OpenConnect: Passing-over user password when executing authentication request?

Currently I am using the following command for executing an authentication request to obtain the server certificate (FINGERPRINT) and OpenConnect-Cookie:

    openconnect --authenticate --user=<username> "VPN host"

Hereby I always have to enter my password in a later appearing user prompt.

Is there an option available to pass-over the password to OpenConnect already in the upper command?

For example, by extending the command like...

    openconnect --authenticate --user=<username> password=<password> "VPN host"

... ?

The challenge is:

The user RuiFRibeiro had the idea just to echo the password within the command. Unfortunately this does not work in our case, because the server provides one more user prompt before reaching the second prompt (= password prompt).

It will happen like that:

  1. First user prompt: Server saying
    • "Please choose if you want to tunnel all traffic or only specific one."
    • "Type in Tunnel all or Tunnel company".

  2. Second user prompt: Server is saying
    • "Please enter your password."

As you can see, a simple echo would give the wrong answer to the wrong question. :-)

For a possible expect-script the real (exact) server request before inserting text is as follows:

  1. First prompt: GROUP: [tunnel MyCompany|tunnel all]:, answer-insertion should be tunnel MyCompany
  2. Second prompt: Password:, answer-insertion should be 123456789










  • @RuiFRibeiro: You mean executing the request with this command: echo password | openconnect --authenticate --user=<username> "VPN host"? Should I type in my real password or leave it as "password"?
    – Dave
    Aug 26 at 13:23










  • added to the answer.
    – Rui F Ribeiro
    Aug 26 at 13:25















networking configuration command vpn openconnect






edited Sep 3 at 16:28
Jeff Schaller

asked Aug 26 at 13:14
Dave











1 Answer
accepted










Usually, VPN software does not allow the password for a user as input, because it is considered a security risk.

A possible solution is feeding the password via a pipe as in:

    echo -e "Tunnel all\nYourPassword" | openconnect --authenticate --user=<username> "VPN host"

If we are talking about you being interested in this method to write a script:

  • be sure to understand the security implications of having your password in a file, and restrict the read rights of that file only to the user running the openconnect command.

PS: Replace YourPassword with your real password.






  • Thanks for your idea! Unfortunately there is one more user prompt before the mentioned prompt (the one where I have to insert the password). Because of this your command does not fit into this first user prompt, because during the first one the server only wants to know if I want to tunnel everything or just specific traffic. Unfortunately only in the next (= second) prompt the server will ask for the password.
    – Dave
    Aug 26 at 13:28











  • If you are placing the user in the command line, what is the nature of the other prompt? double factor auth?
    – Rui F Ribeiro
    Aug 26 at 13:29











  • In the first prompt the server is asking if I want to tunnel all traffic over the VPN or just specific one. The user prompt where I have to insert my password is the second prompt...
    – Dave
    Aug 26 at 13:32










  • I would add that output/text/interaction to the question in the first place.
    – Rui F Ribeiro
    Aug 26 at 13:32







  • It is working now! I had to write the password with 'password' instead of "password"...
    – Dave
    Aug 27 at 10:01










edited Aug 26 at 13:46

answered Aug 26 at 13:23
Rui F Ribeiro
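
A scripted form of the pipe approach from the answer, as an added example (not code from the original post): it answers the GROUP: prompt and then the Password: prompt in that order, reads the password from a file only after verifying the file is private to the caller, and uses printf '%s\n' so that characters such as $, quotes or backslashes in the password are passed through literally. The function names, the secret-file path and the user/host in the usage comment are assumptions.

```sh
#!/bin/sh
# Added example: feed openconnect the two answers from the question
# (GROUP first, then Password) without putting the password in argv.
# Function names and the secret-file location are assumptions.

# Succeeds only if the file is a regular file owned by the caller and
# carries no group/other permission bits (e.g. mode 0600 or 0400).
check_secret_file() {
    f=$1
    [ -f "$f" ] && [ -O "$f" ] || {
        echo "refusing $f: not a regular file owned by this user" >&2
        return 1
    }
    # ls -ld prints e.g. "-rw------- ..."; symlinks start with "l" and fail.
    case $(ls -ld -- "$f") in
        -???------*) return 0 ;;
    esac
    echo "refusing $f: accessible by group or others (chmod 600)" >&2
    return 1
}

# Prints the stdin openconnect should see: one line per prompt, in the
# order the server asks. printf is a builtin in bash and dash, so the
# password never shows up in the process list, and '%s\n' does not
# interpret $, quotes or backslashes the way echo -e "..." can.
build_answers() {
    group=$1 secret=$2
    check_secret_file "$secret" || return 1
    # First line of the file only; IFS= and -r keep it byte-for-byte.
    IFS= read -r pw < "$secret" || [ -n "$pw" ] || return 1
    printf '%s\n' "$group" "$pw"
}

# Runs the authentication request from the question with both answers
# piped in; aborts before contacting the server if the file is unsafe.
vpn_authenticate() {
    user=$1 host=$2 group=$3 secret=$4
    answers=$(build_answers "$group" "$secret") || return 1
    printf '%s\n' "$answers" |
        openconnect --authenticate --user="$user" "$host"
}

# Usage (user, host and path are placeholders):
#   vpn_authenticate alice vpn.example.com 'tunnel MyCompany' "$HOME/.config/vpn.pw"
```

openconnect(8) also documents --authgroup=GROUP and --passwd-on-stdin; where the installed version supports them, they remove the dependency on the order in which the server asks its questions.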










