theinvisible / openfortigui

VPN-GUI to connect to Fortigate-Hardware, based on openfortivpn
https://hadler.me/linux/openfortigui/
GNU General Public License v3.0

Handle password change request #132

Open tetebueno opened 3 years ago

tetebueno commented 3 years ago

Hi, I really don't know what kind of information to provide since I can't really control the company's user administration. The point is that all passwords were reset, so I needed to provide a new password upon next connection to the VPN; using OpenFortiGUI I tried connecting and nothing happened. When I tried on a computer with Win, it just popped up a request for changing the password.

So, steps to reproduce:

Expected behaviour:

Actual behaviour:

I'd be glad to provide logs if I knew where to get them.

Please let me know if there's anything else I can provide to help.

Cheers.

danotrampus commented 3 years ago

Same here.

angela-d commented 3 years ago

Are your machines using openfortigui domain-joined?

It sounds like they've initiated a password expiry through something like Active Directory, so unless your Linux machine is joined to the domain using something like Centrify or similar software, it might have the faculties to know a password expiry has taken place.

Your password prompt on Windows is coming from the OS, not FortiClient, correct? If so, this is not so much VPN-related, but domain machine related. If that is the case, you will have to hop on a domain-joined machine to update your password.

tetebueno commented 3 years ago

Hi, I'm checking with sysadmins if we're domain-joined. I do know that the password expiry was made through AD.

In any case, what I intended to do was the same I did with FortiClientVPN for Windows; even though I wasn't on the same domain, I got the password renew prompt upon connection.

Maybe I'm missing something for not knowing the details behind Fortinet VPNs' connections, but the idea behind the issue is to be able to replace the Windows client with this project on a Linux box, and this seems to be a difference in behaviours.

theinvisible commented 3 years ago

Hi, thanks for your request.

As @angela-d mentioned, I don't know if this really works. We also have domain-joined Linux boxes (UCS) but we already get the password change request on OS login. We also never tried password change via FortiClient. If this should work via the VPN client, the Fortigate must ask for the new password and then forward it to AD/LDAP.

This project is based on openfortivpn, so maybe you first try whether openfortivpn can handle it. If yes, I can try to intercept the request (like for OTP) and prompt for the new password via the GUI. Maybe you can also provide some logs with debug enabled so we can see if the Fortigate asks for a password.

danotrampus commented 3 years ago

I can confirm that openfortivpn handles the request that prompts for a new password upon credential expiry, and it also changed my password in AD/LDAP.

Using OpenFortiGUI I get the following logs when I press connect: INFO: Start tunnel. INFO: Connected to gateway.

The connection never changes its state.

theinvisible commented 3 years ago

Okay, maybe you can post a screenshot with the prompt from openfortivpn, so I can get a clue. Also make sure you enable Debug Log (in VPN Settings); then it should log more verbosely.

danotrampus commented 3 years ago

OK, I will, but first I have to wait until my credentials expire. Then I will attempt to log in and openfortivpn should prompt me to enter a new password. Please do not close this issue. I think my credentials expire in approximately 10 days.

danotrampus commented 3 years ago

As promised, here is the log you requested. Please note the prompt "Please select a new one:" refers to entering the new password for the domain account:

openfortivpn --version
1.6.0

sudo openfortivpn xxx.xxx.xxx.xxx:yyyy -v -v -u ZZZZZ --no-dns --pppd-no-peerdns --trusted-cert WWWWWWWWWW
WARN:   Bad port in config file: "0".
DEBUG:  Loaded config file "/etc/openfortivpn/config".
VPN account password: 
DEBUG:  Config host = "xxx.xxx.xxx.xxx"
DEBUG:  Config realm = ""
DEBUG:  Config port = "yyyy"
DEBUG:  Config username = "ZZZZZ"
DEBUG:  Config password = "********"
DEBUG:  server_addr: xxx.xxx.xxx.xxx
DEBUG:  server_port: yyyy
DEBUG:  gateway_addr: xxx.xxx.xxx.xxx
DEBUG:  gateway_port: yyyy
DEBUG:  Gateway certificate validation failed.
DEBUG:  Gateway certificate digest found in white list.
INFO:   Connected to gateway.
Please select a new one:
DEBUG:  Error reading from SSL connection (Protocol violation with EOF).
DEBUG:  server_addr: xxx.xxx.xxx.xxx
DEBUG:  server_port: yyyy
DEBUG:  gateway_addr: xxx.xxx.xxx.xxx
DEBUG:  gateway_port: yyyy
DEBUG:  Gateway certificate validation failed.
DEBUG:  Gateway certificate digest found in white list.
Two-factor authentication token: 
DEBUG:  Error reading from SSL connection (Protocol violation with EOF).
DEBUG:  server_addr: xxx.xxx.xxx.xxx
DEBUG:  server_port: yyyy
DEBUG:  gateway_addr: xxx.xxx.xxx.xxx
DEBUG:  gateway_port: yyyy
DEBUG:  Gateway certificate validation failed.
DEBUG:  Gateway certificate digest found in white list.
DEBUG:  Cookie: SVPNCOOKIE=WWWWWWWWWW
INFO:   Authenticated.
DEBUG:  Cookie: SVPNCOOKIE=WWWWWWWWWW
INFO:   Remote gateway has allocated a VPN.
DEBUG:  server_addr: xxx.xxx.xxx.xxx
DEBUG:  server_port: yyyy
DEBUG:  gateway_addr: xxx.xxx.xxx.xxx
DEBUG:  gateway_port: yyyy
DEBUG:  Gateway certificate validation failed.
DEBUG:  Gateway certificate digest found in white list.
DEBUG:  pppd_read_thread
DEBUG:  ssl_read_thread
DEBUG:  if_config thread
DEBUG:  ssl_write_thread
DEBUG:  pppd_write thread
DEBUG:  pppd ---> gateway (16 bytes)

DEBUG:  gateway ---> pppd (12 bytes)

.
.
.

DEBUG:  Got Address: xxx.xxx.xxx.xxx
DEBUG:  pppd ---> gateway (6 bytes)
pppd:   80 21 02 67 00 04

DEBUG:  if_config: not ready yet...
DEBUG:  Got Address: xxx.xxx.xxx.xxx
DEBUG:  Interface Name: ppp0
DEBUG:  Interface Addr: xxx.xxx.xxx.xxx
INFO:   Interface ppp0 is UP.
INFO:   Setting new routes...
DEBUG:  ip route show to 0.0.0.0/0.0.0.0
DEBUG:  Setting route to vpn server...
DEBUG:  ip route add to xxx.xxx.xxx.xxx/255.255.255.255 via xxx.xxx.xxx.xxx dev wlp2s0
DEBUG:  ip route add to xxx.xxx.xxx.xxx/255.255.0.0 via xxx.xxx.xxx.xxx dev ppp0
INFO:   Tunnel is up and running.
DEBUG:  pppd ---> gateway (197 bytes)
.
.
.

INFO:   Setting ppp interface down.
INFO:   Restoring routes...
DEBUG:  ip route del to xxx.xxx.xxx.xxx/255.255.255.255 via 192.168.0.1 dev wlp2s0
DEBUG:  Waiting for pppd to exit...
DEBUG:  waitpid: pppd exit status code 16
INFO:   Terminated pppd.
INFO:   Closed connection to gateway.
DEBUG:  server_addr: xxx.xxx.xxx.xxx
DEBUG:  server_port: yyyy
DEBUG:  gateway_addr: xxx.xxx.xxx.xxx
DEBUG:  gateway_port: yyyy
DEBUG:  Gateway certificate validation failed.
DEBUG:  Gateway certificate digest found in white list.
INFO:   Logged out.

theinvisible commented 3 years ago

Thanks for your log. It seems like the text is sent from your AD server, so I can't trigger some action on static text. As far as I can see this input is handled by the OTP user-input method in openfortivpn. But I can also see that the keyword "Please" is already in the trigger list here, so it should also show the "OTP" prompt dialog.
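
As an added illustration of the prompt-interception approach discussed above (this is example code, not code from openfortigui or openfortivpn): a small Python classifier that reads openfortivpn output line by line, distinguishes the interactive prompts seen in the posted log (password, OTP token, "Please select a new one:") from ordinary log lines, and, going beyond the static trigger list, also flags any other non-log line ending in ":" as an unknown prompt so a GUI wrapper can surface server-supplied text it has never seen. The trigger names, `classify_line`, `scan_log` and the sample log are constructed for this example.

```python
import re
from typing import Optional

# Hypothetical prompt detector for a GUI wrapper around openfortivpn (not
# openfortigui's code). Trigger strings are the prompts seen in this issue's log.
PROMPT_TRIGGERS = {
    "password": "VPN account password",        # initial credential prompt
    "otp": "Two-factor authentication token",   # OTP prompt
    "new_password": "Please select a new one",  # AD/LDAP password-change prompt
}

# Everything openfortivpn logs carries a level prefix; interactive prompts do not.
LOG_LEVEL_RE = re.compile(r"^(DEBUG|INFO|WARN|ERROR):\s")

def classify_line(line: str) -> Optional[str]:
    """Return the prompt kind for one openfortivpn output line, or None."""
    stripped = line.rstrip()
    if not stripped or LOG_LEVEL_RE.match(stripped):
        return None  # log output is never a prompt, even if it mentions "Please"
    lowered = stripped.lower()
    for kind, trigger in PROMPT_TRIGGERS.items():
        if trigger.lower() in lowered:
            return kind
    # Server-supplied text (e.g. the AD message) is not static, so treat any
    # other non-log line ending in ":" as an unknown prompt to show to the user.
    if stripped.endswith(":"):
        return "unknown_prompt"
    return None

def scan_log(text: str) -> list:
    """Return (line_number, kind, text) for every prompt line in a log capture."""
    found = []
    for num, line in enumerate(text.splitlines(), start=1):
        kind = classify_line(line)
        if kind is not None:
            found.append((num, kind, line.rstrip()))
    return found

# Constructed sample, abridged from the log posted in this issue (placeholders kept).
SAMPLE_LOG = """\
WARN:   Bad port in config file: "0".
VPN account password: 
INFO:   Connected to gateway.
DEBUG:  Config password = "********"
Please select a new one:
DEBUG:  Error reading from SSL connection (Protocol violation with EOF).
Two-factor authentication token: 
INFO:   Authenticated.
"""
```

Calling `scan_log(SAMPLE_LOG)` yields the three prompt lines (password, new_password, otp) while the DEBUG line that mentions "password" is ignored.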

bcfreitas commented 2 years ago

Same problem here. I need to use openfortivpn command line to change password.