SmartCard + username and password #629

Closed
simowdas opened this issue Apr 7, 2020 · 10 comments

Comments

@simowdas

simowdas commented Apr 7, 2020

Version: 1.12.0
When using username, password and user-cert from a smartcard, the username and password are not sent to the server.

/remote/login is sent with only cert=&nup=1

@DimitriPapadopoulos
Collaborator

DimitriPapadopoulos commented Apr 7, 2020

Isn't this a duplicate of #507?

@DimitriPapadopoulos
Collaborator

Or perhaps not because #507 is supposed to have been fixed in 1.12.0.

@DimitriPapadopoulos
Collaborator

It would help if you could show the (sanitized) output of openfortivpn -v -v and the (sanitized) contents of /etc/openfortivpn/config.

@simowdas
Author

simowdas commented Apr 7, 2020

DEBUG: openfortivpn 1.12.0
DEBUG: Loaded config file "/etc/openfortivpn/config".
DEBUG: Loaded password from config file "/etc/openfortivpn/config"
DEBUG: Config host = "*******"
DEBUG: Config realm = "someone"
DEBUG: Config port = "443"
DEBUG: Config username = "someone"
DEBUG: Resolving gateway host ip
DEBUG: Establishing ssl connection
DEBUG: server_addr:*****
DEBUG: server_port: 443
DEBUG: gateway_addr: ******
DEBUG: gateway_port: 443
DEBUG: Setting cipher list to: HIGH:!aNULL:!kRSA:!PSK:!SRP:!MD5:!RC4
DEBUG: Gateway certificate validation failed.
DEBUG: Gateway certificate digest found in white list.
INFO: Connected to gateway.
DEBUG: http_send:
GET /remote/login HTTP/1.1
Host: ***********:443
User-Agent: Mozilla/5.0 SV1
Accept: text/plain
Accept-Encoding: identity
Content-Type: application/x-www-form-urlencoded
Cookie:
Content-Length: 11

cert=&nup=1
DEBUG: http_receive:
HTTP/1.1 200 OK
Date: Tue, 07 Apr 2020 10:24:56 GMT
Server: xxxxxxxx-xxxxx
Set-Cookie: SVPNCOOKIE=; path=/; expires=Sun, 11 Mar 1984 12:00:00 GMT; secure; httponly;
Set-Cookie: SVPNNETWORKCOOKIE=; path=/remote/network; expires=Sun, 11 Mar 1984 12:00:00 GMT; secure; httponly
X-UA-Compatible: requiresActiveX=true
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: frame-ancestors 'self'; object-src 'self'; script-src 'self' https (null) 'unsafe-eval' 'unsafe-inline' blob:;
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000

ec0

!!!!some HTML here!!!!!!

E5 18 C3 5F AC F6 8A 88 28 46 7E 1B 15 4E 4F 66 ..._....(F~..NOf
EB AB F3 33 00 11 C6 61 51 ...3...aQ

ERROR: Could not authenticate to gateway. Please check the password, client certificate, etc.
DEBUG: No cookie given -7
INFO: Closed connection to gateway.

Config:
host = vpn.server.pl
port = 443
user-cert = pkcs11:

username = someone
password = somepass
realm = someone
trusted-cert = 9gad786876dagu0f15934d965023574db9ea157cdd05

@DimitriPapadopoulos
Collaborator

The config file looks OK.

@mrbaseman
Collaborator

We currently support:

  • smart card or user certificate without username&password
  • user certificate and username&password
  • username&password
    optionally a one-time password in addition to the above combinations.

We could try to handle your case differently. The problem is that without a smartcard, username and password are sent via HTTP POST, but with a smartcard a GET is used, and I don't know if we can just pass the POSTed parameters together with this GET request or if we should switch to POST in that case.
Do you have the chance to watch what Forticlient does in this scenario? Maybe the !!!!some HTML here!!!!!! section is interesting. Just make sure to anonymize sensitive data therein.
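An added example (not openfortivpn's own code, and not from anyone in this thread) of the request-selection logic mrbaseman describes, in Python. The certificate-only GET with body cert=&nup=1 is the request visible in the debug output above; the POST endpoint /remote/logincheck and the field names username, credential and realm are assumptions for illustration, not the project's verified wire format. build_login_request_reported reconstructs the behaviour in this report, branching on "is a smartcard in use" so that configured credentials are dropped, while build_login_request branches on whether credentials are present. svpn_cookie checks the only success signal the log shows: a non-empty SVPNCOOKIE, which the failed reply above clears ("No cookie given -7").

```python
"""Added example: login request selection and cookie check modelled on this thread."""
import urllib.parse
from dataclasses import dataclass
from typing import Optional


@dataclass
class VpnConfig:
    host: str
    port: int = 443
    user_cert: str = ""   # file path, or a PKCS#11 URI such as "pkcs11:" for a smartcard
    username: str = ""
    password: str = ""
    realm: str = ""


def uses_smartcard(cfg: VpnConfig) -> bool:
    return cfg.user_cert.startswith("pkcs11:")


def _request(cfg: VpnConfig, method: str, path: str, body: str) -> str:
    # Header set copied from the http_send dumps in this thread; Content-Length
    # is derived from the body so the request is always self-consistent.
    return (
        f"{method} {path} HTTP/1.1\r\n"
        f"Host: {cfg.host}:{cfg.port}\r\n"
        "User-Agent: Mozilla/5.0 SV1\r\n"
        "Accept: text/plain\r\n"
        "Accept-Encoding: identity\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        "Cookie: \r\n"
        f"Content-Length: {len(body)}\r\n"
        "\r\n"
        f"{body}"
    )


def certificate_only_login(cfg: VpnConfig) -> str:
    # Exactly the request shown in the debug output: GET /remote/login with body cert=&nup=1
    return _request(cfg, "GET", "/remote/login", "cert=&nup=1")


def credential_login(cfg: VpnConfig) -> str:
    # ASSUMPTION: endpoint and field names are illustrative, not verified against openfortivpn.
    body = urllib.parse.urlencode(
        {"username": cfg.username, "credential": cfg.password, "realm": cfg.realm}
    )
    return _request(cfg, "POST", "/remote/logincheck", body)


def build_login_request_reported(cfg: VpnConfig) -> str:
    """Reconstruction of the behaviour reported in this issue: the branch is taken
    on 'is a smartcard in use', so configured credentials are silently dropped."""
    if uses_smartcard(cfg):
        return certificate_only_login(cfg)
    return credential_login(cfg)


def build_login_request(cfg: VpnConfig) -> str:
    """The distinction mrbaseman proposes: branch on whether credentials are present.
    A smartcard with no username/password still gets the certificate-only GET."""
    if not cfg.username and not cfg.password:
        return certificate_only_login(cfg)
    return credential_login(cfg)


def svpn_cookie(raw_response: str) -> Optional[str]:
    """Return the SVPNCOOKIE value if the gateway set a non-empty one, else None.
    A failed login (as in this thread) answers 200 OK but clears the cookie."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n"):
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "set-cookie":
            continue
        cookie = value.strip().split(";", 1)[0]
        cname, _, cval = cookie.partition("=")
        if cname.strip() == "SVPNCOOKIE":
            return cval.strip() or None
    return None


# Constructed sample: a sanitised copy of the failed reply shown in this issue.
FAILED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: SVPNCOOKIE=; path=/; expires=Sun, 11 Mar 1984 12:00:00 GMT; secure; httponly;\r\n"
    "Set-Cookie: SVPNNETWORKCOOKIE=; path=/remote/network; expires=Sun, 11 Mar 1984 12:00:00 GMT; secure; httponly\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "\r\n"
    "<html>login page</html>"
)


if __name__ == "__main__":
    # Reporter's configuration: smartcard plus username and password (host is a placeholder).
    cfg = VpnConfig(host="vpn.example.test", user_cert="pkcs11:",
                    username="someone", password="somepass", realm="someone")
    print(build_login_request_reported(cfg).splitlines()[0])  # GET /remote/login HTTP/1.1
    print(build_login_request(cfg).splitlines()[0])           # POST /remote/logincheck HTTP/1.1
    print("authenticated" if svpn_cookie(FAILED_RESPONSE) else "no SVPNCOOKIE: authentication failed")
```

The cookie check is the part worth keeping regardless of which request shape the gateway finally wants: the gateway answers 200 OK either way, so the client can only tell success from failure by whether SVPNCOOKIE carries a value, which is why the log reports the failure as "No cookie given".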

@mrbaseman
Collaborator

Actually, the case "user certificate and username&password" is very close to yours, except that the certificate is stored on the smart card. Historically, the case to log in without username&password came into the source together with the pull request for smart card support in #464.
But maybe the distinction of whether username and password are empty (which came later in the code) is good enough there.
@simowdas can you try whether my smartcard branch works for you?

@mrbaseman
Collaborator

I have created pull request #631, but I would like to have it verified that it solves your problem and that it does not severely break a working feature for others.

@simowdas
Author

simowdas commented Apr 7, 2020

I have created pull request #631, but I would like to have it verified that it solves your problem and that it does not severely break a working feature for others.

I've checked your fix and it's working. Thx

@ghost

ghost commented Apr 6, 2022

Hello,

I have been trying to use this specific mode for 2 months (client cert hosted on Yubikey + user + password) but I was unable to achieve it. I tried with or without dummy entries.

If I provide a file instead of pkcs11, it works.

So, in my mind, it's not solved.

host = myhost.domain
port = 443
username = adminNico
trusted-cert = 9f40b40xxxxxxxxxxxxxxxxxxxx7608d40c
user-cert = pkcs11:serial=xxxxxxxxxxxx;id=%01

sudo openfortivpn -v -v -v -v --no-dns --no-routes
DEBUG: ATTENTION: the output contains sensitive information such as the THE CLEAR TEXT PASSWORD.
DEBUG: openfortivpn 1.12.0
DEBUG: Loaded config file "/etc/openfortivpn/config".
DEBUG: Disabled password due to empty entry in config file "/etc/openfortivpn/config"
DEBUG: Config host = "myhost.domain"
DEBUG: Config realm = ""
DEBUG: Config port = "443"
DEBUG: Config username = "adminNico"
DEBUG: Config password = ""
DEBUG: Resolving gateway host ip
DEBUG: Establishing ssl connection
DEBUG: server_addr: x.x.x.x
DEBUG: server_port: 443
DEBUG: gateway_addr: x.x.x.x
DEBUG: gateway_port: 443
Enter PKCS#11 token PIN for adminNico :
DEBUG: Setting cipher list to: HIGH:!aNULL:!kRSA:!PSK:!SRP:!MD5:!RC4
DEBUG: Gateway certificate validation succeeded.
INFO: Connected to gateway.
DEBUG: http_send:
GET /remote/login HTTP/1.1
Host: myhost.domain:443
User-Agent: Mozilla/5.0 SV1
Accept: text/plain
Accept-Encoding: identity
Content-Type: application/x-www-form-urlencoded
Cookie:
Content-Length: 11

cert=&nup=1
DEBUG: http_receive:
HTTP/1.1 200 OK
**** SOME HTML ****
ERROR: Could not authenticate to gateway. Please check the password, client certificate, etc.
DEBUG: No cookie given -7
INFO: Closed connection to gateway.
