stoken-dev / stoken

RSA SecurID-compatible software token for Linux/UNIX systems
http://stoken.sf.net
GNU Lesser General Public License v2.1

[RFE] Provide next code token #6

Closed scaronni closed 10 years ago

scaronni commented 10 years ago

Our company RSA-enabled Anyconnect client often asks for the next code token every once in a while as a "security measure". This currently involves waiting for the timeout to expire and for the next code to appear.

Would it be possible to have the next token code printed alongside the main one? This feature is available in RSA's official Windows Software Token code.

Thanks & regards, --Simone

cernekee commented 10 years ago

Would it be possible to have the next token code printed alongside the main one?

Are you referring to the stoken-gui client or the CLI?

In the "stoken-gui --small" layout there is not much room, but in the full sized layout we could probably squeeze it in somewhere. This is how I handled it on Android:

https://github.com/cernekee/EasyToken/blob/master/screenshots/screenshot-3.png

The "copy" button only copies the main tokencode, but at least the next tokencode is always visible for the somewhat rare occasions when it is needed. RSA does things a little differently in that you click a button to switch between current tokencode mode and next tokencode mode.

Our company RSA-enabled Anyconnect client often asks for the next code token

FWIW, openconnect autodetects this condition and automatically sends the next tokencode if it sees a prompt containing "next tokencode":

    /* decide whether to generate the initial or the "next" tokencode */
    if (vpninfo->token_tries == 0) {
        vpn_progress(vpninfo, PRG_DEBUG,
                 _("OK to generate INITIAL tokencode\n"));
        vpninfo->token_time = 0;
    } else if (vpninfo->token_tries == 1 && form->message &&
           strcasestr(form->message, "next tokencode")) {
        vpn_progress(vpninfo, PRG_DEBUG,
                 _("OK to generate NEXT tokencode\n"));
        /* advance one token period so the following code is computed */
        vpninfo->token_time += 60;

(The final line does need to get updated since libstoken supports 30-second tokens now.)
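The decision logic quoted above, as an added example that is not openconnect's or stoken's own code: it models the initial/next choice, takes the token period as a parameter (30 or 60 seconds, since libstoken supports both), and shows that a gateway prompt worded differently (such as "next code token") does not match and falls back to asking the user. The function and enum names are assumptions, and the substring search is a portable stand-in for strcasestr.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>
#include <time.h>

/* Assumed names; not part of openconnect or libstoken. */
enum token_action { TOKEN_INITIAL, TOKEN_NEXT, TOKEN_PROMPT_USER };

/* Portable case-insensitive substring search (stands in for strcasestr). */
static int contains_nocase(const char *haystack, const char *needle)
{
    size_t n = strlen(needle);
    for (; *haystack; haystack++) {
        size_t i;
        for (i = 0; i < n && haystack[i] &&
             tolower((unsigned char)haystack[i]) ==
             tolower((unsigned char)needle[i]); i++)
            ;
        if (i == n)
            return 1;
    }
    return 0;
}

/* Decide which tokencode to generate for this authentication attempt.
 * token_tries: how many tokencodes were already sent on this connection
 * message:     the gateway's form message (may be NULL)
 * interval:    token period in seconds, 30 or 60
 * token_time:  in/out offset added to "now" before computing the code
 */
enum token_action decide_tokencode(int token_tries, const char *message,
                                   int interval, time_t *token_time)
{
    if (token_tries == 0) {
        *token_time = 0;           /* INITIAL tokencode: current window */
        return TOKEN_INITIAL;
    }
    if (token_tries == 1 && message &&
        contains_nocase(message, "next tokencode")) {
        *token_time += interval;   /* NEXT tokencode: one window ahead */
        return TOKEN_NEXT;
    }
    /* Unrecognised prompt (e.g. "next code token"): ask the user instead. */
    return TOKEN_PROMPT_USER;
}
```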

scaronni commented 10 years ago

The Android example is fine; if you can add the next code to the "full" GUI in the remaining space, even without the copy button, that is enough. It does not happen very often.

Regarding openconnect, it does not work for me; in fact it's printing "next code token".

cernekee commented 10 years ago

The Android example is fine; if you can add the next code to the "full" GUI in the remaining space, even without the copy button, that is enough. It does not happen very often.

Could you try out the stoken -next branch and let me know what you think?

Regarding openconnect, it does not work for me; in fact it's printing "next code token".

So the prompt you're seeing on the gateway is different from what openconnect expects?

I was a little worried about this as the prompts are configurable (and presumably could be translated too). Not sure if there is a reliable way to detect variations of the "next tokencode" prompt.

scaronni commented 10 years ago

On 20 July 2014 01:00, Kevin Cernekee notifications@github.com wrote:

The Android example is fine; if you can add the next code to the "full" GUI in the remaining space, even without the copy button, that is enough. It does not happen very often.

Could you try out the stoken -next branch and let me know what you think?

Tried it, that is awesome, thanks! Is it still compatible with gtk2? I maintain it also for RHEL 6 which only has gtk2, so if it's gtk3 only I will leave 0.6 in that branch and update RHEL 7 and Fedora 19+ with 0.8. Can I expect it to be merged into master soon?

Regarding openconnect, it does not work for me; in fact it's printing "next code token".

So the prompt you're seeing on the gateway is different from what openconnect expects?

I was a little worried about this as the prompts are configurable (and presumably could be translated too). Not sure if there is a reliable way to detect variations of the "next tokencode" prompt.

Well, I did not even know that openconnect parses the responses and tries to insert the next code automatically until you showed me the block of code. In my opinion it would be better if openconnect would stick to the default AnyConnect behaviour, i.e. ask for the next code interactively.

David Woodhouse has enabled stoken integration in NetworkManager-openconnect in Fedora, I will check with him.

Thanks & regards, --Simone

You cannot discover new oceans unless you have the courage to lose sight of the shore (R. W. Emerson).

http://xkcd.com/229/ http://negativo17.org/

cernekee commented 10 years ago

Is it still compatible with gtk2?

Hmm, I didn't really give this much thought. Do you see a lot of packages that can be built for either gtk2 or gtk3?

FWIW, when I edit the .ui files in Glade and select the compatibility radio button, the range is from 3.0 to 3.10. So it isn't clear what is necessary to make a .ui file that works with earlier versions of the library.

Can I expect it to be merged into master soon?

Yeah, I was going to push it out to a few systems through my PPA and allow a few days to work out any obvious bugs first.

In my opinion it would be better if openconnect would stick to the default AnyConnect behaviour, i.e. ask for the next code interactively.

Are you comparing openconnect to an AnyConnect version that integrates with the RSA token software? I believe this can be configured under Windows, but I haven't tried it.

Worst case, if the string doesn't match, it will fall back to prompting anyway...

scaronni commented 10 years ago

On 21 July 2014 17:19, Kevin Cernekee notifications@github.com wrote:

Is it still compatible with gtk2?

Hmm, I didn't really give this much thought. Do you see a lot of packages that can be built for either gtk2 or gtk3?

FWIW, when I edit the .ui files in Glade and select the compatibility radio button, the range is from 3.0 to 3.10. So it isn't clear what is necessary to make a .ui file that works with earlier versions of the library.

Some are. HandBrake, for example, just dropped GTK 2 support in SVN trunk. Before that, it was buildable with both. No problem though, I will leave 0.6 in RHEL 6 for the time being.

Thanks, --Simone


apottere commented 7 years ago

Sorry to necro this issue, but is there a solution for this in the CLI? stoken tokencode --help doesn't seem to have anything related to displaying the "next" token.

cernekee commented 7 years ago

Try stoken tokencode --next

apottere commented 7 years ago

Awesome, thanks!