
Comments (30)

adrienverge commented on July 18, 2024

Hi Ralf,

I had a look at your code and it doesn't look bad.

Since I've never used these new authentication methods (2FA, OTP...) with Fortinet VPNs, I'd really like to hear what other contributors think of your OTP change.

Especially, we must make sure it does not break behavior for older regular VPNs (I'm thinking about src/http.c at line 494).

from openfortivpn.

mrbaseman commented on July 18, 2024

I think we can close this one since for #365 there is a fix included in 1.7.1

dsgwork commented on July 18, 2024

@schlatterbeck yes please provide the HTTP requests/responses during the authentication phase (minus any sensitive information of course). It should help to diagnose what's going wrong.

The interesting code here is in the auth_log_in function in src/http.c. Please check if it's the first or second header check (i.e., before or during two-factor auth) that's returning ERR_HTTP_BAD_RES_CODE.

If there's nothing obvious that jumps out from that info, it would also be very useful to have the HTTP requests/responses from the official Fortinet client when connecting to the same VPN. For example, there are two code fields (code= and code2=). Since I have no idea what code2= is supposed to convey and it wasn't used in the VPNs I tested with when adding the two-factor support, we send it empty. Perhaps your gateway is expecting some data there? Having the dialog from the official client to compare should help determine that.

adrienverge commented on July 18, 2024

@dsgwork Thanks for taking care of this :)

(I don't have access to a Fortinet VPN anymore)

schlatterbeck commented on July 18, 2024

schlatterbeck commented on July 18, 2024

dsgwork commented on July 18, 2024

This is interesting. Looks like this is a different method of two-factor authentication. I guess these are physical tokens giving you the second factor?

The two-factor setups I've worked with were SMS-based, so the second factor authentication SMS is only delivered after the initial call to /remote/logincheck, and the client then calls it again with the received token once it's been delivered.

In this case it seems the token and password are both requested at the same time. As you say, the expected behaviour is obvious (just stuff the token into the magic= parameter in the first call to /remote/logincheck).

A quick-and-dirty hack to let the client ask for the 2FA code and stuff it into the first call should be easy to do, and would allow you to connect. A proper patch fit for upstreaming would likely need to change the auth_log_in function to parse the response body from the first call, see if there is an input field in the form with NAME="magic" and if so, request 2FA code and add it to the second call. I don't think there's any plumbing for this, as we currently only look at the HTTP headers during this stage. This isn't terribly difficult, but I don't expect I'll have time to make a patch in a reasonable timeframe these days (and since I don't have access to any VPNs with a similar setup, I couldn't test it either). If you can cook something up that would be great!

How would you debug the original client? I've used an ssl mitm proxy in the past, but maybe there's an easier way?

Unfortunately no, IIRC I used stunnel as a SSL MitM proxy last time I needed to do this. But I think in this case it's not needed, as we have a clear idea of what needs to be done on the client side. Just need someone to make the proper modifications.
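
Added example, not openfortivpn's code and not a capture from anyone in this thread: a Python model of the two /remote/logincheck exchanges dsgwork describes above (SMS token delivered after the first call versus a token that must be sent in magic= from the start), together with the proposed client-side check, namely to prompt for a second factor only if the first reply's form contains an input named "magic". Only /remote/logincheck, magic= and code2= (sent empty) come from the thread; the field names username and credential, the reqid field, the sample HTML and the fake gateway are assumptions made for this example.

```python
# Added example (not openfortivpn code). Models the two-step
# /remote/logincheck exchange discussed in the thread and the proposed
# check: prompt for a second factor only when the gateway's form asks for
# "magic". Field names other than magic/code2 (username, credential, reqid),
# the sample HTML and the fake gateway are assumptions for this example.
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlencode


class _InputCollector(HTMLParser):
    """Collect name -> value for every <input> in the gateway's reply body."""

    def __init__(self):
        super().__init__()
        self.fields = {}

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "input":
            return
        attrs = {k.lower(): (v or "") for k, v in attrs}
        if "name" in attrs:
            self.fields[attrs["name"]] = attrs.get("value", "")


def parse_login_form(body):
    """Return the input fields of the form in a /remote/logincheck reply."""
    parser = _InputCollector()
    parser.feed(body)
    return parser.fields


def needs_second_factor(body):
    """The check proposed in the thread: prompt only if the form asks for magic."""
    return "magic" in parse_login_form(body)


def build_logincheck_body(username, password, reply_fields=None, token=None):
    """Form-encode the POST body for /remote/logincheck.

    reply_fields: fields parsed from the previous reply (e.g. reqid) are echoed back.
    token: the second factor; it goes into magic=. code2= is sent empty, as the
    client currently does.
    """
    fields = dict(reply_fields or {})
    fields.update({"username": username, "credential": password})
    if token is not None:
        fields["magic"] = token
        fields.setdefault("code2", "")
    return urlencode(fields)


# Constructed reply body: a gateway that wants the token on the next call.
TOKEN_GATE_HTML = """<html><body><form action="/remote/logincheck" method="post">
<input type="hidden" name="reqid" value="12345">
<input type="text" name="magic" value="">
<input type="hidden" name="code2" value="">
</form></body></html>"""


class FakeGateway:
    """Constructed stand-in for the gateway: checks user/pass, then needs magic=<token>."""

    def __init__(self, username, password, token):
        self._creds = (username, password)
        self._token = token

    def logincheck(self, body):
        """Return (status_code, headers, html_body) for one POST."""
        f = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
        if (f.get("username"), f.get("credential")) != self._creds:
            return 403, {}, "<html>Permission denied</html>"
        if f.get("magic") == self._token and f.get("reqid") == "12345":
            return 200, {"Set-Cookie": "SVPNCOOKIE=constructed-session-cookie"}, ""
        return 200, {}, TOKEN_GATE_HTML


def authenticate(gw, username, password, ask_token):
    """Drive the exchange; ask_token() is only called if the form asks for magic.

    Returns the session cookie header value, or None when either call fails.
    """
    status, headers, body = gw.logincheck(build_logincheck_body(username, password))
    if status != 200:
        return None  # first header check fails: bad credentials or no portal access
    if "SVPNCOOKIE" in headers.get("Set-Cookie", ""):
        return headers["Set-Cookie"]  # this gateway needed no second factor
    if not needs_second_factor(body):
        return None
    second = build_logincheck_body(username, password, parse_login_form(body), ask_token())
    status, headers, _ = gw.logincheck(second)
    if status == 200 and "SVPNCOOKIE" in headers.get("Set-Cookie", ""):
        return headers["Set-Cookie"]
    return None  # second header check fails: token rejected


if __name__ == "__main__":
    gw = FakeGateway("alice", "pw", "123456")
    print(authenticate(gw, "alice", "pw", lambda: input("Two-factor token: ")))
```

With a correct token the second call returns the cookie; with a wrong one the gateway serves the form again and authenticate() returns None, which is the point at which a real client would report the second header check failing.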

schlatterbeck commented on July 18, 2024

schlatterbeck commented on July 18, 2024

dsgwork commented on July 18, 2024

Hi all,

Finally got my VPN sorted again (password had expired so I couldn't test before). I can confirm the SMS-based 2FA authentication still works with the patch applied.

Code looks good to me, 👍 for inclusion :)

schlatterbeck commented on July 18, 2024

schlatterbeck commented on July 18, 2024

fretn commented on July 18, 2024

I tried to connect with openfortivpn to a fortisslvpn which has 2FA enabled through a radius server and it fails to connect, this is the console output:

[fretn@latika ~]$ sudo openfortivpn vpn.host.com:443 -vvv -u username -p password --trusted-cert fb4d377259083b5b606da9a46ab3bac569bc96a14a8cc5c509bc35d563fd198b3
WARN:   You should not pass the password on the command line. Type it interactively or use a config file instead.
WARN:   Bad port in config file: "0".
DEBUG:  Loaded config file "/usr/local/Cellar/openfortivpn/1.6.0/etc/openfortivpn/config".
DEBUG:  Config host = "vpn.host.com"
DEBUG:  Config realm = ""
DEBUG:  Config port = "443"
DEBUG:  Config username = "username"
DEBUG:  Config password = "********"
DEBUG:  server_addr: 123.124.125.126
DEBUG:  server_port: 443
DEBUG:  gateway_addr: 123.124.125.126
DEBUG:  gateway_port: 443
DEBUG:  Gateway certificate validation failed.
DEBUG:  Gateway certificate digest found in white list.
INFO:   Connected to gateway.
Please enter one-time password:
DEBUG:  Error reading from SSL connection (Protocol violation with EOF).
DEBUG:  server_addr: 123.124.125.126
DEBUG:  server_port: 443
DEBUG:  gateway_addr: 123.124.125.126
DEBUG:  gateway_port: 443
DEBUG:  Gateway certificate validation failed.
DEBUG:  Gateway certificate digest found in white list.
DEBUG:  Cookie: SVPNCOOKIE=kbvtdDj0LpMyEGClFOZpCmPGPhj/Wf5j3lzB/Yt4wGtQsYBy1Kx1C96ObRaF1XG20cSk4OF989paCVYpBfrBWNZta0RT0JyFjQy+yQrFxIoZ2e0cmbjlwAlzLN59Yjx9aZkyWLP9pkwXVM5qDTy9QFbAGI7Fr2ewBCOlqXCu/IntIW2V3d31sHnMCh/83HTZj67M2AWJp/PZspdm4tEE/xg==
INFO:   Authenticated.
DEBUG:  Cookie: SVPNCOOKIE=kbvtdDj0LpMyEGClFOZpCmPGPhj/Wf5j3lzB/Yt4wGtQsYBy1Kx1C96ObRaF1XG20cSk4OF989paCVYpBfrBWNZta0RT0JyFjQy+yQrFxIoZ2e0cmbjlwAlzLN59Yjx9aZkyWLP9pkwXVM5qDTy9QFbAGI7Fr2ewBCOlqXCu/IntIW2V3d31sHnMCh/83HTZj67M2AWJp/PZspdm4tEE/xg==
INFO:   Remote gateway has allocated a VPN.
DEBUG:  server_addr: 123.124.125.126
DEBUG:  server_port: 443
DEBUG:  gateway_addr: 123.124.125.126
DEBUG:  gateway_port: 443
DEBUG:  Gateway certificate validation failed.
DEBUG:  Gateway certificate digest found in white list.
DEBUG:  pppd_read_thread
DEBUG:  ssl_read_thread
DEBUG:  ssl_write_thread
DEBUG:  if_config thread
ERROR:  Received bad header from gateway:
  (hex) 48 54 54 50 2f 31 2e 31 20 34 30 33 20 46 6f 72 62 69 64 64 65 6e 0d 0a 44 61 74 65 3a 20 46 72 69 2c 20 31 33 20 41 70 72 20 32 30 31 38 20 30 38 3a 30 35 3a 32 36 20 47 4d 54 0d 0a 53 65 72 76 65 72 3a 20 78 78 78 78 78 78 78 78 2d 78 78 78 78 78 0d 0a 54 72 61 6e 73 66 65 72 2d 45 6e 63 6f 64 69 6e 67 3a 20 63 68 75 6e 6b 65 64 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 68 74 6d 6c 0d 0a 58 2d 46 72 61 6d 65 2d 4f 70 74 69 6f 6e 73 3a 20 53 41 4d 45 4f 52 49 47 49 4e 0d 0a 43 6f 6e 74 65 6e 74 2d 53 65 63 75 72 69 74 79 2d 50 6f 6c 69 63 79 3a 20 66 72 61 6d 65 2d 61 6e 63 65 73 74 6f 72 73 20 27 73 65 6c 66 27 0d 0a 58 2d 58 53 53 2d 50 72 6f 74 65 63 74 69 6f 6e 3a 20 31 3b 20 6d 6f 64 65 3d 62 6c 6f 63 6b 0d 0a 0d 0a 36 36 61 20 20

  (raw) HTTP/1.1 403 Forbidden.
Date: Fri, 13 Apr 2018 08:05:26 GMT.
Server: xxxxxxxx-xxxxx.
Transfer-Encoding: chunked.
Content-Type: text/html.
X-Frame-Options: SAMEORIGIN.
Content-Security-Policy: frame-ancestors 'self'.
X-XSS-Protection: 1; mode=block.
.
66a 
[fretn@latika ~]$

DimitriPapadopoulos commented on July 18, 2024

@fretn Which version of openfortivpn are you running? Vanilla 1.6.0 or the latest version available from git?

mrbaseman commented on July 18, 2024

I was looking into this, too, and it's quite strange.
It already sais "INFO: Remote gateway has allocated a VPN." and even goes into io_loop as we can see at the startup of the pthreads, and at this point suddenly the ssl_read thread receives a HTTP/1.1 403 Forbidden header. So, in run_tunnel we have already reached io_loop around here
I was thinking if this could be a timing issue with the threads, but all the authentication stuff happens already before threads come into play.

DimitriPapadopoulos commented on July 18, 2024

By the way is this message to be expected?
DEBUG: Error reading from SSL connection (Protocol violation with EOF).

fretn commented on July 18, 2024

@DimitriPapadopoulos latest one in homebrew (macos) Vanilla 1.6.0

and now I just tried git version on linux and it fails too, see below

[frlae@modimo openfortivpn]$ sudo ./openfortivpn vpn.host.com:443 -vvv -u username -p 'password' --trusted-cert fb4d377259083b5b606da9a46ab3a4066bc96a14a8cc5c509bc35d563fd198b3
WARN:   You should not pass the password on the command line. Type it interactively or use a config file instead.
WARN:   Could not load config file "/usr/local/etc/openfortivpn/config" (No such file or directory).
DEBUG:  Config host = "vpn.host.com"
DEBUG:  Config realm = ""
DEBUG:  Config port = "443"
DEBUG:  Config username = "username"
DEBUG:  Config password = "********"
DEBUG:  server_addr: 123.124.125.126
DEBUG:  server_port: 443
DEBUG:  gateway_addr: 123.124.125.126
DEBUG:  gateway_port: 443
DEBUG:  Gateway certificate validation failed.
DEBUG:  Gateway certificate digest found in white list.
INFO:   Connected to gateway.
Please enter one-time password:
DEBUG:  Error reading from SSL connection (Protocol violation with EOF).
DEBUG:  server_addr: 123.124.125.126
DEBUG:  server_port: 443
DEBUG:  gateway_addr: 123.124.125.126
DEBUG:  gateway_port: 443
DEBUG:  Gateway certificate validation failed.
DEBUG:  Gateway certificate digest found in white list.
DEBUG:  Cookie: SVPNCOOKIE=vtktdDj0LpMyEGClFOZpCmPGPhj/Wf5j3lzB/Yt4wGtQsYBy1Kx1C96ObRaF1XG20cSk4OF989paCVYpBfrBWNZta0RT0JyFjQy+yQrFxIoZ2e0cmbjlwAlzLN59Yjx9aZkyWLP9pkwXVM5qDTy9QFbAGI7Fr2ewBCOlqXCu/IntIW2V3d31sHnMCh/83HTZj67M2AWJp/PZspdm4tEE/bc==
INFO:   Authenticated.
DEBUG:  Cookie: SVPNCOOKIE=vtktdDj0LpMyEGClFOZpCmPGPhj/Wf5j3lzB/Yt4wGtQsYBy1Kx1C96ObRaF1XG20cSk4OF989paCVYpBfrBWNZta0RT0JyFjQy+yQrFxIoZ2e0cmbjlwAlzLN59Yjx9aZkyWLP9pkwXVM5qDTy9QFbAGI7Fr2ewBCOlqXCu/IntIW2V3d31sHnMCh/83HTZj67M2AWJp/PZspdm4tEE/bc==
INFO:   Remote gateway has allocated a VPN.
DEBUG:  server_addr: 123.124.125.126
DEBUG:  server_port: 443
DEBUG:  gateway_addr: 123.124.125.126
DEBUG:  gateway_port: 443
DEBUG:  Gateway certificate validation failed.
DEBUG:  Gateway certificate digest found in white list.
DEBUG:  pppd_read thread
DEBUG:  ssl_write thread
DEBUG:  ssl_read thread
DEBUG:  if_config thread
ERROR:  Received bad header from gateway:
  (hex) 48 54 54 50 2f 31 2e 31 20 34 30 33 20 46 6f 72 62 69 64 64 65 6e 0d 0a 44 61 74 65 3a 20 46 72 69 2c 20 31 33 20 41 70 72 20 32 30 31 38 20 30 39 3a 32 39 3a 33 36 20 47 4d 54 0d 0a 53 65 72 76 65 72 3a 20 78 78 78 78 78 78 78 78 2d 78 78 78 78 78 0d 0a 54 72 61 6e 73 66 65 72 2d 45 6e 63 6f 64 69 6e 67 3a 20 63 68 75 6e 6b 65 64 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 68 74 6d 6c 0d 0a 58 2d 46 72 61 6d 65 2d 4f 70 74 69 6f 6e 73 3a 20 53 41 4d 45 4f 52 49 47 49 4e 0d 0a 43 6f 6e 74 65 6e 74 2d 53 65 63 75 72 69 74 79 2d 50 6f 6c 69 63 79 3a 20 66 72 61 6d 65 2d 61 6e 63 65 73 74 6f 72 73 20 27 73 65 6c 66 27 0d 0a 58 2d 58 53 53 2d 50 72 6f 74 65 63 74 69 6f 6e 3a 20 31 3b 20 6d 6f 64 65 3d 62 6c 6f 63 6b 0d 0a 0d 0a 36 36 61 20 20

  (raw) HTTP/1.1 403 Forbidden.
Date: Fri, 13 Apr 2018 09:29:36 GMT.
Server: xxxxxxxx-xxxxx.
Transfer-Encoding: chunked.
Content-Type: text/html.
X-Frame-Options: SAMEORIGIN.
Content-Security-Policy: frame-ancestors 'self'.
X-XSS-Protection: 1; mode=block.
.
66a 
INFO:   Cancelling threads...
DEBUG:  Waiting for pppd to exit...
DEBUG:  waitpid: pppd terminated by signal 1
ERROR:  pppd: terminated by signal: Hangup
INFO:   Terminated pppd.
INFO:   Closed connection to gateway.
DEBUG:  server_addr: 123.124.125.126
DEBUG:  server_port: 443
DEBUG:  gateway_addr: 123.124.125.126
DEBUG:  gateway_port: 443
DEBUG:  Gateway certificate validation failed.
DEBUG:  Gateway certificate digest found in white list.
INFO:   Logged out.
[frlae@modimo openfortivpn]$

DimitriPapadopoulos commented on July 18, 2024

Have you perhaps tried the proprietary FortiClient and if so does it work?

fretn commented on July 18, 2024

Very good point: the proprietary client doesn't work either. It worked at the beginning of the week, so never mind the above messages, something else is going on.

DimitriPapadopoulos commented on July 18, 2024

Here are a few similar issues found online:

Looks like an issue with the FortiGate device. Not sure how to improve the error message though. Perhaps it would help if you could show us the error displayed by FortiClient.

mrbaseman commented on July 18, 2024

It makes sense now, @fretn: you had the permission to access the web portal, but you didn't have the permission to open a tunnel. Mapping the permissions to groups/users is sometimes difficult to understand. I once couldn't log in until I had added a firewall rule that allowed me to access anything. My interpretation was that if FortiOS notices that a particular account has no permissions to access any location on any network, it optimizes the account away and doesn't even allow it to log in.

For the record, if all the authentication stuff works and establishing the ppp tunnel fails with a 403 Forbidden it's probably due to the missing permission to open a tunnel.
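
Added example, not openfortivpn's code: the rule of thumb mrbaseman states above, turned into a small check over a -vvv log. It decodes the "(hex)" header dump openfortivpn prints, reads the HTTP status code, and reports a 403 Forbidden that arrives only after "Authenticated." and "Remote gateway has allocated a VPN." as a tunnel-permission problem rather than a credential problem. The log excerpt is shortened from the output fretn posted in this thread; the result labels are this example's own.

```python
# Added example (not openfortivpn code). Applies the thread's rule of thumb
# to a -vvv log: a 403 that only shows up after "Authenticated." and
# "Remote gateway has allocated a VPN." means the account may use the portal
# but has no permission to open a tunnel. The excerpt below is shortened
# from the output posted in the thread; the result labels are ours.
import re

# Shortened from the console output posted in this thread.
SAMPLE_LOG = """\
INFO:   Connected to gateway.
Please enter one-time password:
DEBUG:  Error reading from SSL connection (Protocol violation with EOF).
INFO:   Authenticated.
INFO:   Remote gateway has allocated a VPN.
DEBUG:  ssl_read_thread
ERROR:  Received bad header from gateway:
  (hex) 48 54 54 50 2f 31 2e 31 20 34 30 33 20 46 6f 72 62 69 64 64 65 6e 0d 0a
"""

_HEX_LINE = re.compile(r"^\s*\(hex\)\s*((?:[0-9a-fA-F]{2}\s*)+)$")


def decode_hex_dump(line):
    """Turn the '(hex) 48 54 ...' line openfortivpn prints back into bytes."""
    m = _HEX_LINE.match(line)
    if not m:
        raise ValueError("not a (hex) dump line")
    return bytes.fromhex(m.group(1))


def http_status(raw):
    """Status code from the first line of an HTTP response, or None."""
    first = raw.split(b"\r\n", 1)[0]
    m = re.match(rb"HTTP/\d\.\d (\d{3})", first)
    return int(m.group(1)) if m else None


def diagnose(log_text):
    """Classify where the connection failed.

    Returns "ok", "auth-failed", "tunnel-forbidden", "bad-header-<code>"
    or "unknown".
    """
    authenticated = False
    vpn_allocated = False
    status = None
    for line in log_text.splitlines():
        if line.startswith("INFO:") and "Authenticated." in line:
            authenticated = True
        elif "Remote gateway has allocated a VPN." in line:
            vpn_allocated = True
        elif "(hex)" in line:
            status = http_status(decode_hex_dump(line))
    if status is None:
        return "ok" if authenticated and vpn_allocated else "unknown"
    if not authenticated:
        return "auth-failed"
    if status == 403 and vpn_allocated:
        # Portal login succeeded; the gateway refused the tunnel itself.
        return "tunnel-forbidden"
    return "bad-header-%d" % status


if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG))
```

The same decoder is handy on its own: feeding it the full "(hex)" line from the log above yields the complete 403 response headers, including the chunked "66a" size line that follows the blank line.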

fretn commented on July 18, 2024

Yes that was indeed the issue. I didn’t try that specific user with the official client, I only tried the portal. Sorry for wasting your time

thackel commented on July 18, 2024

The OTP support is somehow working: with "-o foobar" I then get asked for the real token ("Two-factor authentication token:").
So I don't provide the current token on the command line, I just activate OTP by using the switch.

Is it possible to switch it on via configuration file?

schlatterbeck commented on July 18, 2024

thackel commented on July 18, 2024

Something is different then.

  • Server is using OTP.
  • Without "--otp foobar" there is no prompt for the token.
  • When I use "--otp VALIDTOKEN" I get asked for the token and use the same VALIDTOKEN as on the command line to establish the connection.

So it does not matter what I provide after "--otp"; for me it just somehow activates the prompt.

schlatterbeck commented on July 18, 2024

choonge commented on July 18, 2024

Same symptoms as @thackel here. I would expect that if --otp is provided as an argument, there should be no additional prompt for the token.

The current behaviour also makes it impossible to use the NetworkManager applet, since the applet does not create a GUI prompt for the token but (presumably, I have not read the code) adds the token as an argument instead.

Edit: FYI, we use the FortiGate phone app which generates tokens, so the token is available at the start of auth. But indeed, this may have something to do with server configuration still.

DimitriPapadopoulos commented on July 18, 2024

@choonge I suggest opening a new ticket. This issue has become intractable.

choonge commented on July 18, 2024

Thanks @DimitriPapadopoulos - created #365

schlatterbeck commented on July 18, 2024

Just for documentation: for me, specifying the one-time token from my TOTP hardware token on the command line with something like "--otp number", where number is (for my token) a 6-digit number, still works fine with the latest version from git and without prompting me for a password.

So the question is: what sort of one-time password do you have? In my case it is generated by a hardware token.
