adrienverge / openfortivpn

Client for PPP+TLS VPN tunnel services
GNU General Public License v3.0
2.7k stars, 320 forks

One-time password prompt problem #427

Closed. tcrespog closed this issue 5 years ago

tcrespog commented 5 years ago

Hi, I'm using openfortivpn on Linux Mint 19 (Ubuntu 18.04).

I want to connect to a VPN that asks for a code contained in a code card after the user's password is given. Using the FortiClient SSL VPN client to connect the following output is shown:

$ /opt/forticlient-sslvpn/64bit/forticlientsslvpn_cli --server ... --vpnuser ...
Password for VPN:
STATUS::Setting up the tunnel
STATUS::Connecting...
...
Enter code 7:

As you can see, the last line asks for a code corresponding to the 7th position in the code card. When I enter the code the connection is established.

However, when I try to connect using openfortivpn, a "one-time password" is asked for, but the code request output is not shown and I'm not able to see what code I must enter:

openfortivpn ...:443 --username=... --trusted-cert ...
WARN: Bad port in config file: "0".
VPN account password:
WARN: This process was not spawned with root privileges, this will probably not work.
INFO: Connected to gateway.
Please enter one-time password:

What can I do in order to bypass this problem?

mrbaseman commented 5 years ago

When started with '-v -v' all traffic of the authentication is shown in latest versions of openfortivpn. Could you capture the http code around the question for 'code 7', please (be sure to remove sensitive information like passwords etc.)? Then we can include this feature in the future.

tcrespog commented 5 years ago

I've realized that the openfortivpn available for the Linux Mint 19 distro repositories is 1.6.0. I've been trying to install 1.8.1 and 1.7.1 from source, but I get the following output after running ./configure:

checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
checking for a thread-safe mkdir -p... /bin/mkdir -p
checking for gawk... gawk
checking whether make sets $(MAKE)... yes
checking whether make supports nested variables... yes
checking for gcc... gcc
checking whether the C compiler works... no
configure: error: in `/home/user/Programs/openfortivpn-1.8.1':
configure: error: C compiler cannot create executables
See `config.log' for more details

Maybe this is a different issue, but I'm not able to install a recent version due to this. Any ideas?

DimitriPapadopoulos commented 5 years ago

You're lacking some “dev” packages that are required to build executables. I'm not familiar with Mint but since it is similar to Debian and Ubuntu you could try:

sudo apt install build-essential

As noted in the error message, more detailed information is in config.log.

tcrespog commented 5 years ago

After installing build-essential I was able to install openfortivpn 1.8.1:

$ openfortivpn --version
1.8.1

I've been able to connect and this is the debug output just before the one-time password is requested:

INFO:   Connected to gateway.
DEBUG:  http_send: 
POST /remote/logincheck HTTP/1.1
Host: mhisecure.melia.com:443
User-Agent: Mozilla/5.0 SV1
Accept: text/plain
Accept-Encoding: identity
Content-Type: application/x-www-form-urlencoded
Cookie: 
Content-Length: 94
username=...&credential=...&realm=&ajax=1&redir=%2Fremote%2Findex&just_logged_in=1
DEBUG:  http_receive: 
HTTP/1.1 401 Authorization Required
Content-Length: 1310
Keep-Alive: timeout=5, max=1000
Connection: Keep-Alive
Cache-Control: no-cache
Content-Type: text/html
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta http-equiv="Pragma" content="no-cache">
<meta http-equiv="cache-control" content="no-cache">
<meta http-equiv="cache-control" content="must-revalidate">
<meta http-equiv="cache-control" content="no-store">
<title>Authentication Required</title>
<link href="/sslvpn/css/ssl_style.css" rel="stylesheet" type="text/css">
<script type="text/javascript" src="/lang/en.js"></script></head>
<BODY class=main><CENTER>
<TABLE class=container align=center valign=middle width=100% height=100% cellpadding=0 cellspacing=0>
<TR align=center><TD>
<TABLE border=0 width=400 height=200 cellpadding=10 cellspacing=5 align=center>
<FORM ACTION="/remote/logincheck" method="POST">
<TR align=center valign=middle><TD colspan=2><b>Enter code 12:</b></TD></TR>
<INPUT TYPE="hidden" NAME="magic" VALUE="4tinet2095866">
<INPUT TYPE="hidden" NAME="username" VALUE="lxsc006">
<INPUT TYPE="hidden" NAME="reqid" VALUE="1147322648">
<INPUT TYPE="hidden" NAME="grpid" VALUE="5,30989,0">
<TR><TD width=30%><b>Answer:</b></TD>
<TD width=70%>
<INPUT TYPE="password" NAME="credential">
</TD></TR>
<TR align=center><TD colspan=2>
<INPUT class="button" TYPE="submit" VALUE="OK">
</TD></TR>
</FORM>
</TABLE>
</TD></TR></TABLE>
</CENTER></BODY></HTML>
Please enter one-time password:

Thank you.

mrbaseman commented 5 years ago

So there is a sequence Enter Code %d: which we have to capture somehow... perhaps the string is translated also, but perhaps we start with this one and then we'll see which new variants are going to appear in the field ;)

mrbaseman commented 5 years ago

@tcrespog could you try out my 2fa_code branch, please? I hope this picks the correct prompt out of the http code for you.

mrbaseman commented 5 years ago

If it works, we should perhaps add a config file option to specify a search string. So far the assumption is that the prompt starts with 'Please'. I have added a fallback on 'Enter' before the default prompt 'Please enter one-time password:' is chosen.

mrbaseman commented 5 years ago

I have added an option '--otp-prompt' to my branch.

#376 is related. It introduces a configurable delay between the first login attempt and the submission of the one-time password and involves changes in the same code regions. Maybe it makes sense to apply both in one release, but it probably needs to be merged manually.

tcrespog commented 5 years ago

Hi, to be honest with you the "Enter code " is in another language, I translated it for the issue. I'm sorry for not specifying it before.

On the other hand, what does the new functionality do? Does it extract the code and automatically enter it? Or does it just show the code?

Thank you for your dedication.

mrbaseman commented 5 years ago

Hi @tcrespog

openfortivpn cannot automatically enter the code. You have to look up the code to enter in your code card. But you need to know which one. Therefore, the correct OTP prompt has to be shown.

openfortivpn simply looks for a string that starts with 'Please' and assumes that this is the OTP prompt. If it does not find anything that matches, it uses the default prompt 'Please enter one-time password:'.

My first fix was to look for 'Enter' as well. But when this is already translated a more flexible approach makes more sense. I have added a command line parameter --otp-prompt=Enter where you can specify how the prompt starts. Everything up to the first html tag that follows will be printed out as OTP prompt. There is also a corresponding config file option for that.

Could you test it please?
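As an added illustration of the prompt-extraction logic described in the two comments above (this is example code, not openfortivpn's own implementation): search the 401 response body for a configurable prefix such as the --otp-prompt value, print everything up to the next HTML tag, and fall back to the default prompt when nothing matches. The function name, buffer sizes and the sample HTML fragment are assumptions; the fragment is modelled on the response posted above with the hidden form values omitted.

```c
#include <stdio.h>
#include <string.h>

#define DEFAULT_OTP_PROMPT "Please enter one-time password:"

/* Constructed fragment modelled on the 401 "Authentication Required" body
 * shown earlier in this thread (hidden INPUT values left out). */
static const char SAMPLE_HTML[] =
    "<TR align=center valign=middle><TD colspan=2><b>Enter code 12:</b></TD></TR>\n"
    "<TR><TD width=30%><b>Answer:</b></TD>\n"
    "<TD width=70%><INPUT TYPE=\"password\" NAME=\"credential\"></TD></TR>\n";

/* Find the first occurrence of `search` in `html` and copy the text from
 * there up to (not including) the next HTML tag into `out`.
 * Returns 1 when a prompt was found, 0 when the default prompt was used. */
static int extract_otp_prompt(const char *html, const char *search,
                              char *out, size_t outlen)
{
    const char *start = (search && *search) ? strstr(html, search) : NULL;
    if (start == NULL) {
        /* nothing matched: behave like the default 'Please ...' prompt */
        snprintf(out, outlen, "%s", DEFAULT_OTP_PROMPT);
        return 0;
    }
    const char *end = strchr(start, '<');
    size_t len = end ? (size_t)(end - start) : strlen(start);
    if (len >= outlen)
        len = outlen - 1;          /* truncate instead of overflowing `out` */
    memcpy(out, start, len);
    out[len] = '\0';
    /* strip trailing whitespace so the prompt prints cleanly on one line */
    while (len > 0 && strchr(" \t\r\n", out[len - 1]) != NULL)
        out[--len] = '\0';
    return 1;
}

int main(void)
{
    char prompt[128];
    /* with --otp-prompt=Enter the code-card position becomes visible */
    extract_otp_prompt(SAMPLE_HTML, "Enter", prompt, sizeof prompt);
    printf("%s\n", prompt);
    /* with the default search string the server text is not found */
    extract_otp_prompt(SAMPLE_HTML, "Please", prompt, sizeof prompt);
    printf("%s\n", prompt);
    return 0;
}
```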

tcrespog commented 5 years ago

Perfect, I just wanted to clarify that. I'll test it and let you know.

tcrespog commented 5 years ago

I've already tested it. It works like a charm. This is the output without verbose options (also the code request text is translated).

INFO:   Connected to gateway.
Enter code 5
INFO:   Authenticated.
INFO:   Remote gateway has allocated a VPN.
INFO:   Got addresses: [<omitted>], ns [<omitted>, <omitted>]
INFO:   negotiation complete
INFO:   negotiation complete
INFO:   Interface ppp0 is UP.
INFO:   Setting new routes...
INFO:   Adding VPN nameservers...
INFO:   Tunnel is up and running.

mrbaseman commented 5 years ago

Cool, thanks for testing. I have merged the changes into our master branch. They will be in the next release.

mrbaseman commented 5 years ago

The new feature went into the 1.9.0 release