HOTP not autofilled in login form

Daniel Lenski dlenski at gmail.com
Tue Jun 23 13:58:08 EDT 2020


On Tue, Jun 23, 2020 at 7:43 AM Ash Holland <ash at sorrel.sh> wrote:
> It looks like the patch referred to in
> https://lists.infradead.org/pipermail/openconnect-devel/2018-April/004824.html
> would go some way towards fixing this, by at least allowing
> openconnect to consider forms called frmLogin when generating a 2FA
> code. Is there any progress on getting that or a similar patch merged?

The issue that I had with that patch is that "frmLogin" is the name of
the *default* Juniper login form:
https://lists.infradead.org/pipermail/openconnect-devel/2018-April/004825.html

Most Juniper VPNs that use 2FA, as far as I know, use "frmLogin" for
the regular password, and then frmNextToken/frmTotpToken/frmDefender
as a separate form for the 2FA password/code. If we had applied that
patch as-is, it would've caused us to fill the 2FA code in the
password field of frmLogin, which is (usually) wrong.

Your example is different from the one that motivated the prior patch,
I believe. I haven't seen one like it before. The 2FA field is jammed
into the main form, but with a name that isn't the standard
"password."

Your case could be handled with logic that says… "If the form is named
frmLogin, and there is a SECOND password field (or perhaps one with
name != 'password'), then try filling the token code in THAT field."

Want to take a crack at writing a patch for it?

-Dan
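
The field-selection rule proposed in the message above, as an added sketch that is not part of the original mail and is not openconnect's code. The `struct field` model, the function names and the `token_code` field name are hypothetical, and the sample forms are constructed; requiring two password-type fields before touching frmLogin is one reading of the suggestion.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical simplified form model, not openconnect's own structures. */
struct field { const char *name; int is_password; };

/* Constructed sample forms; "token_code" is a made-up field name. */
static const struct field classic_login[] = { {"username", 0}, {"password", 1} };
static const struct field combined_login[] = { {"username", 0}, {"password", 1}, {"token_code", 1} };
static const struct field totp_form[] = { {"password", 1} };

/* Dedicated 2FA form names listed in the mail. */
static int is_token_form(const char *form)
{
    return !strcmp(form, "frmNextToken") || !strcmp(form, "frmTotpToken") ||
           !strcmp(form, "frmDefender");
}

/* Index of the field that should receive the token code, or -1 for none. */
int pick_token_field(const char *form, const struct field *f, size_t n)
{
    int first = -1, second = -1, odd_name = -1;
    size_t i;

    for (i = 0; i < n; i++) {
        if (!f[i].is_password)
            continue;
        if (first < 0)
            first = (int)i;
        else if (second < 0)
            second = (int)i;
        if (odd_name < 0 && strcmp(f[i].name, "password"))
            odd_name = (int)i;
    }
    if (is_token_form(form))
        return first;   /* separate 2FA form: fill its password field */
    if (strcmp(form, "frmLogin") || second < 0)
        return -1;      /* plain login form: never put the code in "password" */
    return odd_name >= 0 ? odd_name : second; /* 2FA field inside frmLogin */
}

int main(void)
{
    printf("classic frmLogin:  %d\n", pick_token_field("frmLogin", classic_login, 2));
    printf("combined frmLogin: %d\n", pick_token_field("frmLogin", combined_login, 3));
    printf("frmTotpToken:      %d\n", pick_token_field("frmTotpToken", totp_form, 1));
    return 0;
}
```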


