM error Tpm: Secure enclave exec code error caller_id=kK46uDIxItYvezrs exit_code=null output=Swift/ErrorType.swift:200: Fatal error: Error raised at top level: Error Domain=CryptoTokenKit Code=-3 "<sepk:p256 kid=f314516529490837>: unable to sign digest" UserInfo={NSDebugDescription=<sepk:p256 kid=f314516529490837>: unable to sign digest, AKSError=-536363001}

The issue seems to be related to the keychain. It would not have occurred if the user had changed their password themselves instead of having it reset.
The affected devices are MacBook Pro/Air M2 with the following OS versions: 13.2, 13.4, 13.6.1, and 14.2.1.

The Secure Enclave uses a data representation key to derive the private key from the Secure Enclave chip. It’s possible the Secure Enclave is getting reset and is rejecting the previous key. The key is stored in /var/lib/pritunl-client/pritunl-client.json on older clients and /Library/Application\ Support/Pritunl/pritunl-client.json on newer clients. This file can be deleted, and the device would then need to be registered again.

Hi Zach,

I am afraid that Pritunl's mechanism for the Secure Enclave runs into this issue every time a macOS user resets their password.
Every time a macOS user resets their password, we have to use this workaround in order to get the Pritunl agent trusted by the server again.
This is a problem for us.
Hoping there will be a fix/update that overcomes this “broken trust” issue.

I am working on adding a button to the menu to reset the Secure Enclave representation key, but clearing the Secure Enclave is going to cause problems. Once this is added, the device will still need to be registered again from the Pritunl console. As more software utilizes the Secure Enclave, clearing it frequently will create problems; it shouldn’t be reset.

The password reset is inevitable since it's on the user side.
The “button” seems to be an improvement; looking forward to it.

It’s more of an issue with the software that is resetting the Secure Enclave. There’s no reason to reset the Secure Enclave in those circumstances and it will cause more problems in the future as usage of the Secure Enclave increases.

Hi @zach, do you have any update on when the “button” will be available?

Currently the best way is to remove the configuration file storing the key: sudo rm -rf /Library/Application\ Support/Pritunl/pritunl-client.json
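A small triage script for the failure Zach describes in his first reply and in the workaround just above: it checks a client service log for the CryptoTokenKit "unable to sign digest" line from the original trace, pulls out the Secure Enclave key id it names, and reports which of the two representation-key file paths from the thread is present on the machine, so a helpdesk can tell a Secure Enclave trust failure apart from an ordinary connection error before removing the file and re-registering the device. This is an added example, not code from the Pritunl client or from anyone in the thread; it only reads and reports, never deletes, the log lines in its self-check are constructed copies of the trace posted above, and the function names (`triage`, `find_rep_key_file`, `log_se_key_id`) are my own.

```shell
#!/bin/sh
# Added triage helper for the Secure Enclave signing failure discussed in the
# thread. Not part of the Pritunl client. It reads a client service log and
# looks for the representation-key file at the two paths named in the thread.

# Return 0 if the log contains the Secure Enclave signing failure
# (CryptoTokenKit "unable to sign digest" raised from the tpm remote signer).
log_has_se_sign_failure() {
    grep -q 'Secure enclave exec code error' "$1" &&
        grep -q 'unable to sign digest' "$1"
}

# Print the key id (<sepk:p256 kid=...>) the Secure Enclave refused to sign with.
log_se_key_id() {
    sed -n 's/.*<sepk:p256 kid=\([0-9a-f]*\)>.*/\1/p' "$1" | head -n 1
}

# Print the representation-key file present under root prefix $1 (empty for the
# live system). Newer clients use the /Library path, older ones /var/lib.
find_rep_key_file() {
    root="$1"
    for p in "/Library/Application Support/Pritunl/pritunl-client.json" \
             "/var/lib/pritunl-client/pritunl-client.json"; do
        if [ -f "$root$p" ]; then
            printf '%s\n' "$root$p"
            return 0
        fi
    done
    return 1
}

# One-line verdict: no Secure Enclave failure, or a failure plus the key file
# (if any) that would need removing before the device is registered again.
triage() {
    log="$1"; root="$2"
    if ! log_has_se_sign_failure "$log"; then
        echo "no-se-failure"
        return 0
    fi
    if f=$(find_rep_key_file "$root"); then
        echo "se-failure kid=$(log_se_key_id "$log") key-file=$f"
    else
        echo "se-failure kid=$(log_se_key_id "$log") key-file=missing"
    fi
}

# Self-check with constructed data in a temporary root (nothing touched on /).
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/Library/Application Support/Pritunl"
    # constructed placeholder key file, not a real client config
    printf '{"id":"placeholder-device-id"}\n' \
        > "$tmp/Library/Application Support/Pritunl/pritunl-client.json"
    # constructed log, copied from the trace posted in this thread
    cat > "$tmp/service.log" <<'EOF'
[2024-01-16 09:29:35][WARN] profile: Request ovpn connection error
tpm: Client TPM error Tpm: Secure enclave exec code error caller_id=kK46uDIxItYvezrs exit_code=null output=Swift/ErrorType.swift:200: Fatal error: Error raised at top level: Error Domain=CryptoTokenKit Code=-3 "<sepk:p256 kid=f314516529490837>: unable to sign digest" UserInfo={NSDebugDescription=<sepk:p256 kid=f314516529490837>: unable to sign digest, AKSError=-536363001}
EOF
    triage "$tmp/service.log" "$tmp"
    rm -rf "$tmp"
}

demo
```

On a live Mac, run `triage /path/to/pritunl-client-service.log ""` (empty root) to check the real paths; a `se-failure` verdict with a `key-file=` path is the case the thread's workaround applies to, while `no-se-failure` means the connection problem is something else and the key file should be left alone.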