Date: Sat, 29 Jul 2017 09:18:30 +0200
From: Matthias Apitz <guru@unixarea.de>
To: freebsd-net@freebsd.org
Subject: Fwd: Re: [vpnc-devel] I need to give the same secret from the RSA token 3 times to login
Message-ID: <20170729071830.GA12731@c720-r314251>
I'm forwarding this to freebsd-net@ because it seems that the upstream mailing list vpnc-devel@unix-ag.uni-kl.de is dead.

I have modified the vpnc.c source so it prints the RSA code entered by the user; as it is a one-time key, this is no security problem:

# /usr/ports/security/vpnc/work/vpnc-0.5.3/vpnc
Password for VPN xxxxxxx@193.31.xxx.196:
RSA token entered was [55526846]
Password for VPN xxxxxxx@193.31.xxx.196:
RSA token entered was [55526846]
Password for VPN xxxxxxx@193.31.xxx.196:
RSA token entered was [55526846]
Connect Banner:
| ==== XXXXXXXX Germany VPN ====
|
| Use is restricted to XXXXXXXXXXXXXX authorized users.
| Usage and activity may be monitored or recorded and may be subject to auditing.
| Unauthorized access is strictly prohibited!
add host 193.31.xxx.196: gateway 10.42.0.1
...

i.e. after the 3rd identical passcode it connects fine. More details below in the forwarded text.

Any ideas? Thanks

matthias

----- Forwarded message from Matthias Apitz <guru@unixarea.de> -----

Date: Fri, 28 Jul 2017 10:06:16 +0200
From: Matthias Apitz <guru@unixarea.de>
To: vpnc-devel@unix-ag.uni-kl.de
Cc: ehaupt@FreeBSD.org
Subject: Re: [vpnc-devel] I need to give the same secret from the RSA token 3 times to login

(I have copied the MAINTAINER in FreeBSD, I don't know if vpnc is still maintained upstream)

Hello,

I have additional observations/remarks on this. To generate the 8-digit secret, I'm using an RSA app on my iPhone. I can reproduce the following from my home office and as well when connected over mobile data using my smartphone as an Access Point:

1. I use the app to generate the 8 digits and wait until a fresh one shows up (to have 60 seconds for the rest of the following procedure)
2. I start the vpn client and enter the 8 digits carefully
3. VPN asks me to re-enter a secret, I do so using the same 8 digits for a 2nd time
4. VPN asks me to re-enter a secret, I do so and enter the same 8 digits for the 3rd time
5. VPN comes up fine after this

This is fully reproducible if someone needs more information.

I used the --debug 3 mode of vpnc and this shows an interesting dialog in the tons of debug lines:

...
DONE PARSING PAYLOAD type: 08 (ISAKMP_PAYLOAD_HASH)Connect Banner:
| ==== XXXXXXXXXXXX Germany VPN ====^M
| ^M
| Use is restricted to XXXXXXXXXXXX authorized users.^M
| Usage and activity may be monitored or recorded and may be subject to auditing.^M
| Unauthorized access is strictly prohibited!
add host 193.31.11.196: gateway 10.42.0.1
delete net 10.49.94.0: gateway 10.49.94.100 fib 0: not in table
...
S5.4 xauth type check
 [2017-07-28 07:37:04]
^M
Enter your new PIN, containing 5 chars,^M
or^M
<Ctrl-D> to cancel the New PIN procedure: <*************************************
S5.5 do xauth authentication
 [2017-07-28 07:37:04]
size = 40, blksz = 8, padding = 0
sending: ========================>
...
S5.4 xauth type check
 [2017-07-28 07:37:14]
^M
Please re-enter new PIN: <************************************
S5.5 do xauth authentication
 [2017-07-28 07:37:14]
size = 40, blksz = 8, padding = 0
sending: ========================>
...
S5.4 xauth type check
 [2017-07-28 07:37:25]
^M
^M
PIN rejected. Please try again.^M
<****************************************
^M
Enter PASSCODE: <****************************************
S5.5 do xauth authentication
 [2017-07-28 07:37:25]
size = 40, blksz = 8, padding = 0
sending: ========================>
...
Banner: ==== XXXXXXXXXXXX Germany VPN ====^M
^M
Use is restricted to XXXXXXXXXXXX authorized users.^M
Usage and activity may be monitored or recorded and may be subject to auditing.^M
Unauthorized access is strictly prohibited!
got save password setting: 0
got 42 acls for split include
acl 0: addr: 192.168.0.0/ 255.255.0.0 (16), protocol: 0, sport: 0, dport: 0
...
from here all is fine, connected;

There seems to be some dialog in the authentication procedure which wants me to change the PIN, asking for a confirmation of the new PIN, and is failing to accept this new PIN. This would explain why I'm asked three times for some secret: two times for some PIN and at the end for the 8 RSA digits.

Does this ring someone's bell?

I tested the same with a Windows VPN client. This connects fine after entering the 8 digits the first time.

matthias

_______________________________________________
vpnc-devel mailing list
vpnc-devel@unix-ag.uni-kl.de
https://lists.unix-ag.uni-kl.de/mailman/listinfo/vpnc-devel
http://www.unix-ag.uni-kl.de/~massar/vpnc/

----- End forwarded message -----

--
Matthias Apitz, ✉ guru@unixarea.de, ⌂ http://www.unixarea.de/ ☎ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub
8. Mai 1945: Wer nicht feiert hat den Krieg verloren.
8 de mayo de 1945: Quien no festeja perdió la Guerra.
May 8, 1945: Who does not celebrate lost the War.
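An added example, not part of the post and not vpnc code: a small Python script that pulls the XAUTH prompts out of a vpnc --debug 3 log like the one quoted above and classifies each one, so an administrator can confirm from the log alone that the gateway was running a New PIN procedure (new PIN, re-enter PIN, PIN rejected) before it finally asked for the PASSCODE, rather than asking three times for the same passcode. The prompt wordings matched are the ones shown in the post; the sample log is constructed after that excerpt, and the assumption that the "S5.4 xauth type check" / "S5.5 do xauth authentication" markers bracket every prompt is taken from the excerpt, not from vpnc documentation.

```python
"""Classify XAUTH prompts found in a vpnc --debug 3 log (added example)."""
import re

# Constructed sample, modelled on the --debug 3 excerpt in the post.
# "\r" stands for the ^M carriage returns the gateway sends; "<****" is
# vpnc's masked echo of the user's input.
SAMPLE_LOG = """\
S5.4 xauth type check
 [2017-07-28 07:37:04]
\r
Enter your new PIN, containing 5 chars,\r
or\r
<Ctrl-D> to cancel the New PIN procedure: <****************
S5.5 do xauth authentication
 [2017-07-28 07:37:04]
S5.4 xauth type check
 [2017-07-28 07:37:14]
\r
Please re-enter new PIN: <****************
S5.5 do xauth authentication
 [2017-07-28 07:37:14]
S5.4 xauth type check
 [2017-07-28 07:37:25]
\r
\r
PIN rejected. Please try again.\r
<****************
\r
Enter PASSCODE: <****************
S5.5 do xauth authentication
 [2017-07-28 07:37:25]
"""

# Assumed from the excerpt: each XAUTH challenge sits between these two markers.
XAUTH_START = "S5.4 xauth type check"
XAUTH_END = "S5.5 do xauth authentication"
TIMESTAMP_RE = re.compile(r"^\s*\[(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\]\s*$", re.M)

# Prompt wordings as they appear in the post; first rule that matches wins.
PROMPT_RULES = [
    ("new_pin", re.compile(r"Enter your new PIN", re.I)),
    ("reenter_pin", re.compile(r"re-enter new PIN", re.I)),
    ("passcode", re.compile(r"Enter PASSCODE", re.I)),
]


def extract_prompts(log):
    """Return (timestamp, prompt_text) for every XAUTH challenge in the log."""
    prompts = []
    for chunk in log.split(XAUTH_START)[1:]:
        body = chunk.split(XAUTH_END, 1)[0]
        m = TIMESTAMP_RE.search(body)
        stamp = m.group(1) if m else None
        text = body[m.end():] if m else body
        # Strip carriage returns and the masked echo of the user's input,
        # then collapse the multi-line prompt to one line.
        text = re.sub(r"<\*+", "", text.replace("\r", ""))
        prompts.append((stamp, " ".join(text.split())))
    return prompts


def classify(text):
    """Map one prompt text to a prompt kind plus a 'PIN rejected' flag."""
    kind = "unknown"
    for name, rule in PROMPT_RULES:
        if rule.search(text):
            kind = name
            break
    return kind, "PIN rejected" in text


def analyze(log):
    """Classify every XAUTH prompt in the log, in order."""
    results = []
    for stamp, text in extract_prompts(log):
        kind, rejected = classify(text)
        results.append({"time": stamp, "kind": kind,
                        "pin_rejected": rejected, "prompt": text})
    return results


def diagnose(results):
    """One-line verdict on what the gateway's XAUTH dialog actually asked for."""
    kinds = [r["kind"] for r in results]
    if "new_pin" in kinds or "reenter_pin" in kinds:
        return "gateway ran a New PIN procedure before the PASSCODE prompt"
    if kinds == ["passcode"]:
        return "single PASSCODE prompt"
    return "unexpected prompt sequence: " + ", ".join(kinds)


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for r in report:
        flag = " (PIN rejected)" if r["pin_rejected"] else ""
        print(f"{r['time']}  {r['kind']:<12}{flag}  {r['prompt']}")
    print(diagnose(report))
```

Run against a real capture with `analyze(open("vpnc-debug.log").read())`; a sequence of new_pin, reenter_pin, passcode is the signature of a gateway that has the token in New PIN mode, which is the server-side state to check before looking for a client bug.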