password/secondary_password mixed up with rsa token + passwd-on-stdin still prompting for password

Keith Johnson blackhole at ubergeek42.com
Thu Dec 28 08:53:47 PST 2017


I have a couple of problems I'm hoping to get some help with.

First, openconnect is sending my token in the wrong field; the server
I'm connecting to expects it in the secondary_password field. I can
connect fine when entering the credentials manually. Is there a way to
specify the field to use for the token? Or to switch them around?

Secondly, even when using --passwd-on-stdin, I am prompted for a
password. I'm not sure if this is related to the mixup above. Stoken
is configured with no password and the pin is stored; I can run
`stoken` and it prints out a token with no interaction required.

Here's the command I'm running, and the output I'm seeing (with things
redacted of course):

echo 'password' | openconnect --user=myusername --token-mode=rsa
https://myserver.tld/ --passwd-on-stdin -vvvv --timestamp
--dump-http-traffic

[2017-12-28 16:24:16] Soft token init was successful.
[2017-12-28 16:24:16] POST REDACTED
[2017-12-28 16:24:16] Attempting to connect to server REDACTED:443
[2017-12-28 16:24:16] SSL negotiation with REDACTED
[2017-12-28 16:24:16] Connected to HTTPS on REDACTED
[2017-12-28 16:24:16] > POST REDACTED HTTP/1.1
[2017-12-28 16:24:16] > Host: REDACTED
[2017-12-28 16:24:16] > User-Agent: Open AnyConnect VPN Agent v7.06
[2017-12-28 16:24:16] > Accept: */*
[2017-12-28 16:24:16] > Accept-Encoding: identity
[2017-12-28 16:24:16] > X-Transcend-Version: 1
[2017-12-28 16:24:16] > X-Aggregate-Auth: 1
[2017-12-28 16:24:16] > X-AnyConnect-Platform: linux-64
[2017-12-28 16:24:16] > X-Support-HTTP-Auth: true
[2017-12-28 16:24:16] > X-Pad: 00000000000000000000000
[2017-12-28 16:24:16] > Content-Type: application/x-www-form-urlencoded
[2017-12-28 16:24:16] > Content-Length: 233
[2017-12-28 16:24:16] >
[2017-12-28 16:24:16] > <?xml version="1.0" encoding="UTF-8"?>
[2017-12-28 16:24:16] > <config-auth client="vpn" type="init"><version
who="vpn">v7.06</version><device-id>linux-64</device-id><group-access>REDACTED</group-access></config-auth>
[2017-12-28 16:24:16] Got HTTP response: HTTP/1.1 200 OK
[2017-12-28 16:24:16] Content-Type: text/html; charset=utf-8
[2017-12-28 16:24:16] Transfer-Encoding: chunked
[2017-12-28 16:24:16] Cache-Control: no-cache
[2017-12-28 16:24:16] Pragma: no-cache
[2017-12-28 16:24:16] Connection: Keep-Alive
[2017-12-28 16:24:16] Date: Thu, 28 Dec 2017 16:24:16 GMT
[2017-12-28 16:24:16] X-Frame-Options: SAMEORIGIN
[2017-12-28 16:24:16] X-Aggregate-Auth: 1
[2017-12-28 16:24:16] HTTP body chunked (-2)
[2017-12-28 16:24:16] < <?xml version="1.0" encoding="UTF-8"?>
[2017-12-28 16:24:16] < <config-auth client="vpn" type="auth-request">
[2017-12-28 16:24:16] < <opaque is-for="sg">
[2017-12-28 16:24:16] < <tunnel-group>REDACTED</tunnel-group>
[2017-12-28 16:24:16] < <config-hash>REDACTED</config-hash>
[2017-12-28 16:24:16] < </opaque>
[2017-12-28 16:24:16] < <auth id="main">
[2017-12-28 16:24:16] < <title>Login</title>
[2017-12-28 16:24:16] < <message>Please enter your username and
password.</message>
[2017-12-28 16:24:16] < <banner></banner>
[2017-12-28 16:24:16] < <form>
[2017-12-28 16:24:16] < <input type="text" name="username"
label="Username:"></input>
[2017-12-28 16:24:16] < <input type="password" name="password"
label="Password:"></input>
[2017-12-28 16:24:16] < <input type="password"
name="secondary_password" label="Password:"></input>
[2017-12-28 16:24:16] < </form>
[2017-12-28 16:24:16] < </auth>
[2017-12-28 16:24:16] < </config-auth>
[2017-12-28 16:24:16] OK to generate INITIAL tokencode
[2017-12-28 16:24:16] XML POST enabled
Please enter your username and password.
Password:
fgets (stdin): Inappropriate ioctl for device

If I don't use the password on stdin and type it in manually, then the
first attempt at entering my password fails, I see the request
openconnect made gets and uses a correct token for the <password> field
and my password for the <secondary_password> field, then logs a line
saying it failed and makes me enter my credentials manually:

[2017-12-28 16:35:05] Server is rejecting the soft token; switching to
manual entry
Login failed.
Please enter your username and password.
Username: <MYUSERNAME>
Password: <MYPASSWORD>
Password: <MYTOKEN>

This connection request uses my password for the <password> field, and
my token for the <secondary_password> field, and connects just fine.
So I know all the pieces are working, but I'm trying to have this come
up without any interaction required.

My system:
Ubuntu 16.04.3 LTS
Openconnect 7.06-2build2 (from the official Ubuntu universe package repository)

Let me know if there are any other details I can provide.

Thanks in advance for any help!
Keith
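The form in the auth-request above has two inputs of type "password" that carry the same label ("Password:"), so the only thing that tells them apart is the field name, and a client that fills the tokencode into one of them by fixed rule will be right for some servers and wrong for others. The following is an added illustration, not openconnect's own code and not something from the original post: it parses a constructed copy of that auth-request (with placeholder values where the post was redacted), reports which password labels are ambiguous, and shows the two field assignments the post describes, i.e. the one the client sent (token in `password`) beside the one that was accepted when typed manually (token in `secondary_password`). The function and parameter names are the example's own.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the auth-request quoted in the post; the
# tunnel-group and config-hash are placeholders, not real values.
AUTH_REQUEST = """<?xml version="1.0" encoding="UTF-8"?>
<config-auth client="vpn" type="auth-request">
<opaque is-for="sg">
<tunnel-group>EXAMPLE-TUNNEL-GROUP</tunnel-group>
<config-hash>EXAMPLE-CONFIG-HASH</config-hash>
</opaque>
<auth id="main">
<title>Login</title>
<message>Please enter your username and password.</message>
<banner></banner>
<form>
<input type="text" name="username" label="Username:"></input>
<input type="password" name="password" label="Password:"></input>
<input type="password" name="secondary_password" label="Password:"></input>
</form>
</auth>
</config-auth>
"""


def parse_form_inputs(xml_text):
    """Return the form's inputs as (name, type, label) tuples, in server order."""
    root = ET.fromstring(xml_text)
    if root.tag != "config-auth" or root.get("type") != "auth-request":
        raise ValueError("not a config-auth auth-request document")
    return [(i.get("name"), i.get("type"), i.get("label")) for i in root.iter("input")]


def ambiguous_password_labels(inputs):
    """Labels shared by more than one password-type field.

    When this is non-empty the label cannot be used to decide which field
    should receive the tokencode; only the field name distinguishes them.
    """
    by_label = {}
    for name, typ, label in inputs:
        if typ == "password":
            by_label.setdefault(label, []).append(name)
    return {label for label, names in by_label.items() if len(names) > 1}


def fill_form(inputs, username, password, token, token_field):
    """Assign credentials to form fields.

    token_field names the password-type field that should carry the
    tokencode; the other password-type field gets the static password.
    Raises if the form does not have exactly two password fields or
    token_field is not one of them, so a mismatch is caught before anything
    is sent rather than showing up as a rejected login.
    """
    password_fields = [name for name, typ, _ in inputs if typ == "password"]
    if len(password_fields) != 2:
        raise ValueError("expected two password fields, got %r" % password_fields)
    if token_field not in password_fields:
        raise ValueError("form has no password field named %r" % token_field)
    static_field = next(n for n in password_fields if n != token_field)

    values = {}
    for name, typ, _ in inputs:
        if typ == "text" and name == "username":
            values[name] = username
        elif name == token_field:
            values[name] = token
        elif name == static_field:
            values[name] = password
    return values


if __name__ == "__main__":
    inputs = parse_form_inputs(AUTH_REQUEST)
    print("inputs:", inputs)
    print("ambiguous password labels:", ambiguous_password_labels(inputs))
    # Mapping the post says the client sent, and the one the server accepted.
    print("token in password:", fill_form(inputs, "user", "pw", "123456", "password"))
    print("token in secondary_password:",
          fill_form(inputs, "user", "pw", "123456", "secondary_password"))
```

Run stand-alone it prints the parsed inputs, the single ambiguous label, and the two assignments; the secrets shown are the constructed placeholders passed in the `__main__` block.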


