GlobalProtect prompts for auth cookie twice
First of all, thanks for this open-source VPN client which has worked great and without issue until now.
I use OpenConnect in conjunction with https://github.com/arthepsy/pan-globalprotect-okta which performs the authentication dance with Okta before running OpenConnect. It works by piping the auth cookie and gateway name into OpenConnect. Since upgrading from v8.05 to v8.10, however, OpenConnect is prompting for the auth cookie again after the gateway, which it never used to do. As a result, I get the error fgets (stdin): Inappropriate ioctl for device because there is no more input to pipe in at that point. I am running on Arch Linux and use the openconnect package from the extra repository.
This behavior happens whether or not --passwd-on-stdin is specified.
I can work around this by re-entering the same auth cookie again. I already scripted this. However, I'm not sure if this is the intended behavior. If so, then I guess the aforementioned Okta script would have to be updated accordingly. But if not, then it's a bug in OpenConnect.
I'm not sure how much detail my organization would want revealed publicly, so I redacted some details from the logs, but here they are.
Example command: sudo openconnect --protocol=gp -u '[REDACTED]' --usergroup portal:portal-userauthcookie --os win --csd-wrapper=hipreport.sh 'https://[REDACTED]'
Output:
POST https://[REDACTED]/global-protect/prelogin.esp?tmp=tmp&clientVer=4100&clientos=Windows
Connected to [REDACTED]:443
SSL negotiation with [REDACTED]
Connected to HTTPS on [REDACTED] with ciphersuite (TLS1.2)-(RSA)-(AES-256-GCM)
Enter login credentials
portal-userauthcookie:
POST https://[REDACTED]/global-protect/getconfig.esp
Portal set HIP report interval to 60 minutes).
[REDACTED] gateway servers available:
[REDACTED] ([REDACTED])
[REDACTED] ([REDACTED])
...
Please select GlobalProtect gateway.
GATEWAY: [[REDACTED]]:[REDACTED]
POST https://[REDACTED]/ssl-vpn/prelogin.esp?tmp=tmp&clientVer=4100&clientos=Windows
Connected to [REDACTED]:443
SSL negotiation with [REDACTED]
Connected to HTTPS on [REDACTED] with ciphersuite (TLS1.2)-(RSA)-(AES-256-GCM)
Enter login credentials
portal-userauthcookie:
I cut the output at the point where it prompts for the cookie a second time.
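Added example, not part of the original report and not code from OpenConnect or pan-globalprotect-okta: a wrapper that answers prompts by label instead of by position keeps working whether the cookie is requested once or twice. The class and function names, the gateway names and the sample output are constructed, and it assumes the prompt labels reach the wrapper in the form shown in the log above.

```python
import re

# Prompt labels copied from the log above. That they reach the wrapper on the
# client's output stream in this form is an assumption of this sketch.
PROMPTS = [
    (re.compile(r"^portal-userauthcookie:$"), "cookie"),
    (re.compile(r"^GATEWAY:.*:$"), "gateway"),
]

class PromptResponder:
    """Answer each prompt by its label, however often the client repeats it."""

    def __init__(self, cookie, gateway):
        self.values = {"cookie": cookie, "gateway": gateway}
        self.buf = ""

    def _match(self, line):
        for pattern, key in PROMPTS:
            if pattern.match(line.strip()):
                return [self.values[key] + "\n"]
        return []

    def feed(self, chunk):
        """Take a chunk of client output; return the stdin lines to send now."""
        self.buf += chunk
        *complete, tail = self.buf.split("\n")
        replies = [r for line in complete for r in self._match(line)]
        # A prompt has no trailing newline, so the unfinished tail is tested too.
        tail_replies = self._match(tail)
        self.buf = "" if tail_replies else tail
        return replies + tail_replies

def replay(chunks, cookie, gateway):
    """Run a captured output stream through the responder; return all replies."""
    responder = PromptResponder(cookie, gateway)
    return [r for chunk in chunks for r in responder.feed(chunk)]

# Constructed output, split at arbitrary read boundaries (not a real capture).
V8_05_STYLE = [
    "Enter login credentials\nportal-userauth", "cookie: ",
    "\nPlease select GlobalProtect gateway.\nGATEWAY: [gw-a|gw-b]:",
]
V8_10_STYLE = V8_05_STYLE + ["\nEnter login credentials\nportal-userauthcookie: "]

if __name__ == "__main__":
    print(replay(V8_10_STYLE, "<cookie>", "gw-a"))
```

Because the cookie is only ever written to the client's stdin, it never appears in the process argument list.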