VPN gateway requests two passwords.

Chaskiel Grundman cg2v at andrew.cmu.edu
Mon Sep 27 17:03:20 EDT 2010


> The text version of process_auth_form() is an abomination. I suspect we
> should ditch the SecurID support, ditch the static buffers, and
> dynamically allocate buffers and use UI_add_input_string() for each
> required entry.
Here's my work-in-progress for this issue. I'd actually consider it 
complete (apart from not removing the now-unused securid stuff) if I had 
not discovered a different bit of strangeness in cmu's gateway.

The gateway has 3 vhosts and four vpn groups.
One vhost has a vanilla form with one username field, one password field,
and no choices.
<form method="post" action="/+webvpn+/index.html">

<input type="text" name="username" label="Username:" />
<input type="password" name="password" label="Password:" />


<input type="hidden" name="tgroup" value="SCS-VPN" />

<input type="submit" name="Login" value="Login" />
<input type="reset" name="Clear" value="Clear" />
</form>

One vhost (the one I'm going to be using most often) has one username field,
two password fields, and no choices. The cisco client prompts for 
"Username", "Password", and "Second Password".

<form method="post" action="/+webvpn+/index.html">

<input type="text" name="username" label="Username:" />
<input type="password" name="password" label="Password:" />

<input type="password" name="secondary_password" label="Password:" 
second-auth="1" />
<input type="hidden" name="tgroup" value="SII-PRIV" />

<input type="submit" name="Login" value="Login" />
<input type="reset" name="Clear" value="Clear" />
</form>

The last vhost, which is intended for the widest audience and serves two 
vpn groups, has two username fields, two password fields, and a choice. 
The cisco client prompts for Group, Username, and Password.

<form method="post" action="/+webvpn+/index.html">

<input type="text" name="username" label="Username:" />
<input type="password" name="password" label="Password:" />
<input type="text" name="secondary_username" label="Username:" 
second-auth="1" />
<input type="password" name="secondary_password" label="Password:" 
second-auth="1" />
<select name="group_list" label="GROUP:">
<option value="GENERAL-USE-VPN" noaaa="0" >General Use Campus 
VPN</option><option value="LIBRARY-VPN" noaaa="0" >Library Resources 
VPN</option></select>

  <input type="submit" name="Login" value="Login" />
<input type="reset" name="Clear" value="Clear" />
</form>

It appears in this case that the secondary* fields are not used at all. 
(If a valid username and password are sent in the 'username' and 
'password' fields, the connection succeeds, no matter which group is 
chosen and no matter what is sent in the 'secondary_username' and 
'secondary_password' fields. If an invalid combination is sent in 
'username' and 'password', the connection fails, also no matter what is 
in the other fields.)

I'm not sure what we should be keying off of to decide what should be done.

I have not yet tested this vhost with network manager to see what it does.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: openconnect-text-multiprompt.diff
Type: text/x-diff
Size: 5973 bytes
Desc: 
URL: <http://lists.infradead.org/pipermail/openconnect-devel/attachments/20100927/106440d3/attachment.bin>
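The form-walking logic the thread is discussing, as an added illustration (not openconnect's code nor the attached diff): it parses a Cisco-style auth form into an ordered list of entries, records which ones carry `second-auth="1"`, and lets the caller decide whether those secondary fields are prompted for. The sample form is constructed from the third vhost's form quoted above with the hidden `tgroup` input from the second vhost added, so hidden pass-through is exercised too.

```python
from html.parser import HTMLParser

# Constructed sample: the third vhost's form plus the hidden tgroup input from the second vhost.
SAMPLE_FORM = """<form method="post" action="/+webvpn+/index.html">
<input type="text" name="username" label="Username:" />
<input type="password" name="password" label="Password:" />
<input type="text" name="secondary_username" label="Username:" second-auth="1" />
<input type="password" name="secondary_password" label="Password:" second-auth="1" />
<input type="hidden" name="tgroup" value="SII-PRIV" />
<select name="group_list" label="GROUP:">
<option value="GENERAL-USE-VPN" noaaa="0">General Use Campus VPN</option>
<option value="LIBRARY-VPN" noaaa="0">Library Resources VPN</option>
</select>
<input type="submit" name="Login" value="Login" />
</form>"""

class AuthFormParser(HTMLParser):
    """Collect the form's entries in document order (buttons excluded)."""
    def __init__(self):
        super().__init__()
        self.fields = []     # one dict per input/select
        self._select = None  # <select> currently being filled

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and a.get("type") not in ("submit", "reset"):
            self.fields.append({
                "name": a.get("name"), "type": a.get("type", "text"),
                "label": a.get("label"), "value": a.get("value"),
                "second_auth": a.get("second-auth") == "1", "options": []})
        elif tag == "select":
            self._select = {"name": a.get("name"), "type": "select",
                            "label": a.get("label"), "value": None,
                            "second_auth": False, "options": []}
            self.fields.append(self._select)
        elif tag == "option" and self._select is not None:
            self._select["options"].append(a.get("value"))

    def handle_endtag(self, tag):
        if tag == "select":
            self._select = None

def parse_auth_form(html):
    p = AuthFormParser()
    p.feed(html)
    return p.fields

def prompts(fields, ask_second_auth):
    """Names to prompt the user for; hidden inputs are sent back unchanged."""
    return [f["name"] for f in fields if f["type"] != "hidden"
            and (ask_second_auth or not f["second_auth"])]
```

Whether `ask_second_auth` should be derived from the form alone is exactly the open question in the message; on the third vhost the gateway ignores those fields, so a client that prompts for them asks the user for credentials it never checks.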