From: Matthias Apitz <guru@unixarea.de>
To: freebsd-net@freebsd.org
Date: Sat, 29 Jul 2017 09:18:30 +0200
Subject: Fwd: Re: [vpnc-devel] I need to give the same secret from the RSA token 3 times to login
Message-ID: <20170729071830.GA12731@c720-r314251>
X-Operating-System: FreeBSD 12.0-CURRENT r314251 (amd64)
I'm forwarding this to freebsd-net@ because it seems that the upstream mailing list vpnc-devel@unix-ag.uni-kl.de is dead.

I have modified the vpnc.c source so it prints the RSA code entered by the user; as it is a one-time key, this is no security problem:

# /usr/ports/security/vpnc/work/vpnc-0.5.3/vpnc
Password for VPN xxxxxxx@193.31.xxx.196:
RSA token entered was [55526846]
Password for VPN xxxxxxx@193.31.xxx.196:
RSA token entered was [55526846]
Password for VPN xxxxxxx@193.31.xxx.196:
RSA token entered was [55526846]
Connect Banner:
| ==== XXXXXXXX Germany VPN ====
|
| Use is restricted to XXXXXXXXXXXXXX authorized users.
| Usage and activity may be monitored or recorded and may be subject to auditing.
| Unauthorized access is strictly prohibited!
add host 193.31.xxx.196: gateway 10.42.0.1
...

i.e. after the 3rd same passcode it connects fine. More details below in the forwarded text.

Any ideas?

Thanks

matthias

----- Forwarded message from Matthias Apitz <guru@unixarea.de> -----

Date: Fri, 28 Jul 2017 10:06:16 +0200
From: Matthias Apitz <guru@unixarea.de>
To: vpnc-devel@unix-ag.uni-kl.de
Cc: ehaupt@FreeBSD.org
Subject: Re: [vpnc-devel] I need to give the same secret from the RSA token 3 times to login

(I have copied the MAINTAINER in FreeBSD, I don't know if vpnc is still maintained upstream)

Hello,

I have additional observations/remarks on this. To generate the 8-digit secret, I'm using an RSA app on my iPhone.

I can reproduce the following from my home office and as well when connected over mobile data using my smartphone as an Access Point:

1. I use the app to generate the 8 digits and wait until a fresh one shows up (to have 60 seconds for the rest of the following procedure)
2. I start the vpn client and enter the 8 digits carefully
3. VPN asks me to re-enter a secret, I do so using the same 8 digits for a 2nd time
4. VPN asks me to re-enter a secret, I do so and enter the same 8 digits for the 3rd time
5. VPN comes up fine after this

This is fully reproducible if someone needs more information.

I used the --debug 3 mode of vpnc and this shows an interesting dialog in the tons of debug lines:

...
DONE PARSING PAYLOAD type: 08 (ISAKMP_PAYLOAD_HASH)Connect Banner:
| ==== XXXXXXXXXXXX Germany VPN ====^M
| ^M
| Use is restricted to XXXXXXXXXXXX authorized users.^M
| Usage and activity may be monitored or recorded and may be subject to auditing.^M
| Unauthorized access is strictly prohibited!
add host 193.31.11.196: gateway 10.42.0.1
delete net 10.49.94.0: gateway 10.49.94.100 fib 0: not in table
...
S5.4 xauth type check [2017-07-28 07:37:04]
^M
Enter your new PIN, containing 5 chars,^M
or^M
to cancel the New PIN procedure: <*************************************
S5.5 do xauth authentication [2017-07-28 07:37:04]
size = 40, blksz = 8, padding = 0
sending: ========================>
...
S5.4 xauth type check [2017-07-28 07:37:14]
^M
Please re-enter new PIN: <************************************
S5.5 do xauth authentication [2017-07-28 07:37:14]
size = 40, blksz = 8, padding = 0
sending: ========================>
...
S5.4 xauth type check [2017-07-28 07:37:25]
^M
^M
PIN rejected.
Please try again.^M
<****************************************
^M
Enter PASSCODE: <****************************************
S5.5 do xauth authentication [2017-07-28 07:37:25]
size = 40, blksz = 8, padding = 0
sending: ========================>
...
Banner:
==== XXXXXXXXXXXX Germany VPN ====^M
^M
Use is restricted to XXXXXXXXXXXX authorized users.^M
Usage and activity may be monitored or recorded and may be subject to auditing.^M
Unauthorized access is strictly prohibited!
got save password setting: 0
got 42 acls for split include
acl 0: addr: 192.168.0.0/ 255.255.0.0 (16), protocol: 0, sport: 0, dport: 0
...

From here on all is fine and connected; there seems to be some dialog in the authentication procedure which wants me to change the PIN, asking for a confirmation of the new PIN, and is failing to accept this new PIN. This would explain why I'm asked three times for some secret: two times for some PIN and at the end for the 8 RSA digits.

Does this ring someone's bell?

I tested the same with a Windows VPN client. This connects fine after entering the 8 digits the first time.

matthias
_______________________________________________
vpnc-devel mailing list
vpnc-devel@unix-ag.uni-kl.de
https://lists.unix-ag.uni-kl.de/mailman/listinfo/vpnc-devel
http://www.unix-ag.uni-kl.de/~massar/vpnc/

----- End forwarded message -----

-- 
Matthias Apitz, ✉ guru@unixarea.de, ⌂ http://www.unixarea.de/ ☎ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub

May 8, 1945: Who does not celebrate lost the War.
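The XAUTH dialog quoted in the forwarded mail can be read off mechanically from a vpnc --debug 3 log. The following is an added example, not vpnc code and not from Matthias Apitz's post: it pulls the gateway's XAUTH messages out of the "S5.4 xauth type check" records and labels them, so the New-PIN prompts that sit behind vpnc's generic "Password for VPN" prompt become visible without reading the whole debug output. It assumes the record shape shown in the quoted log, that a record ends at the next "S5.5 do xauth authentication" line, and that whatever follows the first '<' on a line is vpnc's masked dump of the attribute rather than server text. The sample log is constructed to mirror the quoted session.

```python
"""Label the gateway's XAUTH prompts in a vpnc --debug 3 log.

Added example; not vpnc code and not from the original post. The record
shape ("S5.4 xauth type check [timestamp]" ... "S5.5 do xauth
authentication") is copied from the log quoted in the mail. Assumptions:
a record ends at the next "S5.5 do xauth authentication" line, and the
text after the first '<' on a line is vpnc's masked dump, not server text.
"""
import re

# One XAUTH request from the gateway: timestamp plus everything up to the
# line where vpnc sends its answer.
RECORD = re.compile(
    r"S5\.4 xauth type check \[(?P<ts>[^\]]+)\](?P<body>.*?)"
    r"(?=^S5\.5 do xauth authentication|\Z)",
    re.S | re.M,
)

# Prompt fragments seen in the quoted session; matched case-insensitively.
KINDS = (
    ("new_pin", "enter your new pin"),
    ("reenter_new_pin", "re-enter new pin"),
    ("pin_rejected", "pin rejected"),
    ("passcode", "enter passcode"),
)

# Constructed sample, modelled on the quoted session. The cancel-key token
# the gateway names between "or" and "to cancel" is absent from the quoted
# log as well, so it is left out here too.
SAMPLE_LOG = (
    "S5.4 xauth type check [2017-07-28 07:37:04]\r\n"
    " \r\n"
    "Enter your new PIN, containing 5 chars,\r\n"
    "or\r\n"
    "to cancel the New PIN procedure: <*************************************\r\n"
    "S5.5 do xauth authentication [2017-07-28 07:37:04]\r\n"
    "size = 40, blksz = 8, padding = 0\r\n"
    "sending: ========================>\r\n"
    "...\r\n"
    "S5.4 xauth type check [2017-07-28 07:37:14]\r\n"
    " \r\n"
    "Please re-enter new PIN: <************************************\r\n"
    "S5.5 do xauth authentication [2017-07-28 07:37:14]\r\n"
    "size = 40, blksz = 8, padding = 0\r\n"
    "...\r\n"
    "S5.4 xauth type check [2017-07-28 07:37:25]\r\n"
    " \r\n"
    " \r\n"
    "PIN rejected.\r\n"
    "Please try again.\r\n"
    " <****************************************\r\n"
    " \r\n"
    "Enter PASSCODE: <****************************************\r\n"
    "S5.5 do xauth authentication [2017-07-28 07:37:25]\r\n"
    "size = 40, blksz = 8, padding = 0\r\n"
)


def _clean(body: str) -> str:
    """Join the CR/LF-separated lines of one gateway message, dropping the
    '<...' masked tail of each line and blank lines."""
    lines = []
    for raw in body.replace("\r", "").split("\n"):
        text = raw.split("<", 1)[0].strip()
        if text:
            lines.append(text)
    return " ".join(lines)


def classify(text: str) -> tuple:
    """Return every prompt kind present in a message, in KINDS order;
    ("other",) when none of the known fragments is found."""
    low = text.lower()
    found = tuple(kind for kind, needle in KINDS if needle in low)
    return found or ("other",)


def parse_xauth_prompts(log: str) -> list:
    """One dict per XAUTH request: timestamp, cleaned text, kinds found."""
    out = []
    for m in RECORD.finditer(log):
        text = _clean(m.group("body"))
        out.append({"ts": m.group("ts"), "text": text, "kinds": classify(text)})
    return out


def summarize(prompts: list) -> dict:
    """What the user was really asked for across the whole exchange."""
    kinds = [k for p in prompts for k in p["kinds"]]
    return {
        "requests": len(prompts),              # times vpnc will say "Password for VPN"
        "new_pin_dialog": "new_pin" in kinds,  # gateway opened a New PIN procedure
        "pin_rejected": "pin_rejected" in kinds,
        "passcode_at": next((i for i, p in enumerate(prompts) if "passcode" in p["kinds"]), None),
    }


if __name__ == "__main__":
    parsed = parse_xauth_prompts(SAMPLE_LOG)
    for p in parsed:
        print(p["ts"], p["kinds"], "-", p["text"])
    print(summarize(parsed))
```

Run it over a real capture with `parse_xauth_prompts(open(path).read())`. A summary with `new_pin_dialog` set and `passcode_at` pointing at the last request is exactly the pattern the post describes: the first two secrets the user typed went to a "new PIN" and a "re-enter new PIN" prompt, and only the third answer was given to an "Enter PASSCODE" prompt, which is why the same token has to be entered three times.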