[RFE] Provide next code token

[scaronni]

Our company RSA enabled Anyconnect client often asks as the next code token every once in a while as a "security measure". This currently involves waiting for the timeout to expire and for the next code to appear.

Would it be possible to have the next token code printed along the main one? This feature is available in RSA's official Windows Software Token code.

Thanks & regards, --Simone

[cernekee]

Would it be possible to have the next token code printed along the main one?

Are you referring to the stoken-gui client or the CLI?

In the "stoken-gui --small" layout there is not much room, but in the full sized layout we could probably squeeze it in somewhere. This is how I handled it on Android:

https://github.com/cernekee/EasyToken/blob/master/screenshots/screenshot-3.png

The "copy" button only copies the main tokencode, but at least the next tokencode is always visible for the somewhat rare occasions when it is needed. RSA does things a little differently in that you click a button to switch between current tokencode mode and next tokencode mode.

Our company RSA enabled Anyconnect client often asks as the next code token

FWIW, openconnect autodetects this condition and automatically sends the next tokencode if it sees a prompt containing "next tokencode":

    if (vpninfo->token_tries == 0) {
        vpn_progress(vpninfo, PRG_DEBUG,
                 _("OK to generate INITIAL tokencode\n"));
        vpninfo->token_time = 0;
    } else if (vpninfo->token_tries == 1 && form->message &&
           strcasestr(form->message, "next tokencode")) {
        vpn_progress(vpninfo, PRG_DEBUG,
                 _("OK to generate NEXT tokencode\n"));
        vpninfo->token_time += 60;

(The final line does need to get updated since libstoken supports 30-second tokens now.)

[scaronni]

The android example is fine, if you can add the next code to the "full" gui in the remaining space, even without the copy button, that is enough. It does not happen very often.

Regarding openconnect, it does not work for me; in fact it's printing "next code token".

[cernekee]

The android example is fine, if you can add the next code to the "full" gui in the remaining space, even without the copy button, that is enough. It does not happen very often.

Could you try out the stoken -next branch and let me know what you think?

Regarding openconnect, it does not work for me; in fact it's printing "next code token".

So the prompt you're seeing on the gateway is different from what openconnect expects?

I was a little worried about this as the prompts are configurable (and presumably could be translated too). Not sure if there is a reliable way to detect variations of the "next tokencode" prompt.

[scaronni]

On 20 July 2014 01:00, Kevin Cernekee notifications@github.com wrote:

The android example is fine, if you can add the next code to the "full" gui in the remaining space, even without the copy button, that is enough. It does not happen very often.

Could you try out the stoken -next branch and let me know what you think?

Tried it, that is awesome, thanks! Is it still compatible with gtk2? I maintain it also for RHEL 6 which only has gtk2, so if it's gtk3 only I will leave 0.6 in that branch and update RHEL 7 and Fedora 19+ with 0.8. Can I expect it to be merged into master soon?

Regarding openconnect, it does not work for me; in fact it's printing "next code token".

So the prompt you're seeing on the gateway is different from what openconnect expects?

I was a little worried about this as the prompts are configurable (and presumably could be translated too). Not sure if there is a reliable way to detect variations of the "next tokencode" prompt.

Well, I did not even know that openconnect parses the responses and tries to insert the next code automatically until you showed me the block of code. In my opinion it would be better if openconnect would stick to the default AnyConnect behaviour, i.e. ask for the next code interactively.

David Woodhouse has enabled stoken integration in NetworkManager-openconnect in Fedora, I will check with him.

Thanks & regards, --Simone

You cannot discover new oceans unless you have the courage to lose sight of the shore (R. W. Emerson).

http://xkcd.com/229/ http://negativo17.org/

[cernekee]

Is it still compatible with gtk2?

Hmm, I didn't really give this much thought. Do you see a lot of packages that can be built for either gtk2 or gtk3?

FWIW, when I edit the .ui files in Glade and select the compatibility radio button, the range is from 3.0 to 3.10. So it isn't clear what is necessary to make a .ui file that works with earlier versions of the library.

Can I expect it to be merged into master soon?

Yeah, I was going to push it out to a few systems through my PPA and allow a few days to work out any obvious bugs first.

In my opinion it would be better if openconnect would stick to the default AnyConnect behaviour, i.e. ask for the next code interactively.

Are you comparing openconnect to an AnyConnect version that integrates with the RSA token software? I believe this can be configured under Windows, but I haven't tried it.

Worst case, if the string doesn't match, it will fall back to prompting anyway...

[scaronni]

On 21 July 2014 17:19, Kevin Cernekee notifications@github.com wrote:

Is it still compatible with gtk2?

Hmm, I didn't really give this much thought. Do you see a lot of packages that can be built for either gtk2 or gtk3?

FWIW, when I edit the .ui files in Glade and select the compatibility radio button, the range is from 3.0 to 3.10. So it isn't clear what is necessary to make a .ui file that works with earlier versions of the library.

Some are. HandBrake for example, it just dropped GTK 2 support in SVN trunk. Before that, it was buildable with both. No problem though, I will leave 0.6 in RHEL 6 for the time being.

Thanks, --Simone

You cannot discover new oceans unless you have the courage to lose sight of the shore (R. W. Emerson).

http://xkcd.com/229/ http://negativo17.org/

[apottere]

Sorry to neco this issue, but is there a solution for this in the cli? stoken tokencode --help doesn't seem to have anything related to displaying the "next" token.

[cernekee]

Try stoken tokencode --next

[apottere]

awesome, thanks!