3

Currently I am using the following command to execute an authentication request to obtain the server certificate (FINGERPRINT) and the OpenConnect cookie:

openconnect --authenticate --user=<username> "VPN host"

Here I always have to enter my password in a user prompt that appears later.

Is there an option available to pass the password over to OpenConnect already in the above command?

For example, by extending the command like...

openconnect --authenticate --user=<username> password=<password> "VPN host"

... ?


The challenge is:

The user RuiFRibeiro had the idea just to echo the password within the command. Unfortunately this does not work in our case, because the server provides one more user prompt before reaching the second prompt (= password prompt).

It will happen like that:

  1. First user prompt: Server saying

    • "Please choose if you want to tunnel all traffic or only specific one."
    • "Type in Tunnel all or Tunnel company."
  2. Second user prompt: Server saying

    • "Please enter your password."

As you can see, a simple echo would give the wrong answer to the wrong question. :-)


For a possible expect script, the real (exact) server request before inserting text is as follows:

  1. First prompt: GROUP: [tunnel MyCompany|tunnel all]:, answer-insertion should be tunnel MyCompany

  2. Second prompt: Password:, answer-insertion should be 123456789

Jeff Schaller
Dave
  • @RuiFRibeiro: You mean executing the request with this command: `echo password | openconnect --authenticate --user= "VPN host"`? Should I type in my real password or leave it as "password"? – Dave Aug 26 '18 at 13:23
  • added to the answer. – Rui F Ribeiro Aug 26 '18 at 13:25

2 Answers

4

Usually, VPN software does not accept the password for a user as input, because it is considered a security risk.

A possible solution is feeding the password via a pipe as in:

echo -e "Tunnel all\nYourPassword" | openconnect --authenticate --user=<username> "VPN host"

If you are interested in using this method to write a script:

  • be sure to understand the security implications of having your password in a file, and restrict the read rights of that file to only the user running the openconnect command.

PS: Replace YourPassword with your real password.

Rui F Ribeiro
  • Thanks for your idea! Unfortunately there is one more user prompt before the mentioned prompt (the one where I have to insert the password). Because of this your command does not fit into this first user prompt, because during the first one the server only wants to know if I want to tunnel everything or just specific traffic. Unfortunately only in the next (= second) prompt the server will ask for the password. – Dave Aug 26 '18 at 13:28
  • If you are placing the user in the command line, what is the nature of the other prompt? double factor auth? – Rui F Ribeiro Aug 26 '18 at 13:29
  • In the first prompt the server is asking if I want to tunnel all traffic over the VPN or just specific one. The user prompt where I have to insert my password is the second prompt... – Dave Aug 26 '18 at 13:32
  • I would that output/text/interaction to the question in the first place. – Rui F Ribeiro Aug 26 '18 at 13:32
  • @Dave Try this. If it does not work, you need something more complicated. – Rui F Ribeiro Aug 26 '18 at 13:48
  • The idea is great, but unfortunately this does not work... :-( – Dave Aug 26 '18 at 14:05
  • Thanks for that hint! I posted the real server output into my question. – Dave Aug 26 '18 at 14:29
  • It is working now! I had to write the password with `'password'` instead of `"password"`... – Dave Aug 27 '18 at 10:01
  • Good news then. Congrats and thanks for the points. – Rui F Ribeiro Aug 27 '18 at 10:18
  • Thanks! :-) By the way, you can update your answer: With `OpenConnect` it is possible to specify the desired user group directly in the command with `authgroup="GROUPNAME"`, so there is no need to create a multiline echo output. Therefore the echo is only required for the password while calling the password in the command with `passwd-on-stdin`. – Dave Aug 27 '18 at 10:27
  • @Dave I am not entirely following you, feel free to edit it yourself and correct it. – Rui F Ribeiro Aug 27 '18 at 10:38
1

This works for me:

echo 'your password' > passwd.auth
sudo openconnect <SERVER IP> --user=USERNAME --servercert sha256:<SHA256> --passwd-on-stdin < passwd.auth
Glorfindel
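Putting the second answer and Dave's `--authgroup` remark together, here is an added example (not code from either answer or from the OpenConnect project): a small sh wrapper that answers the group prompt with `--authgroup`, feeds only the password via `--passwd-on-stdin`, pins the server with `--servercert`, and refuses to run unless the password file is owner-only. The `OPENCONNECT` override variable, the host `vpn.example.com` and the `sha256:` pin placeholder are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original answers. The group prompt is answered
# with --authgroup so stdin carries only the password, and the password file
# must be owner-only before it is used. OPENCONNECT is an assumed override
# (handy for testing); --authgroup, --passwd-on-stdin and --servercert are
# real openconnect options.

OPENCONNECT=${OPENCONNECT:-openconnect}

# Succeed only if FILE is a regular file owned by the caller with no
# group/other permission bits (0600, 0400, ...). GNU stat first, BSD fallback.
check_secret_file() {
  f="$1"
  [ -f "$f" ] || return 1
  mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f" 2>/dev/null) || return 1
  case "$mode" in
    *00) ;;            # group and other bits are zero
    *)   return 1 ;;
  esac
  owner=$(stat -c '%u' "$f" 2>/dev/null || stat -f '%u' "$f" 2>/dev/null) || return 1
  [ "$owner" = "$(id -u)" ]
}

# vpn_auth PWFILE HOST USER GROUP PIN
# The password travels on stdin, never on the command line, so it does not
# show up in `ps` output or shell history; the server is pinned with --servercert.
vpn_auth() {
  pwfile="$1"; host="$2"; user="$3"; group="$4"; pin="$5"
  check_secret_file "$pwfile" || {
    printf 'refusing: %s must be a regular file, mode 0600, owned by you\n' "$pwfile" >&2
    return 2
  }
  "$OPENCONNECT" --authenticate "--user=$user" "--authgroup=$group" \
      "--servercert=$pin" --passwd-on-stdin "$host" < "$pwfile"
}
```

Create the password file with `printf '%s\n' 'your password' > ~/.vpnpass && chmod 600 ~/.vpnpass` (printf rather than `echo -e`, so backslashes survive), then call `vpn_auth ~/.vpnpass vpn.example.com USERNAME 'tunnel MyCompany' sha256:<SHA256>`.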