unable to use RSA SecurID on Ubuntu 14.04 LTS 64 bit

Kevin Cernekee cernekee at gmail.com
Wed Aug 6 22:06:31 PDT 2014


On Wed, Aug 6, 2014 at 3:26 PM, Mark Kolmar <mark at burningrome.com> wrote:
> I updated the packages using the PPA. The VPN GUI (top right) works now. I
> appreciate your help very much with this issue, which is more complicated
> than maybe either of us would have expected.
>
> I set up a VPN profile for the new gateway with RSA token manually entered.
> That seems to behave the same as the build of openconnect 6.00 that I tested
> earlier from shell. The GUI doesn't have anywhere to enter the 2nd password,
> even assuming correct 1st password (derived from token). I will test again
> from the command line and using the newest source when I get a chance.
>
> Unless openconnect can be told to require a 2nd password, and if it does not
> detect that the server expects additional user input, authentication will
> always fail. One complication is that the accounts lock out after very few
> failed attempts.

Well, the best bet for debugging a missing auth prompt is to provide
the gateway hostname, but if that isn't possible maybe you could post
the ASA configuration ("show run" output) so I could try it locally on
my device?

> It looks like stoken (this build anyway) generates a 6-digit code that is
> almost an arithmetic sum of PIN+tokencode, not carried. That is, if I set
> the PIN to 0000, stoken generates the same tokencode as the RSA app.

Right - most software tokens seem to use PIN mode 2, which enables
this behavior.

If you load up the RSA app on a smartphone, you can import a random
token generated with:

stoken export --random --show-qr

This should handle the PIN the same way (addition with no carry).

Did the PIN handling on your token change from a previous version of
stoken?  I am testing a PIN mode 0 token locally and there is no PIN
prompt:

$ stoken show --file /tmp/six.sdtid
Serial number           : 265203609830
Encrypted w/password    : no
Encrypted w/devid       : no
Expiration date         : 2015/10/27
Key length              : 128
Tokencode digits        : 6
PIN mode                : 0
Seconds per tokencode   : 60
App-derived             : no
Feature bit 4           : no
Time-derived            : yes
Feature bit 6           : no
$ stoken tokencode --file /tmp/six.sdtid
173732
-------------- next part --------------
A non-text attachment was scrubbed...
Name: six.sdtid
Type: application/octet-stream
Size: 1535 bytes
Desc: not available
URL: <http://lists.infradead.org/pipermail/openconnect-devel/attachments/20140806/cd51672f/attachment.obj>
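The "addition with no carry" PIN handling discussed in the message above, as an added example that is not part of the original thread and is not stoken's own code. It assumes the PIN is right-aligned against the tokencode; the function names and the PIN 4829 are constructed for illustration, and the digits 173732 are reused from the sample output only as input.

```python
"""Added example: combine a PIN with a tokencode digit by digit, no carry."""


def _digits(value, what):
    # Accept only ASCII decimal digits; reject anything else up front.
    if not (value.isascii() and value.isdigit()):
        raise ValueError(what + " must contain only decimal digits")
    return [int(ch) for ch in value]


def add_pin_no_carry(tokencode, pin):
    """Add each PIN digit to the tokencode digit in the same column, mod 10.

    Assumption: the PIN is right-aligned, so a 4-digit PIN only changes
    the last four digits of a 6-digit tokencode.
    """
    code = _digits(tokencode, "tokencode")
    pin_digits = _digits(pin, "PIN") if pin else []
    if len(pin_digits) > len(code):
        raise ValueError("PIN is longer than the tokencode")
    padded = [0] * (len(code) - len(pin_digits)) + pin_digits
    return "".join(str((c + p) % 10) for c, p in zip(code, padded))


def codes_agree(code_with_zero_pin, code_with_pin, pin):
    """Check offline that two generators share the same underlying tokencode.

    code_with_zero_pin: code shown when the PIN is all zeros.
    code_with_pin:      code shown by the other generator with the real PIN.
    """
    return add_pin_no_carry(code_with_zero_pin, pin) == code_with_pin


if __name__ == "__main__":
    bare = "173732"   # digits reused from the sample output, as input only
    pin = "4829"      # constructed PIN
    combined = add_pin_no_carry(bare, pin)
    print("no-carry sum :", combined)
    print("ordinary sum :", str(int(bare) + int(pin)).zfill(len(bare)))
    print("codes agree  :", codes_agree(bare, combined, pin))
```

Comparing the two codes this way, within the same tokencode interval, avoids spending a login attempt on a gateway that locks accounts after a few failures.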

