appending OATH code to password?
Daniel Lenski
dlenski at gmail.com
Fri Dec 18 11:23:45 PST 2015
Hi all,
I frequently connect to a VPN that uses TOTP-based 2FA. The TOTP code
*must* be entered by appending it to the user-entered password.
From the command line I can jury-rig a way to do this:

# (echo -n MYPASSWORD; oathtool --totp TOTP_SECRET) | openconnect -u USERNAME vpn-gateway.client.com --passwd-on-stdin
Per the cstp_can_gen_tokencode() function
(http://git.infradead.org/users/dwmw2/openconnect.git/blob/HEAD:/auth.c#l873),
OpenConnect generates OATH TOTP/HOTP codes *only* in response to a form
field named secondary_password, and generates SecurID codes *only* in
response to a form field named "password" or "answer".
I think it'd be useful to offer an option to customize the form field that
receives OATH or SecurID code, perhaps including the option to append the
token to another field.
I'm imagining something like this, where --token-field=+password means:
append the token to the "password" field.
# openconnect -u USERNAME vpn-gateway.client.com --token-mode=totp --token-secret=TOTP_SECRET \
    --token-field=+password
If this would be a desirable feature, I'll take a crack at writing a patch
for it.
Thanks,
Dan Lenski
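The post above relies on oathtool to produce the TOTP code that gets glued onto the password. As an added example (editor's illustration, not code from the post or from OpenConnect), the block below implements the same RFC 6238 / RFC 4226 computation in Python (HMAC-SHA1, 30-second step, 6 digits, the oathtool --totp defaults), builds the concatenated "password + code" value the gateway expects, and shows how the receiving side can split it again: because the code has a fixed width, the last 6 characters are the OTP and everything before them is the static password. It also accepts a small step window to tolerate clock drift, which is standard TOTP server behaviour but is not something the post discusses. The secret is the RFC 6238 test key "12345678901234567890" in base32; the password and helper names (password_with_totp, verify_appended) are assumptions for illustration. One operational caveat the post's one-liner carries: putting TOTP_SECRET on the oathtool command line exposes it to any local user via ps, so in practice read it from a file or an environment variable instead.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# RFC 6238 test key "12345678901234567890", base32-encoded (constructed sample).
TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_base32(secret: str) -> bytes:
    """Decode a base32 secret as found in authenticator URIs (spaces, lower case,
    and missing '=' padding tolerated)."""
    s = secret.replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s, casefold=True)


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, now: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    if now is None:
        now = int(time.time())
    return hotp(decode_base32(secret_b32), now // step, digits)


def password_with_totp(password: str, secret_b32: str, now: Optional[int] = None) -> str:
    """What the post's '(echo -n MYPASSWORD; oathtool --totp SECRET)' pipeline produces:
    the static password with the current TOTP code appended (hypothetical helper)."""
    return password + totp(secret_b32, now)


def verify_appended(submitted: str, password: str, secret_b32: str,
                    now: Optional[int] = None, step: int = 30,
                    digits: int = 6, window: int = 0) -> bool:
    """Gateway-side check for a 'password + TOTP' field (hypothetical helper).

    The code is fixed-width, so the split is unambiguous: the trailing `digits`
    characters are the OTP, the rest is the static password. `window` is the
    number of 30-second steps of clock drift accepted on either side of now.
    """
    if len(submitted) <= digits:
        return False
    static, code = submitted[:-digits], submitted[-digits:]
    if not hmac.compare_digest(static.encode(), password.encode()):
        return False
    if now is None:
        now = int(time.time())
    key = decode_base32(secret_b32)
    counter = now // step
    return any(
        hmac.compare_digest(hotp(key, counter + d, digits), code)
        for d in range(-window, window + 1)
    )


if __name__ == "__main__":
    # At T=59 the RFC 6238 vector gives 94287082 for 8 digits, i.e. 287082 for 6.
    combined = password_with_totp("MYPASSWORD", TEST_SECRET_B32, now=59)
    print(combined)  # MYPASSWORD287082
    print(verify_appended(combined, "MYPASSWORD", TEST_SECRET_B32, now=59))
```

Feeding the output of password_with_totp to openconnect --passwd-on-stdin is equivalent to the post's shell pipeline; the verification side is only there to make the "append to password" contract concrete from the gateway's point of view.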