On 29 January 2018 at 15:19, David Woodhouse <dwmw2 at infradead.org> wrote:
>
>
> On Mon, 2018-01-29 at 15:07 +0000, Dave Walker wrote:
>>
>> The password and secondary_password are reversed.
>>
>> On this page it states the ordering:
>> http://www.infradead.org/openconnect/token.html
>>
>> "SecurID token codes will automatically fill in the primary password
>> field in the authentication form presented by the server" .. "This
>> behaviour is empirically determined by the requirements of the servers
>> that we have tested with; if you find a configuration in which it is
>> not appropriate, please let us know."
>>
>> This mail is letting you know... is there a workaround?
>
> I think we should patch the code to use a 'secondary_password' field
> *if* it exists, and 'password' otherwise. That will require a slightly
> non-trivial modification to the cstp_can_gen_tokencode() function in
> auth.c, because now it's no longer *purely* a function of the one
> option it's being asked to consider. But not *so* hard... patches
> welcome :)

Hi David,

Thanks for your feedback. I've not had the time to do a proper fix, but I can confirm that locally running this patch makes it work in /my/ environment.

I hope to get a supportable patch together that I can submit, but I am not confident I can do so in the near term.

--- a/auth.c +++ b/auth.c @@ -886,7 +886,7 @@ static int cstp_can_gen_tokencode(struct openconnect_info *vpninfo, #ifdef HAVE_LIBSTOKEN if (vpninfo->token_mode == OC_TOKEN_MODE_STOKEN) { - if (strcmp(opt->name, "password") && + if (strcmp(opt->name, "secondary_password") && strcmp(opt->name, "answer")) return -EINVAL; return can_gen_stoken_code(vpninfo, form, opt);

--
Kind Regards,
Dave Walker
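Review bot: In the OC_TOKEN_MODE_STOKEN branch of cstp_can_gen_tokencode(), replacing "password" with "secondary_password" in the strcmp() test means an option named "password" now falls through to return -EINVAL, so servers whose form expects the tokencode in the primary password field lose automatic token fill. The check should accept both names conditionally: since form is already in scope (it is passed to can_gen_stoken_code()), look through the form for a "secondary_password" option first, accept "password" only when none exists, and keep "answer" as is. Only the stoken branch is visible here; if the other token modes in this function carry the same name test, they need the same treatment so behaviour does not diverge between token types. A short comment above the check stating which field receives the tokencode and why would also help, since the ordering is described as empirically determined.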