ancwrd1 / snx-rs

Open source Linux client for Checkpoint VPN tunnels
GNU Affero General Public License v3.0

Possibility to omit saving credentials to keyring for OTP auth #9

Closed nut-3 closed 4 months ago

nut-3 commented 4 months ago

Hi, my company uses OTP for VPN authentication and I have a problem reconnecting, because snx-rs forcibly stores the password in the keyring in command mode. First problem: the password is stored even if authentication failed, so following login attempts do not provide a password prompt. Second problem: even if authentication was successful, on following connections snx-rs uses the old OTP stored in the keyring and it fails.

I see several approaches to solving problems above:

[
      {
        "display_name": "RSA",
        "factors": [
          {
            "certificate_storage_type": "",
            "custom_display_labels": {
              "header": "\"Please provide User name, PIN Code and Tokencode from your RSA application\"",
              "password": "\"Pin Code\"",
              "username": "\"User name\""
            },
            "factor_type": "securid",
            "securid_card_type": "keyfob"
          }
        ],
        "id": "vpn_RSA",
        "secondary_realm_hash": "...",
        "show_realm": 1
      },
      {
        "display_name": "Indeed",
        "factors": [
          {
            "certificate_storage_type": "",
            "custom_display_labels": {
              "header": "\"Additional authentication required, please provide password to authenticate\"",
              "password": "\"OTP from your indeed app\"",
              "username": "\"User name\""
            },
            "factor_type": "password",
            "securid_card_type": ""
          },
          {
            "certificate_storage_type": "",
            "custom_display_labels": {
              "header": "\"You must enter your AD account password\"",
              "password": "\"Domain Password\"",
              "username": "\"Domain Password\""
            },
            "factor_type": "password",
            "securid_card_type": ""
          }
        ],
        "id": "vpn_Indeed",
        "secondary_realm_hash": "...",
        "show_realm": 1
      },
      {
        "display_name": "Standard",
        "factors": [
          {
            "certificate_storage_type": "",
            "custom_display_labels": "",
            "factor_type": "securid",
            "securid_card_type": "any"
          }
        ],
        "id": "vpn",
        "secondary_realm_hash": "...",
        "show_realm": 1
      }
    ]

Both Indeed and RSA have OTP auth, but Indeed also requires the account password to be provided.
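As an added illustration (not snx-rs code), here is a policy function over realm data of the shape quoted above that captures both problems raised: nothing is persisted after a failed login, and a one-time factor is never persisted. The realm sample, the set of one-time factor types and the label heuristic are assumptions.

```python
"""Decide which credentials for a Check Point realm may be persisted.

Added illustration for this issue, not snx-rs code: models the two problems
(persisting after a failed login, persisting a one-time code) as a policy
function over the realm/factor JSON the gateway returns.
"""
import json

# Constructed sample in the same shape as the realm list quoted in the issue.
REALMS_JSON = """[
  {"id": "vpn_RSA", "display_name": "RSA",
   "factors": [{"factor_type": "securid", "securid_card_type": "keyfob",
                "custom_display_labels": {"password": "Pin Code"}}]},
  {"id": "vpn_Indeed", "display_name": "Indeed",
   "factors": [{"factor_type": "password",
                "custom_display_labels": {"password": "OTP from your indeed app"}},
               {"factor_type": "password",
                "custom_display_labels": {"password": "Domain Password"}}]},
  {"id": "vpn", "display_name": "Standard",
   "factors": [{"factor_type": "securid", "securid_card_type": "any",
                "custom_display_labels": ""}]}
]"""

ONE_TIME_FACTOR_TYPES = {"securid"}  # assumption: token factors are always one-time
ONE_TIME_LABEL_HINTS = ("otp", "tokencode", "one-time")  # assumption: label heuristic


def is_one_time(factor: dict) -> bool:
    """A factor is one-time if its type is a token type or its label says so."""
    if factor.get("factor_type") in ONE_TIME_FACTOR_TYPES:
        return True
    labels = factor.get("custom_display_labels") or {}
    if isinstance(labels, dict):
        text = " ".join(str(v) for v in labels.values()).lower()
        return any(hint in text for hint in ONE_TIME_LABEL_HINTS)
    return False


def keyring_plan(realms: list, realm_id: str, auth_succeeded: bool) -> dict:
    """Map factor index -> whether that factor's secret may go to the keyring."""
    realm = next(r for r in realms if r["id"] == realm_id)
    # Never persist anything from a failed attempt (first problem in the issue).
    if not auth_succeeded:
        return {i: False for i in range(len(realm["factors"]))}
    # Persist only static secrets; an OTP is spent after use (second problem).
    return {i: not is_one_time(f) for i, f in enumerate(realm["factors"])}


def load_realms(text: str = REALMS_JSON) -> list:
    return json.loads(text)
```

For the Indeed realm this stores only the domain password; for the RSA and Standard realms nothing is stored, so the next connection prompts for a fresh code.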

ancwrd1 commented 4 months ago

I think an additional option to disable keyring is the simplest one. Checkpoint has a lot of options and I was mostly relying on the implementation we use in the company which is convenient for me personally :)