This fixes the openconnect --token-mode in conjunction with ocserv's OATH and password file. Otherwise the openconnect client is not able to distinguish a normal password prompt from the OTP request. Signed-off-by: Andrew Karpow <andy at ndyk.de> --- src/auth/plain.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/src/auth/plain.c b/src/auth/plain.c index 55cd1a0..2c65d8a 100644 --- a/src/auth/plain.c +++ b/src/auth/plain.c @@ -367,7 +367,11 @@ static int plain_auth_msg(void *ctx, void *pool, passwd_msg_st *pst) if (pctx->pass_msg) pst->msg_str = talloc_strdup(pool, pctx->pass_msg); - pst->counter = 0; /* we support a single password */ + + if(pctx->cpass[0] == 0) + pst->counter = 1; /* request otp as password_secondary */ + else + pst->counter = 0; /* we support a single password */ /* use the default prompt */ return 0; -- 2.8.3
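Review bot: In plain_auth_msg, the new branch decides that the prompt is the OTP request solely from `pctx->cpass[0] == 0`, i.e. from the stored password being empty, and nothing in the visible lines checks that OTP is actually configured for this user or that authentication has reached the OTP stage. Please either test the OTP state explicitly or add a comment explaining why an empty cpass always implies the OTP prompt here. It is also worth confirming what happens for an account that has both a password and OATH: as written, a non-empty cpass always yields `pst->counter = 0`, so the client would still see the OTP prompt as a normal password prompt in that case, which is the situation the commit message describes. Two smaller points: the retained comment "we support a single password" no longer matches the function now that it can return counter 1, and `if(` should be `if (` to match the `if (pctx->pass_msg)` style just above.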