Mailing List Archive

vpnc secret on cmd line
Hello,

I'm using vpnc to connect to our company network with the following
config:

# cat /usr/local/etc/vpnc.conf
IPSec gateway xxx.xxx.xxx.xxx
IPSec ID XXXXXXXXXXX
IPSec secret XXXXXXXXXXX
Xauth username XXXXXXXXXXX
Xauth password XXXXXXXXXXX
NAT Traversal Mode cisco-udp
No Detach

When I start /usr/local/sbin/vpnc I'm asked for an additional secret
which I must generate with an RSA token, an 8-digit number, which is valid
for the remainder of 60 seconds; sometimes I must wait for the 2nd number if
this remainder is not long enough to type it. This works reasonably well.

Is there a way to give this number already on the cmd line like

# /usr/local/sbin/vpnc 12345678

I know, it is visible over my shoulders or with ps in the system, but
this is no risk, because it is in use or only valid for a few seconds.

Thanks

matthias

--
Matthias Apitz, ✉ guru@unixarea.de, ⌂ http://www.unixarea.de/ ☎ +49-176-38902045
My Lord, give us back the problems of yesterday, those we have had in the GDR.
_______________________________________________
vpnc-devel mailing list
vpnc-devel@unix-ag.uni-kl.de
https://lists.unix-ag.uni-kl.de/mailman/listinfo/vpnc-devel
http://www.unix-ag.uni-kl.de/~massar/vpnc/
Re: vpnc secret on cmd line
On Wed, 2016-04-27 at 15:12 +0200, Matthias Apitz wrote:
> Hello,
>
> I'm using vpnc to connect to our company network with the following
> config:
>
> # cat /usr/local/etc/vpnc.conf
> IPSec gateway xxx.xxx.xxx.xxx
> IPSec ID XXXXXXXXXXX
> IPSec secret XXXXXXXXXXX
> Xauth username XXXXXXXXXXX
> Xauth password XXXXXXXXXXX
> NAT Traversal Mode cisco-udp
> No Detach
>
> When I start /usr/local/sbin/vpnc I'm asked for an additional secret
> which I must generate with an RSA token, an 8-digit number, which is
> valid for the remainder of 60 seconds; sometimes I must wait for the
> 2nd number if this remainder is not long enough to type it. This works
> reasonably well.
>
> Is there a way to give this number already on the cmd line like
>
> # /usr/local/sbin/vpnc 12345678

This additional secret is requested by the VPN server when it is
required, and currently there isn't any way to enter this number on the
command line with vpnc.

Dan
Re: vpnc secret on cmd line

Hi Matthias,

uh
>> I know, it is visible over my shoulders or with ps in the system,
>> but this is no risk, because it is in use or only valid for a few
>> seconds.

I hope we both agree that this isn't a safe assumption. Someone having
access to ps on your machine would then have a generous 60s to
(automatedly?) abuse that token.

However, shouldn't it just work if you connected stdin and stdout of
your vpnc instance to your own program and parsed the output of VPNC,
looking for the challenge, and then pipe in the one-time token, e.g.
read from a private file?

Best regards,
Marcus

On 04/27/2016 03:12 PM, Matthias Apitz wrote:
>
> Hello,
>
> I'm using vpnc to connect to our company network with the
> following config:
>
> # cat /usr/local/etc/vpnc.conf
> IPSec gateway xxx.xxx.xxx.xxx
> IPSec ID XXXXXXXXXXX
> IPSec secret XXXXXXXXXXX
> Xauth username XXXXXXXXXXX
> Xauth password XXXXXXXXXXX
> NAT Traversal Mode cisco-udp
> No Detach
>
> When I start /usr/local/sbin/vpnc I'm asked for an additional
> secret which I must generate with an RSA token, an 8-digit number,
> which is valid for the remainder of 60 seconds; sometimes I must wait
> for the 2nd number if this remainder is not long enough to type it.
> This works reasonably well.
>
> Is there a way to give this number already on the cmd line like
>
> # /usr/local/sbin/vpnc 12345678
>
> I know, it is visible over my shoulders or with ps in the system,
> but this is no risk, because it is in use or only valid for a few
> seconds.
>
> Thanks
>
> matthias
>
Re: vpnc secret on cmd line
On Wednesday, April 27, 2016 at 09:50:49AM -0500, Dan Williams wrote:

> > Is there a way to give this number already on the cmd line like
> >
> > # /usr/local/sbin/vpnc 12345678
>
> This additional secret is requested by the VPN server when it is
> required, and currently there isn't any way to enter this number on the
> command line with vpnc.
>
> Dan

Hi Dan,
Thanks. Is there a structured way for feature requests, CR, some bugzilla,
launchpad, Jira, Gnats, ...?

matthias
--
Matthias Apitz, ✉ guru@unixarea.de, ⌂ http://www.unixarea.de/ ☎ +49-176-38902045
My Lord, give us back the problems of yesterday, those we have had in the GDR.
Re: vpnc secret on cmd line
On Wednesday, April 27, 2016 at 04:56:06PM +0200, Marcus Müller wrote:

> >> I know, it is visible over my shoulders or with ps in the system,
> >> but this is no risk, because it is in use or only valid for a few
> >> seconds.
>
> I hope we both agree that this isn't a safe assumption. Someone having
> access to ps on your machine would then have a generous 60s to
> (automatedly?) abuse that token.

I was told the token is invalidated once you have logged in with it, i.e. you
can't use it twice and must wait for the next token. And you do not have
60 secs, but only a few remaining secs. It counts down, and when I hit
enter I could do it in the last 2-3 secs.

> However, shouldn't it just work if you connected stdin and stdout of
> your vpnc instance to your own program and parsed the output of VPNC,
> looking for the challenge, and then pipe in the one-time token, e.g.
> read from a private file?

I will test it, but I think vpnc will not read stdin, but the controlling
tty.

matthias
--
Matthias Apitz, ✉ guru@unixarea.de, ⌂ http://www.unixarea.de/ ☎ +49-176-38902045
My Lord, give us back the problems of yesterday, those we have had in the GDR.
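Marcus's suggestion (drive vpnc from your own program and feed the one-time token from a private file) and Matthias's objection (vpnc reads its controlling tty, not stdin) can both be covered by running the program under a pseudo-terminal. The script below is an added example written for this page, not vpnc project code. Its assumptions: vpnc's real challenge prompt text is not quoted in the thread, so the prompt pattern is a parameter you set yourself; and the command it drives is a constructed sh stand-in for vpnc that prints a prompt, reads one line from its tty and echoes it back. The token is written over the pty, so it never appears in argv, where ps or /proc/<pid>/cmdline would show it, and the token file is refused unless it is mode 0600.

```python
"""Feed a one-time token to a tty-prompting program through a pseudo-terminal.

Added example for this thread, not vpnc code.  Assumptions:
  * PROMPT_RE is a placeholder; set it to the challenge text your gateway sends.
  * FAKE_VPNC is a constructed sh stand-in for vpnc (prompt, read a line, echo it).
"""
import os
import pty
import re
import select
import signal
import stat
import tempfile


def write_token_file(path: str, token: str) -> None:
    """Create the token file as 0600 from the start (no chmod race)."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(token + "\n")


def read_token_file(path: str) -> str:
    """Refuse a token file that anyone other than the owner can read."""
    st = os.stat(path)
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path}: group/other permission bits set; chmod 600 it")
    with open(path) as f:
        return f.read().strip()


def drive(argv, prompt_re: str, token: str, timeout: float = 30.0):
    """Run argv with a fresh pty as its controlling terminal.

    pty.fork() calls setsid() and makes the pty slave the child's controlling
    tty, so a program that opens /dev/tty instead of reading stdin still gets
    its input from us.  When the accumulated output matches prompt_re, the
    token plus a newline is written exactly once.  Returns (exit_code, output).
    """
    pid, master = pty.fork()
    if pid == 0:  # child: become the target program, never return into Python
        try:
            os.execvp(argv[0], argv)
        except OSError:
            os._exit(127)
    pat = re.compile(prompt_re.encode())
    buf = b""
    sent = False
    try:
        while True:
            ready, _, _ = select.select([master], [], [], timeout)
            if not ready:
                raise TimeoutError("program produced no output within timeout")
            try:
                chunk = os.read(master, 4096)
            except OSError:  # Linux reports EIO once the child closes the slave
                break
            if not chunk:  # EOF on other platforms
                break
            buf += chunk
            if not sent and pat.search(buf):
                os.write(master, token.encode() + b"\n")
                sent = True
    except BaseException:
        try:
            os.kill(pid, signal.SIGKILL)  # don't leave a hung child behind
        except OSError:
            pass
        raise
    finally:
        os.close(master)
        _, status = os.waitpid(pid, 0)
    code = os.WEXITSTATUS(status) if os.WIFEXITED(status) else -1
    return code, buf.decode(errors="replace")


# Constructed stand-in for vpnc: prompts on its tty, reads one line, echoes it.
FAKE_VPNC = ["sh", "-c", 'printf "Enter token: "; read -r t; echo "got=$t"']
PROMPT_RE = r"Enter token: "  # assumption: replace with the real vpnc prompt text


def demo() -> dict:
    """End-to-end run against the stand-in; returns values a test can check."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "token")
        write_token_file(path, "12345678")
        token = read_token_file(path)
        os.chmod(path, 0o644)  # a world-readable copy must be rejected
        try:
            read_token_file(path)
            rejected_loose_perms = False
        except PermissionError:
            rejected_loose_perms = True
        code, out = drive(FAKE_VPNC, PROMPT_RE, token)
    return {"token": token, "exit_code": code, "output": out,
            "rejected_loose_perms": rejected_loose_perms}


if __name__ == "__main__":
    r = demo()
    print(r["exit_code"], r["output"].strip().splitlines()[-1])
```

To use it against the real client, replace FAKE_VPNC with the vpnc command line and PROMPT_RE with the text of the challenge prompt the gateway actually sends; the token file still has to be refreshed with a fresh tokencode before each run, which is the part David Woodhouse's libstoken suggestion below would automate.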
Re: vpnc secret on cmd line
On Wed, 2016-04-27 at 16:56 +0200, Marcus Müller wrote:
>
> However, shouldn't it just work if you connected stdin and stdout of
> your vpnc instance to your own program and parsed the output of VPNC,
> looking for the challenge, and then pipe in the one-time token, e.g.
> read from a private file?

Or used libstoken to generate the tokencode on demand, instead of
feeding it in externally.

--
dwmw2