Re: [PATCH] Fix stoken support for Juniper VPN
David, This is the stoken patch that you asked about on my other thread. Thanks, Andy On Fri, Sep 7, 2018 at 10:49 AM Andy Wang wrote: > > Ensure stoken seed is properly prepared using block copied from Cisco > VPN support in auth.c > > Signed-off-by: Andy Wang > --- > auth-juniper.c | 8 > 1 file changed, 8 insertions(+) > > diff --git a/auth-juniper.c b/auth-juniper.c > index 30ceb3ae..bc560823 100644 > --- a/auth-juniper.c > +++ b/auth-juniper.c > @@ -576,6 +576,14 @@ int oncp_obtain_cookie(struct openconnect_info *vpninfo) > char *form_id = NULL; > int try_tncc = !!vpninfo->csd_wrapper; > > +#ifdef HAVE_LIBSTOKEN > +if (vpninfo->token_mode == OC_TOKEN_MODE_STOKEN) { > +ret = prepare_stoken(vpninfo); > +if (ret) > +goto out; > +} > +#endif > + > resp_buf = buf_alloc(); > if (buf_error(resp_buf)) > return -ENOMEM; > -- > 2.17.1 > ___ openconnect-devel mailing list openconnect-devel@lists.infradead.org http://lists.infradead.org/mailman/listinfo/openconnect-devel
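Review bot: prepare_stoken() now runs at the very top of oncp_obtain_cookie(), before the gateway has been contacted or any form parsed, so in OC_TOKEN_MODE_STOKEN the user is asked to unlock the token even when the server never presents a token form, and vpninfo->token_bypassed is not consulted here the way it is in oncp_can_gen_tokencode(). That mirrors the Cisco path the commit message cites, but the commit message should say so explicitly, because the visible effect is that a missing seed file (the "Can't open ~/.stokenrc" case mentioned later in this thread) now fails the connection before the login form is ever fetched.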
Re: Complicated web login flows with Pulse Secure VPN
On Sun, Nov 4, 2018 at 11:55 AM David Woodhouse wrote:
>
> Remind me of those please. As I prepare for the 8.0 release it would be
> good to pull those in unless they're completely horrible hacks specific
> to your setup.
>

The second patch I mentioned was a pretty bad hack (especially after discussing it with Daniel Lenski). Worked for me but definitely not the right solution. The issue is my work VPN used the same loginForm form ID for both password and stoken input. So there was no easy way to distinguish the two, and I made an ugly hack that worked but results in failed login attempts as it tries the token id as the password field.

I'll re-send the stoken patch request and add you to the thread so you can see that one.

> It's been talked about, repeatedly :)
>
> The first step is to add a 'webview' callback method which the GUI
> authentications can implement, which bypasses the current hackish HTML
> screen-scraping. That much is relatively easy, in fact, but then we'd
> need to do the WebKitGtk stuff inside the NetworkManager auth-dialog
> for GNOME and KDE, etc.
>
> If there's a volunteer for the latter, I could certainly put together
> the former. I'm just not that keen on throwing together the API change
> for the webview callback without properly testing it.

I'd definitely be interested, but I haven't done any C/C++ programming in nearly 2 decades now :) If I get some time on this I might try to dust off the rust and see how I can do with it, but I'm not counting on making any real headway, at least not soon. If I get some serious time I'll let you know.

Thanks for the info,
Andy
Complicated web login flows with Pulse Secure VPN
I was, up until very recently, using openconnect and NetworkManager-openconnect to connect to my work VPN. I had a private hack to make the stoken stuff work (it was submitted in an email on this list) as well as another hack to deal with our token form not having the same expected form type.

A couple of weeks ago we moved to a whole new login flow, where we are now redirected to a SAML login page for authentication and then prompted to choose one of two types of MFA access: token code or mobile-application notification based. With the more complicated flow I've had to switch back to the Pulse Secure client, which embeds a WebKitGTK UI to handle those flows.

Just curious, but is there anyone working on similar flow support with NetworkManager-openconnect? I'm guessing that this type of authentication is way outside the scope of openconnect's built-in HTML client. (Pulse Secure's CLI client can't handle this login flow either.)

Unfortunately I'm so removed from C/C++ programming that I wouldn't even know where to begin on something like this, but I'm just wondering if there's anything on the horizon I can help with, even if it's just being able to test stuff.

Thanks,
Re: [PATCH] Fix stoken support for Juniper VPN
Per the discussion I had on a much older attempt to patch this with Daniel Lenski, I pulled out the not-so-great attempt to fix the form field for the token support and just patched the prepare_stoken chunk that's required for the token to work. Thanks, Andy On Fri, Sep 7, 2018 at 10:49 AM Andy Wang wrote: > > Ensure stoken seed is properly prepared using block copied from Cisco > VPN support in auth.c > > Signed-off-by: Andy Wang > --- > auth-juniper.c | 8 > 1 file changed, 8 insertions(+) > > diff --git a/auth-juniper.c b/auth-juniper.c > index 30ceb3ae..bc560823 100644 > --- a/auth-juniper.c > +++ b/auth-juniper.c > @@ -576,6 +576,14 @@ int oncp_obtain_cookie(struct openconnect_info *vpninfo) > char *form_id = NULL; > int try_tncc = !!vpninfo->csd_wrapper; > > +#ifdef HAVE_LIBSTOKEN > +if (vpninfo->token_mode == OC_TOKEN_MODE_STOKEN) { > +ret = prepare_stoken(vpninfo); > +if (ret) > +goto out; > +} > +#endif > + > resp_buf = buf_alloc(); > if (buf_error(resp_buf)) > return -ENOMEM; > -- > 2.17.1 > ___ openconnect-devel mailing list openconnect-devel@lists.infradead.org http://lists.infradead.org/mailman/listinfo/openconnect-devel
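Review bot: the commit message says the block is "copied from Cisco VPN support in auth.c", and the hunk indeed duplicates the #ifdef HAVE_LIBSTOKEN / token_mode check / prepare_stoken() sequence verbatim; rather than maintaining two copies, consider factoring it into a small shared helper in auth.c (say a hypothetical prepare_token_mode(vpninfo)) that both cstp_obtain_cookie() and oncp_obtain_cookie() call, so a future change to the token unlock path is made once. At minimum the commit message should name the function the block was copied from.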
[PATCH] Fix stoken support for Juniper VPN
Ensure stoken seed is properly prepared using block copied from Cisco VPN support in auth.c Signed-off-by: Andy Wang --- auth-juniper.c | 8 1 file changed, 8 insertions(+) diff --git a/auth-juniper.c b/auth-juniper.c index 30ceb3ae..bc560823 100644 --- a/auth-juniper.c +++ b/auth-juniper.c @@ -576,6 +576,14 @@ int oncp_obtain_cookie(struct openconnect_info *vpninfo) char *form_id = NULL; int try_tncc = !!vpninfo->csd_wrapper; +#ifdef HAVE_LIBSTOKEN +if (vpninfo->token_mode == OC_TOKEN_MODE_STOKEN) { +ret = prepare_stoken(vpninfo); +if (ret) +goto out; +} +#endif + resp_buf = buf_alloc(); if (buf_error(resp_buf)) return -ENOMEM; -- 2.17.1 ___ openconnect-devel mailing list openconnect-devel@lists.infradead.org http://lists.infradead.org/mailman/listinfo/openconnect-devel
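Review bot: the new `goto out` fires before `resp_buf = buf_alloc()` has run, so the `out:` cleanup is reached with resp_buf never assigned; that is only safe if resp_buf is initialised to NULL at its declaration (form_id visibly is; resp_buf's declaration is outside the hunk) and if the cleanup tolerates a NULL buffer. Please confirm that, or simply `return ret;` here since nothing has been allocated yet at this point; the existing `if (buf_error(resp_buf)) return -ENOMEM;` immediately below already takes the direct-return route.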
Re: [PATCH] Fix stoken support for Juniper VPN
Another follow up on this. Is there something I should change to get this considered for inclusion? Thanks, Andy On Wed, Dec 20, 2017 at 9:05 PM, Andy Wang <do...@moonteeth.com> wrote: > Any thoughts on this? Something I should do different? > > Thanks, > Andy > > On Wed, Nov 22, 2017 at 8:33 PM, Andy Wang <do...@moonteeth.com> wrote: >> Allow using stoken code for frmLogin form type. >> Ensure stoken seed is properly prepared using block copied from Cisco >> VPN support in auth.c >> >> Signed-off-by: Andy Wang <do...@moonteeth.com> >> --- >> auth-juniper.c | 11 ++- >> 1 file changed, 10 insertions(+), 1 deletion(-) >> >> diff --git a/auth-juniper.c b/auth-juniper.c >> index 4b889d6..d818cf3 100644 >> --- a/auth-juniper.c >> +++ b/auth-juniper.c >> @@ -77,7 +77,8 @@ static int oncp_can_gen_tokencode(struct openconnect_info >> *vpninfo, >> >> if (strcmp(form->auth_id, "frmDefender") && >> strcmp(form->auth_id, "frmNextToken") && >> - strcmp(form->auth_id, "ftmTotpToken")) >> + strcmp(form->auth_id, "ftmTotpToken") && >> + strcmp(form->auth_id, "frmLogin")) >> return -EINVAL; >> >> return can_gen_tokencode(vpninfo, form, opt); >> @@ -570,6 +571,14 @@ int oncp_obtain_cookie(struct openconnect_info *vpninfo) >> char *form_id = NULL; >> int try_tncc = !!vpninfo->csd_wrapper; >> >> +#ifdef HAVE_LIBSTOKEN >> +if (vpninfo->token_mode == OC_TOKEN_MODE_STOKEN) { >> +ret = prepare_stoken(vpninfo); >> +if (ret) >> +goto out; >> +} >> +#endif >> + >> resp_buf = buf_alloc(); >> if (buf_error(resp_buf)) >> return -ENOMEM; >> -- >> 2.14.3 >> ___ openconnect-devel mailing list openconnect-devel@lists.infradead.org http://lists.infradead.org/mailman/listinfo/openconnect-devel
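Review bot: in the first hunk, the unchanged context line compares against "ftmTotpToken" while the new line adds "frmLogin"; every other ID in this list starts with "frm", and the Google Authenticator commit quoted elsewhere in this thread reports the form as 'frmTotpToken'. If "ftmTotpToken" is a typo in the existing code, TOTP forms are silently rejected with -EINVAL the same way frmLogin was; worth verifying against a --dump-http-traffic capture and fixing in a separate patch rather than leaving it beside the new line.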
Re: [PATCH] Fix stoken support for Juniper VPN
Any thoughts on this? Something I should do different? Thanks, Andy On Wed, Nov 22, 2017 at 8:33 PM, Andy Wang <do...@moonteeth.com> wrote: > Allow using stoken code for frmLogin form type. > Ensure stoken seed is properly prepared using block copied from Cisco > VPN support in auth.c > > Signed-off-by: Andy Wang <do...@moonteeth.com> > --- > auth-juniper.c | 11 ++- > 1 file changed, 10 insertions(+), 1 deletion(-) > > diff --git a/auth-juniper.c b/auth-juniper.c > index 4b889d6..d818cf3 100644 > --- a/auth-juniper.c > +++ b/auth-juniper.c > @@ -77,7 +77,8 @@ static int oncp_can_gen_tokencode(struct openconnect_info > *vpninfo, > > if (strcmp(form->auth_id, "frmDefender") && > strcmp(form->auth_id, "frmNextToken") && > - strcmp(form->auth_id, "ftmTotpToken")) > + strcmp(form->auth_id, "ftmTotpToken") && > + strcmp(form->auth_id, "frmLogin")) > return -EINVAL; > > return can_gen_tokencode(vpninfo, form, opt); > @@ -570,6 +571,14 @@ int oncp_obtain_cookie(struct openconnect_info *vpninfo) > char *form_id = NULL; > int try_tncc = !!vpninfo->csd_wrapper; > > +#ifdef HAVE_LIBSTOKEN > +if (vpninfo->token_mode == OC_TOKEN_MODE_STOKEN) { > +ret = prepare_stoken(vpninfo); > +if (ret) > +goto out; > +} > +#endif > + > resp_buf = buf_alloc(); > if (buf_error(resp_buf)) > return -ENOMEM; > -- > 2.14.3 > ___ openconnect-devel mailing list openconnect-devel@lists.infradead.org http://lists.infradead.org/mailman/listinfo/openconnect-devel
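Review bot: adding "frmLogin" to this list makes the tokencode path eligible on the primary login form, but the form ID alone cannot tell the user's password field apart from the token field when, as described earlier in this thread, both are type="password" inputs on the same frmLogin form; the generated code can then be submitted in place of the real password and the login fails. Gating should key on the specific field (its name or label, e.g. a secondary password input) rather than on the form ID, or this hunk should be dropped and only the prepare_stoken() hunk kept.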
Re: openconnect stoken support not working properly with our form
On Mon, Nov 13, 2017 at 11:57 PM, Kevin Cernekeewrote: > > You can delete "Step 1" since oncp_obtain_cookie() isn't annotated the > same way as cstp_obtain_cookie(). > > > This can probably reuse |ret| (otherwise |ret| will be left > uninitialized). Be sure to test the case where the user hits Cancel > on the PIN form, and the case where libstoken returns an error (like > from a missing stokenrc file). > >> +} >> +#endif >> + >> resp_buf = buf_alloc(); >> if (buf_error(resp_buf)) >> return -ENOMEM; Thanks, I can't figure out how line wrap a diff from git for it to be happy with gmail so trying the new patch as an attachment. If the stokenrc file doesn't exist it exits gracefully with Can't open ~/.stokenrc file I'm not sure what you mean by hits cancel on the pin form. There is no UI for that in the command line openconnect right? If you're referring to the networkmanager ui, that was actually my next step. The patched openconnect doesn't work there and I can't figure out why. I have literally no clue what I'm doing looking at the network-manager-openconnect repo. It looks like it mostly uses libopenconnect to interface, but it also appears to exec an openconnect binary without the --token-* arguments. That's where I'm hoping to learn more when I have a bit of time. Andy --- auth-juniper.c | 11 ++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/auth-juniper.c b/auth-juniper.c index 4b889d6..d818cf3 100644 --- a/auth-juniper.c +++ b/auth-juniper.c @@ -77,7 +77,8 @@ static int oncp_can_gen_tokencode(struct openconnect_info *vpninfo, if (strcmp(form->auth_id, "frmDefender") && strcmp(form->auth_id, "frmNextToken") && - strcmp(form->auth_id, "ftmTotpToken")) + strcmp(form->auth_id, "ftmTotpToken") && + strcmp(form->auth_id, "frmLogin")) return -EINVAL; return can_gen_tokencode(vpninfo, form, opt); 
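Review bot: this patch bundles two independent changes, the frmLogin addition in oncp_can_gen_tokencode() (this hunk) and the prepare_stoken() call in oncp_obtain_cookie() (the next hunk), under one "Fix stoken support" commit; the second is a straightforward port of the auth.c behaviour, while the first changes which forms get a generated code and is still under discussion. Please split them into two patches so the uncontroversial one can be merged on its own.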
@@ -570,6 +571,14 @@ int oncp_obtain_cookie(struct openconnect_info *vpninfo) char *form_id = NULL; int try_tncc = !!vpninfo->csd_wrapper; +#ifdef HAVE_LIBSTOKEN +if (vpninfo->token_mode == OC_TOKEN_MODE_STOKEN) { +ret = prepare_stoken(vpninfo); +if (ret) +goto out; +} +#endif + resp_buf = buf_alloc(); if (buf_error(resp_buf)) return -ENOMEM; ___ openconnect-devel mailing list openconnect-devel@lists.infradead.org http://lists.infradead.org/mailman/listinfo/openconnect-devel
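Review bot: the inserted block carries no comment; the auth.c original it was copied from had a "Step 1" annotation, and although dropping the step numbering (as suggested above) is right for this function, a one-line comment such as /* Unlock the software token; may prompt for a PIN */ above the #ifdef would tell a reader why oncp_obtain_cookie() can now fail via goto out before any HTTP request has been made.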
Re: openconnect stoken support not working properly with our form
On Sun, Nov 12, 2017 at 11:16 AM, Kevin Cernekee wrote:
> I worked on the original stoken integration, but have only ever used
> it with Cisco VPNs. It looks like the Juniper logic was updated in
> this commit:
>
> commit 1ff34cb9689fbaf57decac537df1e32e799bb9c7
> Author: Janne Juntunen
> Date: Tue Nov 29 22:37:22 2016 +
>
> Add support for Google Authenticator 2fa on Juniper VPN
>
> We recently changed our Juniper VPN from SMS 2fa to use Google
> Authenticator instead. Before it worked perfectly with "openconnect
> --juniper" switch, but after the change all we got was:
>
> Unknown form ID 'frmTotpToken'
> and a dump of the form.
>
> I spent some time debugging the issue, and managed to write a very
> simple fix for it.
>
> Signed-off-by: Janne Juntunen
> Signed-off-by: David Woodhouse
>
> Maybe the Google Authenticator form (OC_TOKEN_MODE_TOTP) needs to be
> handled differently from the RSA SecurID form (OC_TOKEN_MODE_STOKEN).

I had done some more digging, and adding:

+ strcmp(form->auth_id, "ftmTotpToken") &&
+ strcmp(form->auth_id, "frmLogin"))

gets me part of the way there. The problem is both the 2FA and actual password forms use the same frmLogin form type and type="password" form field. I initially thought that was the only problem, so I hacked http.c to set a vpninfo->token_successful (and then skipped generating a token if that was already successful). That still didn't solve my problem, and I used --dump-http-traffic and saw that the stoken code being sent is completely different from what the stoken command actually generates. I had no idea why that would have been the case. That's where I was last at when I put this aside to get real work done :)

Andy
openconnect stoken support not working properly with our form
I've been trying to figure out why openconnect's --token-mode support isn't working with my work's VPN, and I finally dug through the source and HTML forms enough to understand, I think. (My C is extremely rusty, as it's been well over 10 years since I've actively coded in it.)

It looks like from the function:

static int oncp_can_gen_tokencode(struct openconnect_info *vpninfo,
                                  struct oc_auth_form *form,
                                  struct oc_form_opt *opt)
{
        if (vpninfo->token_mode == OC_TOKEN_MODE_NONE ||
            vpninfo->token_bypassed)
                return -EINVAL;

        if (strcmp(form->auth_id, "frmDefender") &&
            strcmp(form->auth_id, "frmNextToken") &&
            strcmp(form->auth_id, "ftmTotpToken"))
                return -EINVAL;

        return can_gen_tokencode(vpninfo, form, opt);
}

that a token is only used if the form name is frmDefender, frmNextToken or frmTotpToken. Our first login form that expects username/RSA token is frmLogin.

Is my work's form unusual and incorrect, or is this just a limitation with how openconnect tries to determine the difference between the password field and the token form? Any thoughts on ways to make this work? I'm using an expect script to log in to our VPN, which works well, but I thought it'd be nice to use the built-in token capabilities (and if it does work I could even use NetworkManager's GUI).

If frmLogin is wrong, any suggestions on where to find this in Juniper documentation? I tried to Google the publicly available docs but couldn't find any specifics. Even if their form is wrong, I can pretty much guarantee that they have no interest in changing it, since it's only us "weird" Linux users that might be having this problem :)

In case it makes a difference, I'm using the Fedora 26 package: openconnect-7.08-2.fc26.x86_64

Thanks,
Andy
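The form-ID comparison quoted above is the whole of openconnect's decision, which is exactly why a gateway that reuses frmLogin for both the password and the token defeats it. As an added example (my own code, not openconnect's or Andy's), the program below models that decision as a stand-alone C program and extends it with the field-level check this thread circles around: on the shared frmLogin form only a secondary password field (assumed to be named "password#2"; real gateways differ) receives a generated code, and the user's primary password is never overwritten. The struct names, the field names and the sample forms are constructed stand-ins for openconnect's struct oc_auth_form / struct oc_form_opt.

```c
/* Added example, not openconnect code: a stand-alone model of the
 * oncp_can_gen_tokencode() decision quoted above, extended so that on the
 * shared "frmLogin" form only a secondary password field (assumed to be
 * named "password#2"; real gateways differ) is treated as the token field.
 * All struct names and sample forms are hypothetical stand-ins. */
#include <errno.h>
#include <stdio.h>
#include <string.h>

enum token_mode { TOKEN_MODE_NONE = 0, TOKEN_MODE_STOKEN, TOKEN_MODE_TOTP };

struct form_opt {                /* stand-in for struct oc_form_opt */
    const char *name;            /* <input name=...> */
    int is_password;             /* type="password" */
};

struct auth_form {               /* stand-in for struct oc_auth_form */
    const char *auth_id;         /* <form id=...>, e.g. "frmLogin" */
    const struct form_opt *opts;
    int nopts;
};

struct vpn_ctx {                 /* token-related bits of openconnect_info */
    enum token_mode token_mode;
    int token_bypassed;          /* user chose to type the code by hand */
};

/* Form IDs that are dedicated token prompts (the list in the function above) */
static const char *const token_form_ids[] = {
    "frmDefender", "frmNextToken", "ftmTotpToken",
};

static int is_dedicated_token_form(const char *auth_id)
{
    size_t i;

    for (i = 0; i < sizeof(token_form_ids) / sizeof(token_form_ids[0]); i++)
        if (!strcmp(auth_id, token_form_ids[i]))
            return 1;
    return 0;
}

/* 0 if a generated tokencode may be filled into opt, -EINVAL otherwise.
 * On frmLogin the form must also carry a plain "password" field and opt
 * must be the secondary field; a frmLogin with one password field is the
 * user's real password and is never overwritten with a generated code. */
static int can_gen_tokencode(const struct vpn_ctx *vpninfo,
                             const struct auth_form *form,
                             const struct form_opt *opt)
{
    int i, has_primary = 0;

    if (vpninfo->token_mode == TOKEN_MODE_NONE || vpninfo->token_bypassed)
        return -EINVAL;
    if (!opt->is_password)
        return -EINVAL;
    if (is_dedicated_token_form(form->auth_id))
        return 0;
    if (strcmp(form->auth_id, "frmLogin"))
        return -EINVAL;

    for (i = 0; i < form->nopts; i++)
        if (form->opts[i].is_password && !strcmp(form->opts[i].name, "password"))
            has_primary = 1;

    return (has_primary && !strcmp(opt->name, "password#2")) ? 0 : -EINVAL;
}

/* Number of fields on a form that would receive a generated tokencode */
static int tokencode_fields(const struct vpn_ctx *vpninfo, const struct auth_form *form)
{
    int i, n = 0;

    for (i = 0; i < form->nopts; i++)
        if (can_gen_tokencode(vpninfo, form, &form->opts[i]) == 0)
            n++;
    return n;
}

/* Constructed sample forms mirroring the cases discussed in the thread */
static const struct form_opt login_single[] = { { "username", 0 }, { "password", 1 } };
static const struct form_opt login_dual[] = { { "username", 0 }, { "password", 1 },
                                              { "password#2", 1 } };
static const struct form_opt defender[] = { { "password", 1 } };

static const struct auth_form form_login_single = { "frmLogin", login_single, 2 };
static const struct auth_form form_login_dual = { "frmLogin", login_dual, 3 };
static const struct auth_form form_defender = { "frmDefender", defender, 1 };

static const struct vpn_ctx stoken_ctx = { TOKEN_MODE_STOKEN, 0 };
static const struct vpn_ctx bypassed_ctx = { TOKEN_MODE_STOKEN, 1 };

int main(void)
{
    printf("frmLogin, password only: %d token field(s)\n",
           tokencode_fields(&stoken_ctx, &form_login_single));
    printf("frmLogin, password + password#2: %d token field(s)\n",
           tokencode_fields(&stoken_ctx, &form_login_dual));
    printf("frmDefender: %d token field(s)\n",
           tokencode_fields(&stoken_ctx, &form_defender));
    printf("frmDefender with token bypassed: %d token field(s)\n",
           tokencode_fields(&bypassed_ctx, &form_defender));
    return 0;
}
```

The point of keying on the field rather than the form ID is visible in the second sample form: the primary "password" input is refused even though the form is eligible, so a generated code can only ever land in the secondary field, and the "tries the token as the password" failure described in this thread cannot occur. Once the user opts to type the code by hand (token_bypassed), nothing is generated at all, matching the existing check at the top of oncp_can_gen_tokencode().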