reverse password and secondary_password?
Dave Walker
email at daviey.com
Tue Jan 30 04:24:14 PST 2018
On 29 January 2018 at 15:19, David Woodhouse <dwmw2 at infradead.org> wrote:
>
>
> On Mon, 2018-01-29 at 15:07 +0000, Dave Walker wrote:
>>
>> The password and secondary_password are reversed.
>>
>> On this page it states the ordering:
>> http://www.infradead.org/openconnect/token.html
>>
>> "SecurID token codes will automatically fill in the primary password
>> field in the authentication form presented by the server" .. "This
>> behaviour is empirically determined by the requirements of the servers
>> that we have tested with; if you find a configuration in which it is
>> not appropriate, please let us know."
>>
>> This mail is letting you know... is there a workaround?
>
> I think we should patch the code to use a 'secondary_password' field
> *if* it exists, and 'password' otherwise. That will require a slightly
> non-trivial modification to the cstp_can_gen_tokencode() function in
> auth.c, because now it's no longer *purely* a function of the one
> option it's being asked to consider. But not *so* hard... patches
> welcome :)

Hi David,

Thanks for your feedback.

I've not had the time to do a proper fix, but I can confirm that
locally running this patch makes it work in /my/ environment.

I hope to get a supportable patch together that I can submit, but I am
not confident I can do so in the near term.

--- a/auth.c
+++ b/auth.c
@@ -886,7 +886,7 @@ static int cstp_can_gen_tokencode(struct
openconnect_info *vpninfo,
#ifdef HAVE_LIBSTOKEN
if (vpninfo->token_mode == OC_TOKEN_MODE_STOKEN) {
- if (strcmp(opt->name, "password") &&
+ if (strcmp(opt->name, "secondary_password") &&
strcmp(opt->name, "answer"))
return -EINVAL;
return can_gen_stoken_code(vpninfo, form, opt);
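
Review bot: The changed strcmp() line makes the stoken branch reject a field named "password" unconditionally, so any server that expects the token code in the primary password field (the behaviour the quoted token.html text describes) would no longer get a generated code. Rather than swapping the literal, decide per form: if the form passed in as `form` contains an option named "secondary_password", accept only that one, otherwise keep accepting "password", which is what the reply quoted above proposes. The "answer" comparison should stay as it is. Only the OC_TOKEN_MODE_STOKEN branch is visible in this hunk; if other token modes in cstp_can_gen_tokencode() carry the same name check, they need the same treatment to stay consistent.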
--
Kind Regards,
Dave Walker
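
The field selection proposed in the quoted reply (use 'secondary_password' if the form has one, 'password' otherwise), as an added example that is not openconnect code and not part of the original message. The structs `form_opt` and `auth_form` and the functions `form_has_field`, `token_field_ok` and `check_sample` are hypothetical stand-ins; the sample forms are constructed.

```c
#include <errno.h>
#include <string.h>

/* Simplified stand-ins for the client's form structures (assumed layout,
 * only the members this example needs). */
struct form_opt {
	struct form_opt *next;
	const char *name;
};
struct auth_form { struct form_opt *opts; };

/* Return 1 if the form carries a field with the given name. */
static int form_has_field(const struct auth_form *form, const char *name)
{
	const struct form_opt *o;

	for (o = form->opts; o; o = o->next)
		if (o->name && !strcmp(o->name, name))
			return 1;
	return 0;
}

/* Return 0 if 'opt' is the field a token code should fill, else -EINVAL.
 * "secondary_password" wins when the form has one, otherwise "password";
 * "answer" is accepted either way, as in the check the patch touches. */
static int token_field_ok(const struct auth_form *form,
			  const struct form_opt *opt)
{
	const char *want = form_has_field(form, "secondary_password") ?
			   "secondary_password" : "password";

	if (!opt->name || (strcmp(opt->name, want) && strcmp(opt->name, "answer")))
		return -EINVAL;
	return 0;
}

/* Constructed sample forms: username + password, optionally followed by
 * secondary_password. Returns token_field_ok() for the named field. */
static int check_sample(int with_secondary, const char *field)
{
	struct form_opt sec = { NULL, "secondary_password" };
	struct form_opt pw = { with_secondary ? &sec : NULL, "password" };
	struct form_opt user = { &pw, "username" };
	struct auth_form form = { &user };
	struct form_opt probe = { NULL, field };

	return token_field_ok(&form, &probe);
}

int main(void) { return check_sample(1, "secondary_password"); }
```

The decision depends on the whole form rather than on the single option being examined, which is why the reply calls the change slightly non-trivial.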