Sanitized output:

$ stoken show
Enter password to decrypt token:
Serial number : 000123456789
Encrypted w/password : yes
Encrypted w/devid : no
Expiration date : 2099/99/01
Key length : 128
Tokencode digits : 6
PIN mode : 0
Seconds per tokencode : 60
App-derived : no
Feature bit 4 : no
Time-derived : yes
Feature bit 6 : no

The Windows RSA app generates a 6-digit code. It doesn't ask for the PIN or a password to protect the token once imported. What the VPN admins call the PIN is used as a prefix to the 6-digit code to form the first password.

It's not clear to me that this so-called PIN has exactly the same purpose as what stoken or openconnect call a PIN. It sounds like openconnect will try to use the code generated by stoken, whereas in this case it is necessary to use PIN + tokencode as you say.

It would also be helpful to be able to supply the first password on the command line with any string for testing, or try to script it like "$PIN$(stoken)".

I can try to remove the openconnect and network-manager-openconnect packages, make clean, build openconnect 6.00, make install, build network manager, make install, something like that. If the terminal output has the details you asked about, I will check.

Not that often recently, but I have some experience with porting Unix packages in C. I would be able to build changes into my local copy for testing, and possibly some light coding.

--Mark

On 7/17/2014 6:43 PM, Kevin Cernekee wrote:
> On Thu, Jul 17, 2014 at 4:26 PM, Mark Kolmar <mark at burningrome.com> wrote:
>> The way the authentication works in AnyConnect is that I am prompted for a
>> username and two passwords. The first password consists of a PIN (let's say
>> 9999) plus a 6-digit token generated by stoken or RSA SecurID software on
>> Windows. Let's say 123456. So the first password is like 9999123456. The 2nd
>> password I think is just the Active Directory / LDAP password for the
>> username. I used the token generated from stoken to connect successfully
>> using AnyConnect in Windows. But I am not sure how to use these two
>> passwords in OpenConnect, or whether this scenario is supported.
>
> When you run "stoken show", what PIN mode does it report?
>
> If you import your token seed into a mobile phone or the Windows RSA
> app, does it prompt you for a PIN or does it immediately produce a
> 6-digit code upon launch?
>
> I suspect that we may need to extend the stoken API to tell
> openconnect that it needs to concatenate PIN + tokencode = passcode.
> This is a common way of using hard tokens, but many soft tokens are
> set up to generate an 8-digit tokencode that already incorporates the
> PIN.
>
>> I gave up on NetworkManager-OpenConnect 0.9.10 because the GUI under Network Connections -> VPN was unavailable.
>
> Hmm, that's not so good either. When you linked nm-openconnect
> 0.9.10, was the latest libopenconnect.so.3 from the 6.00 release
> already installed on your system? Or is there a possibility that it
> got built against the old libopenconnect.so.2?
>