unable to use RSA SecureID on Ubuntu 14.04 LTS 64 bit

Mark Kolmar mark at burningrome.com
Fri Jul 18 10:27:56 PDT 2014

Sanitized output:

$ stoken show
Enter password to decrypt token:
Serial number           : 000123456789
Encrypted w/password    : yes
Encrypted w/devid       : no
Expiration date         : 2099/99/01
Key length              : 128
Tokencode digits        : 6
PIN mode                : 0
Seconds per tokencode   : 60
App-derived             : no
Feature bit 4           : no
Time-derived            : yes
Feature bit 6           : no

The Windows RSA app generates a 6-digit code. It doesn't ask for the PIN 
or a password to protect the token once imported. What the VPN admins 
call the PIN is used as a prefix to the 6-digit code to form the first 
password. It's not clear to me that this so-called PIN has exactly the 
same purpose as what stoken or openconnect call a PIN.

It sounds like openconnect will try to use the code generated by stoken, 
whereas in this case it is necessary to use PIN + tokencode as you say. 
It would also be helpful to be able to supply the first password on the 
command line with any string for testing, or try to script it like 

I can try to remove the openconnect and network-manager-openconnect 
packages, make clean, build openconnect 6.00, make install, build 
network manager, make install, something like that. If the terminal 
output has the details you asked about, I will check.

Not that often recently, but I have some experience with porting Unix 
packages in C. I would be able to build changes into my local copy for 
testing, and possibly some light coding.


On 7/17/2014 6:43 PM, Kevin Cernekee wrote:
> On Thu, Jul 17, 2014 at 4:26 PM, Mark Kolmar <mark at burningrome.com> wrote:
>> The way the authentication works in AnyConnect is that I am prompted for a
>> username and two passwords. The first password consists of a PIN (let's say
>> 9999) plus a 6-digit token generated by stoken or RSA SecureID software on
>> Windows. Let's say 123456. So the first password is like 9999123456. The 2nd
>> password I think is just the Active Directory / LDAP password for the
>> username. I used the token generated from stoken to connect successfully
>> using AnyConnect in Windows. But I am not sure how to use these two
>> passwords in OpenConnect, or whether this scenario is supported.
> When you run "stoken show", what PIN mode does it report?
> If you import your token seed into a mobile phone or the Windows RSA
> app, does it prompt you for a PIN or does it immediately produce a
> 6-digit code upon launch?
> I suspect that we may need to extend the stoken API to tell
> openconnect that it needs to concatenate PIN + tokencode = passcode.
> This is a common way of using hard tokens, but many soft tokens are
> set up to generate an 8-digit tokencode that already incorporates the
> PIN.
>> I gave up on NetworkManager-OpenConnect 0.9.10 because the GUI under Network Connections -> VPN was unavailable.
> Hmm, that's not so good either.  When you linked nm-openconnect
> 0.9.10, was the latest libopenconnect.so.3 from the 6.00 release
> already installed on your system?  Or is there a possibility that it
> got built against the old libopenconnect.so.2?

More information about the openconnect-devel mailing list