From: Kevin Cernekee Date: Sat, 2 Aug 2014 20:09:06 +0000 (-0700) Subject: main: Allow reading --token-secret from a file X-Git-Tag: v7.00~154 X-Git-Url: https://www.infradead.org/git/?a=commitdiff_plain;h=ec2eb275cb76d35ab7832cadc69612a04bc5a207;p=users%2Fdwmw2%2Fopenconnect.git main: Allow reading --token-secret from a file If the token string starts with '@' or '/', assume it refers to a filename. None of the current token backends would recognize a string starting with '@' or '/'. The main use cases are: - Keeping token secrets from showing up in "ps" output - Allowing the use of SecurID SDTID XML files without import/conversion This accepts "raw" HOTP/TOTP/SecurID tokens, not .stokenrc files. Therefore it cannot use stoken_import_rcfile(). Signed-off-by: Kevin Cernekee --- diff --git a/main.c b/main.c index 2908f9c1..06b4ef9c 100644 --- a/main.c +++ b/main.c @@ -1769,8 +1769,17 @@ static void init_token(struct openconnect_info *vpninfo, oc_token_mode_t token_mode, const char *token_str) { int ret; + char *file_token = NULL; - ret = openconnect_set_token_mode(vpninfo, token_mode, token_str); + if (token_str) { + if (token_str[0] == '@') + read_file_into_string(vpninfo, &token_str[1], &file_token); + else if (token_str[0] == '/') + read_file_into_string(vpninfo, token_str, &file_token); + } + + ret = openconnect_set_token_mode(vpninfo, token_mode, file_token ? : token_str); + free(file_token); switch (token_mode) { case OC_TOKEN_MODE_STOKEN: diff --git a/openconnect.8.in b/openconnect.8.in index 68dd2282..0f02b678 100644 --- a/openconnect.8.in +++ b/openconnect.8.in @@ -54,8 +54,8 @@ openconnect \- Connect to Cisco AnyConnect VPN .OP \-\-no\-xmlpost .OP \-\-non\-inter .OP \-\-passwd\-on\-stdin -.OP \-\-token-mode mode -.OP \-\-token-secret secret\fR[\fI,counter\fR] +.OP \-\-token\-mode mode +.OP \-\-token\-secret {secret\fR[\fI,counter\fR]|@\fIfile\fR} .OP \-\-reconnect\-timeout .OP \-\-servercert sha1 .OP \-\-useragent string 
@@ -394,12 +394,19 @@ will call liboath to generate an RFC 6238 time-based password, and .B \-\-token\-mode=hotp will call liboath to generate an RFC 4226 HMAC-based password. .TP -.B \-\-token\-secret=SECRET[,COUNTER] +.B \-\-token\-secret={ SECRET[,COUNTER] | @FILENAME } The secret to use when generating one-time passwords/verification codes. Base 32-encoded TOTP/HOTP secrets can be used by specifying "base32:" at the beginning of the secret, and for HOTP secrets the token counter can be specified following a comma. +RSA SecurID secrets can be specified as an Android/iPhone URI or a raw numeric +CTF string (with or without dashes). + +.IR FILENAME , +if specified, can contain any of the above strings. Or, it can contain a +SecurID XML (SDTID) seed. + If this option is omitted, and \-\-token\-mode is "rsa", libstoken will try to use the software token seed saved in .B ~/.stokenrc
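Review bot: in the main.c hunk, the return value of read_file_into_string() is ignored in both branches of the new `if (token_str)` block, so when the file cannot be opened or read, file_token stays NULL and `file_token ? : token_str` silently hands the literal "@file" or "/path" string to openconnect_set_token_mode() as the secret; the failure then surfaces, if at all, as an unrecognized-token error from the backend instead of a clear message naming the file. Suggest checking the result and bailing out with an error before the set_token_mode call, and while there replacing the `? :` GNU extension with an explicit `file_token ? file_token : token_str`. It is also worth confirming that a trailing newline in the file (typical for a raw HOTP/TOTP secret saved with an editor) is stripped somewhere, since the hunk passes the file contents through unchanged.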
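Review bot: the man page hunks document only the @FILENAME form, but the main.c hunk also treats any token string beginning with '/' as a filename; either add the absolute-path form to the synopsis (`{secret\fR[\fI,counter\fR]|@\fIfile\fR}`) and to this description, or drop that branch from the code so the manual matches the behaviour. Since the commit message gives keeping secrets out of "ps" output as the motivation, a sentence here recommending that FILENAME be readable only by the invoking user would complete the advice. Minor wording: "Or, it can contain a SecurID XML (SDTID) seed." reads more naturally joined to the previous sentence as "or a SecurID XML (SDTID) seed."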