2FA Prompt "Password1:" - it should display additional information if available
Server and client software versions
- Server: ocserv v0.12.2, libpam-duo v.1.9.21-1.1
- Client: Windows 10, OpenConnect-GUI v 1.5.3
Description of the issue
I've configured an OpenConnect server with PAM and Duo 2FA (via PAM) that displays a message about what to enter next (a passcode, or a number to send push or SMS notification). Using OpenConnect GUI 1.5.3 the secondary password prompt is just "password1:", without any descriptive message; the only way to know what code to enter to receive a push notification is by looking at the log panel (or remembering it).
I've copied (and sanitized) a snippet of the log, just to help explain the situation:
2020-12-16 10:05:03 | ed8 | SSL negotiation with myendpoint.domain
2020-12-16 10:05:03 | ed8 | Connected to HTTPS on myendpoint.domain
2020-12-16 10:05:04 | ed8 | Got HTTP response: HTTP/1.1 200 OK
2020-12-16 10:05:04 | ed8 | Set-Cookie: webvpncontext=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; Secure
2020-12-16 10:05:04 | ed8 | Content-Type: text/xml
2020-12-16 10:05:04 | ed8 | Content-Length: 306
2020-12-16 10:05:04 | ed8 | X-Transcend-Version: 1
2020-12-16 10:05:04 | ed8 | HTTP body length: (306)
2020-12-16 10:05:04 | ed8 | XML POST enabled
2020-12-16 10:05:04 | ed8 | Please enter your username.
2020-12-16 10:05:04 | ed8 | Text form: username
2020-12-16 10:05:04 | ed8 | POST https://myendpoint.domain/auth
2020-12-16 10:05:04 | ed8 | Got HTTP response: HTTP/1.1 200 OK
2020-12-16 10:05:04 | ed8 | Set-Cookie: webvpncontext=U--SNIP--=; Max-Age=300; Secure
2020-12-16 10:05:04 | ed8 | Content-Type: text/xml
2020-12-16 10:05:04 | ed8 | Content-Length: 310
2020-12-16 10:05:04 | ed8 | X-Transcend-Version: 1
2020-12-16 10:05:04 | ed8 | HTTP body length: (310)
2020-12-16 10:05:04 | ed8 | Please enter your password.
2020-12-16 10:05:04 | ed8 | Password form: password
2020-12-16 10:05:04 | ed8 | POST https://myendpoint.domain/auth
2020-12-16 10:05:04 | ed8 | Got HTTP response: HTTP/1.1 200 OK
2020-12-16 10:05:04 | ed8 | Set-Cookie: webvpncontext=U--SNIP--=; Max-Age=300; Secure
2020-12-16 10:05:04 | ed8 | Content-Type: text/xml
2020-12-16 10:05:04 | ed8 | Content-Length: 550
2020-12-16 10:05:04 | ed8 | X-Transcend-Version: 1
2020-12-16 10:05:04 | ed8 | HTTP body length: (550)
2020-12-16 10:05:04 | ed8 | Duo two-factor login for myusername
Enter a passcode or select one of the following options:
1. Duo Push to +XX XXX XXX 0000
2. Duo Push to CellPhone1
3. Duo Push to CellPhone2
4. SMS passcodes to +XX XXX XXX 0000
Passcode or option (1-4):
2020-12-16 10:05:04 | ed8 | Password form: secondary_password
2020-12-16 10:05:09 | ed8 | POST https://myendpoint.domain/auth
2020-12-16 10:05:21 | ed8 | Got HTTP response: HTTP/1.1 200 OK
2020-12-16 10:05:21 | ed8 | Connection: Keep-Alive
2020-12-16 10:05:21 | ed8 | Content-Type: text/xml
2020-12-16 10:05:21 | ed8 | Content-Length: 189
2020-12-16 10:05:21 | ed8 | X-Transcend-Version: 1
Expected behavior
In this case it would be nice if the secondary_password window could be rendered like:
Duo two-factor login for myusername
Enter a passcode or select one of the following options:
1. Duo Push to +XX XXX XXX 0000
2. Duo Push to CellPhone1
3. Duo Push to CellPhone2
4. SMS passcodes to +XX XXX XXX 0000
Passcode or option (1-4):
password1: [ ]
Is it possible to capture this message sent by the server and show it as a caption inside the password window?
Edited by Mattia C.
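Added example, not part of the original issue and not OpenConnect-GUI code: a small parser for the log format quoted above that recovers the server's multi-line prompt and ties it to the form field it belongs to. It assumes, as in the quoted log, that the message entry is logged immediately before the "Text form:" / "Password form:" line; the function names and the sample log are constructed for illustration.

```python
import re

# Constructed sample in the log format quoted in the issue (values sanitized).
SAMPLE_LOG = """\
2020-12-16 10:05:04 | ed8 | HTTP body length: (310)
2020-12-16 10:05:04 | ed8 | Please enter your password.
2020-12-16 10:05:04 | ed8 | Password form: password
2020-12-16 10:05:04 | ed8 | POST https://myendpoint.domain/auth
2020-12-16 10:05:04 | ed8 | HTTP body length: (550)
2020-12-16 10:05:04 | ed8 | Duo two-factor login for myusername
Enter a passcode or select one of the following options:
1. Duo Push to +XX XXX XXX 0000
2. SMS passcodes to +XX XXX XXX 0000
Passcode or option (1-2):
2020-12-16 10:05:04 | ed8 | Password form: secondary_password
2020-12-16 10:05:09 | ed8 | POST https://myendpoint.domain/auth
"""

# "<date> <time> | <thread id> | <text>" starts a new log entry.
ENTRY = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} \| \w+ \| (.*)$")
# Form announcements as they appear in the quoted log.
FORM = re.compile(r"^(?:Text|Password) form: (\S+)$")

def parse_entries(log):
    """Split the log into entries; a line without a timestamp
    continues the previous entry (this is how the Duo menu is logged)."""
    entries = []
    for line in log.splitlines():
        m = ENTRY.match(line)
        if m:
            entries.append(m.group(1))
        elif entries:
            entries[-1] += "\n" + line
    return entries

def prompts_by_field(log):
    """Map each form field name to the message logged just before it
    (assumption: message and form line are adjacent, as in the issue's log)."""
    entries = parse_entries(log)
    result = {}
    for prev, cur in zip(entries, entries[1:]):
        m = FORM.match(cur)
        if m:
            result[m.group(1)] = prev.strip()
    return result

if __name__ == "__main__":
    for field, message in prompts_by_field(SAMPLE_LOG).items():
        print(f"[{field}]\n{message}\n")
```

Run against a saved copy of the log panel, this prints the full Duo option menu under `secondary_password`, which is the text the issue asks to have shown as the caption of the password window.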