OpenConnect Package Issue in Ubuntu 22.04 (Jammy) - MFA Authentication Failure
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| openconnect (Ubuntu) |
New
|
Undecided
|
Unassigned | ||
Bug Description
Dear Maintainer,
I hope this message finds you well. I am writing to report a bug related to the OpenConnect package in Ubuntu 22.04 (Jammy). The current version of OpenConnect in the Jammy repositories is 8.20.1, and I have encountered a critical issue with Multi-Factor Authentication (MFA) that I believe requires attention.
Bug Description:
----------------
The issue arises when attempting to authenticate using a Multi-Factor Authentication (MFA) mechanism sent by the server in HTML format. The current version of OpenConnect in the Jammy repositories seems to struggle with properly parsing this type of MFA, resulting in authentication failures. As MFA is becoming increasingly prevalent for secure network access, this bug significantly impacts the usability of the OpenConnect package.
Log:
-----
# sudo openconnect -v --protocol=gp 189.9.32.250 -u anilton.junior
POST https:/
Tentando conectar ao servidor 189.9.32.250:443
Conectado a 189.9.32.250:443
Negociação SSL com 189.9.32.250
Verificação do certificado do servidor falhou: signatário não encontrado
Certificado do servidor VPN “189.9.32.250” falhou na verificação.
Motivo: signatário não encontrado
Para confiar neste servidor no futuro, você pode adicionar isso a sua linha de comando:
--servercert pin-sha256:
Digite “sim” para aceitar, “não” para abortar; qualquer outra tecla para visualizar: sim
Conectado ao HTTP no 189.9.32.250 com suíte criptografada (TLS1.2)
Obteve resposta HTTP: HTTP/1.1 200 OK
Date: Tue, 28 Nov 2023 13:48:09 GMT
Content-Type: application/xml; charset=UTF-8
Content-Length: 475
Connection: keep-alive
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
X-Frame-Options: DENY
Strict-
X-XSS-Protection: 1; mode=block
X-Content-
Content-
Corpo de HTTP length: (475)
Prelogin form _login: "Username: " user(TEXT)=(null), "Password: " passwd(PASSWORD)
Enter login credentials
Password:
POST https:/
Obteve resposta HTTP: HTTP/1.1 200 OK
Date: Tue, 28 Nov 2023 13:48:11 GMT
Content-Type: application/xml; charset=UTF-8
Content-Length: 9136
Connection: keep-alive
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
X-Frame-Options: DENY
Strict-
X-XSS-Protection: 1; mode=block
X-Content-
Content-
Corpo de HTTP length: (9136)
Portal definiu intervalo de relatório HIP para 60 minutos.
1 servidores gateway disponíveis:
VPN-MFA (189.9.32.250)
Por favor, selecione o gateway GlobalProtect.
GATEWAY: [VPN-MFA]:VPN-MFA
POST https:/
Obteve resposta HTTP: HTTP/1.1 200 OK
Date: Tue, 28 Nov 2023 13:48:12 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 185
Connection: keep-alive
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
X-Frame-Options: DENY
Strict-
X-XSS-Protection: 1; mode=block
X-Content-
Content-
Corpo de HTTP length: (185)
Falha ao analisar resposta do servidor
Resposta foi: <html>
<head></head>
<body>
var respStatus = "Challenge";
var respMsg = "Enter Your Microsoft verification code";
thisForm.
</body>
</html>
Falha ao completar autenticação
Additional Information:
-------
The error message "Falha ao analisar resposta do servidor" translates to "Failure to parse the server response"
Please let me know if you require further information or if there are specific steps I should take to assist in resolving this issue. Your prompt attention to this matter is highly appreciated.
Thank you,
Anilton Junior
