Hi all, I frequently connect to a VPN that uses TOTP-based 2FA. The TOTP code *must* be entered by appending it to the user-entered password. >From the command line I can jury-rig a way to do this: # (echo -n MYPASSWORD; oathtool --totp TOTP_SECRET) | openconnect -u USERNAME vpn-gateway.client.com --passwd-on-stdin Per the cstp_can_gen_tokencode() function (http://git.infradead.org/users/dwmw2/openconnect.git/blob/HEAD:/auth.c#l87 3), OpenConnect generates OATH TOTP/HOTP codes *only* in response to a form field named secondary_password, and generates SecurID codes *only* in response to a form field named "password" or "answer". I think it'd be useful to offer an option to customize the form field that receives OATH or SecurID code, perhaps including the option to append the token to another field. I'm imagining something like this, where --token-field=+password means: append the token to the "password" field. # openconnect -u USERNAME vpn-gateway.client.com --token-mode=totp --token- secret=TOTP_SECRET \ --token-field=+password If this would be a desirable feature, I'll take a crack at writing a patch for it. Thanks, Dan Lenski
