unable to use RSA SecureID on Unbuntu 14.04 LTS 64 bit

Mark Kolmar mark at burningrome.com
Wed Aug 6 15:26:15 PDT 2014


I updated the packages using the PPA. The VPN GUI (top right) works now. 
I appreciate your help very much with this issue, which is more 
complicated than maybe either of us would have expected.

I set up a VPN profile for the new gateway with RSA token manually 
entered. That seems to behave the same as the build of openconnect 6.00 
that I tested earlier from shell. The GUI doesn't have anywhere to enter 
the 2nd password, even assuming correct 1st password (derived from 
token). I will test again from the command line and using the newest 
source when I get a chance.

Unless openconnect can be told to require a 2nd password, and if it does 
not detect that the server expects additional user input, authentication 
will always fail. One complication is that the accounts lock out after 
very few failed attempts.

It looks like stoken (this build anyway) generates a 6-digit code that 
is almost an arithmetic sum of PIN+tokencode, not carried. That is, if I 
set the PIN to 0000, stoken generates the same tokencode as the RSA app. 
For the case I am dealing with, the first password is the prefix 
concatenated with the current tokencode. I gather that some VPN gateways 
must combine PIN and tokencode the way stoken does.

--Mark

On 8/3/2014 3:18 AM, Kevin Cernekee wrote:
> I have updated my PPA with new builds for Ubuntu 14.04:
>
> openconnect 6.00 (built from the released tarball)
> network-manager-openconnect 0.9.9.0~20140802 (git commit eaee7e917694eed)
> stoken 0.8~20140802 (git commit ba44603cd5816)
>
> These all seem to be working OK for me so far.  Of course, since I
> used the official 6.00 sources, there isn't support for the
> experimental "PIN prompt on PINless tokens" patch I posted earlier.
> You would need to replace your local libopenconnect.so.3 with the
> patched version to try that out.
>
> AFAICT, there is no "0.9.10" release of network-manager-openconnect
> yet.  Only NetworkManager.
>
> As for the auth handshake problem - I would suggest setting up a MITM
> proxy to see where AnyConnect and OpenConnect diverge.  That is how I
> debugged the initial XML POST growing pains.
>



More information about the openconnect-devel mailing list