unable to use RSA SecurID on Ubuntu 14.04 LTS 64 bit

Kevin Cernekee cernekee at gmail.com
Tue Jul 29 12:05:59 PDT 2014

On Tue, Jul 29, 2014 at 7:35 AM, Mark Kolmar <mark at burningrome.com> wrote:
> I wrote earlier about the need to use a prefix with the token generated from stoken to form a password. When we left off, the idea was to use --token-prefix or similar to allow the PIN/prefix to be specified on the command line, and/or a way to supply the entire first password (prefix+token, or arbitrary string for testing).
> Without this, it will not be possible to authenticate to the company's VPN under Linux. Therefore it would be necessary to purchase a full Windows license, etc., etc.

As a temporary workaround can you run "stoken-gui --small" on your
desktop, and copy/paste the tokencode into the password field when

> This change is probably something I am capable of doing. Would someone be able to offer some hints about where to add code for the command line option and where the first password is formed? Meanwhile, I will see if I can't figure this out. Or is the enhancement already in progress, or maybe even ready to test?

I added a new field in stoken_info to support this use case.  Using
the libstoken API v1.3+, you should be able to do something like:


struct stoken_info *info = stoken_get_info(ctx);
char pin[PASSCODE_PREFIX_LEN + 1] = { 0 };
char tokencode[STOKEN_MAX_TOKENCODE + 1];

if (!info)
        return -EIO;

if (stoken_pin_required(ctx)) {
        prompt("SecurID PIN (required): ", pin, PASSCODE_PREFIX_LEN);
        /* keep prompting until stoken_check_pin() == 0 */
} else if (!info->uses_pin)
        prompt("SecurID PIN (optional): ", pin, PASSCODE_PREFIX_LEN);
/* else: PIN was already fetched from ~/.stokenrc; do not prompt */

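/* public libstoken entry point: takes the ctx, a time and the PIN */
if (stoken_compute_tokencode(ctx, time(NULL), pin, tokencode)) {
        free(info);
        return -EIO;
}

snprintf(passcode, sizeof(passcode), "%s%s",
         info->uses_pin ? "" : pin, tokencode);
free(info);     /* the stoken_get_info() result is owned by the caller */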

I did not find a good way of figuring out whether the token is PINless
(no PIN at all, either prepended or incorporated into the tokencode
computation).  For this case the user will need to enter "" for the
PIN, so the raw tokencode is sent as the passcode.

BTW, if you're going to help update this code, there are a few other
changes needed to support recent libstoken enhancements:

1) The stoken_pin_required() check should be moved after
stoken_decrypt_seed() to support using the new "v3" seeds with
--token-secret.  On "v3" tokens, most of the metadata is encrypted
with the password/devid (if any).  Existing v1/v2 tokens are

2) If --token-secret points to a file, read the file contents into
token_str.  This would allow sdtid (XML) tokens to be used directly;
it may also be helpful in keeping token strings (basically keys) from
showing up in "ps".
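
Item 2 above, sketched as an added example (not code from this message or from openconnect): the --token-secret argument is resolved to a token string, with the file read when the argument names one. The names load_token_secret() and TOKEN_FILE_MAX, the size cap, and the owner-only permission policy are all assumptions made for this illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define TOKEN_FILE_MAX 65536    /* assumed upper bound for a token file */

static char *copy_str(const char *s)
{
        size_t len = strlen(s);
        char *out = malloc(len + 1);

        if (out)
                memcpy(out, s, len + 1);
        return out;
}

/* Hypothetical helper: returns a malloc'd token string, or NULL on error. */
char *load_token_secret(const char *arg)
{
        struct stat st;
        char *buf = NULL;
        size_t len = 0;
        ssize_t n;
        int fd = open(arg, O_RDONLY);

        if (fd < 0)     /* no such file: the argument is the token string itself */
                return (errno == ENOENT || errno == ENAMETOOLONG) ?
                        copy_str(arg) : NULL;
        /* fstat() the open descriptor so the checks apply to what is read */
        if (fstat(fd, &st) || !S_ISREG(st.st_mode) ||
            (st.st_mode & (S_IRWXG | S_IRWXO)) ||  /* assumed policy: owner-only */
            st.st_size > TOKEN_FILE_MAX || !(buf = malloc(TOKEN_FILE_MAX + 1)))
                goto out;
        while ((n = read(fd, buf + len, TOKEN_FILE_MAX - len)) > 0)
                len += (size_t)n;
        if (n < 0) {
                free(buf);
                buf = NULL;
                goto out;
        }
        /* strip trailing whitespace such as an editor's final newline */
        while (len && strchr(" \t\r\n", buf[len - 1]))
                len--;
        buf[len] = '\0';
out:
        close(fd);
        return buf;
}
```

The caller owns the returned buffer; since the token string is key material, clear it before calling free().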

More information about the openconnect-devel mailing list