Handle password change request #132

Open
tetebueno opened this issue Aug 6, 2020 · 11 comments
Comments

@tetebueno

Hi, I really don't know what kind of information to provide since I can't really control the company's user administration. The point is that all passwords were reset, so I needed to provide a new password upon the next connection to the VPN; using OpenFortiGUI I tried connecting and nothing happened. When I tried on a computer with Windows, it just popped up a request for changing the password.

So, steps to reproduce:

  • Force change password on account,
  • connect to the VPN

Expected behaviour:

  • Request to provide new password.

Actual behaviour:

  • Nothing happens.

I'd be glad to provide logs if I knew where to get them.

Please let me know if there's anything else I can provide to help.

Cheers.

@danotrampus

Same here.

@angela-d

angela-d commented Aug 9, 2020

Are your machines using openfortigui domain-joined?

It sounds like they've initiated a password expiry through something like Active Directory, so unless your Linux machine is joined to the domain using something like Centrify or similar software, it might have the faculties to know a password expiry has taken place.

Your password prompt on Windows is coming from the OS, not FortiClient, correct? If so, this is not so much VPN-related but domain-machine related. If that is the case, you will have to hop on a domain-joined machine to update your password.

@tetebueno
Author

Hi, I'm checking with the sysadmins whether we're domain-joined. I do know that the password expiry was done through AD.

In any case, what I intended to do was the same as I did with FortiClient VPN for Windows; even though I wasn't on the same domain, I got the password renewal prompt upon connection.

Maybe I'm missing something for not knowing the details behind Fortinet VPN connections, but the idea behind the issue is to be able to replace the Windows client with this project on a Linux box, and this seems to be a difference in behaviour.

@theinvisible
Owner

Hi, thanks for your request.

As @angela-d mentioned, I don't know if this really works. We also have domain-joined Linux boxes (UCS), but we already get the password change request on OS login. We also never tried a password change via FortiClient. If this should work via the VPN client, the FortiGate must ask for the new password and then forward it to AD/LDAP.

This project is based on openfortivpn, so maybe you first try whether openfortivpn can handle it. If so, I can try to intercept the request (as for OTP) and prompt for the new password via the GUI. Maybe you can also provide some logs with debug enabled so we can see if the FortiGate asks for a password.

@danotrampus

danotrampus commented Aug 10, 2020

I can confirm that openfortivpn handles the request that prompts for a new password upon credential expiry, and it also changed my password in AD/LDAP.

Using OpenFortiGUI I get the following logs when I press connect:
INFO: Start tunnel.
INFO: Connected to gateway.

The connection never changes its state.

@theinvisible
Owner

Okay, maybe you can post a screenshot with the prompt from openfortivpn, so I can get a clue. Also make sure you enable Debug Log (in VPN Settings); then it should log more verbosely.

@danotrampus

Ok, I will, but first I have to wait until my credentials expire. Then I will attempt to log in and openfortivpn should prompt me to enter a new password.
Please do not close this issue. I think my credentials expire in approximately 10 days.

@danotrampus

danotrampus commented Sep 7, 2020

As promised, here is the log you requested. Please note the prompt "Please select a new one:", which refers to entering the new password for the domain account:

openfortivpn --version
1.6.0

sudo openfortivpn xxx.xxx.xxx.xxx:yyyy -v -v -u ZZZZZ --no-dns --pppd-no-peerdns --trusted-cert WWWWWWWWWW
WARN:   Bad port in config file: "0".
DEBUG:  Loaded config file "/etc/openfortivpn/config".
VPN account password: 
DEBUG:  Config host = "xxx.xxx.xxx.xxx"
DEBUG:  Config realm = ""
DEBUG:  Config port = "yyyy"
DEBUG:  Config username = "ZZZZZ"
DEBUG:  Config password = "********"
DEBUG:  server_addr: xxx.xxx.xxx.xxx
DEBUG:  server_port: yyyy
DEBUG:  gateway_addr: xxx.xxx.xxx.xxx
DEBUG:  gateway_port: yyyy
DEBUG:  Gateway certificate validation failed.
DEBUG:  Gateway certificate digest found in white list.
INFO:   Connected to gateway.
Please select a new one:
DEBUG:  Error reading from SSL connection (Protocol violation with EOF).
DEBUG:  server_addr: xxx.xxx.xxx.xxx
DEBUG:  server_port: yyyy
DEBUG:  gateway_addr: xxx.xxx.xxx.xxx
DEBUG:  gateway_port: yyyy
DEBUG:  Gateway certificate validation failed.
DEBUG:  Gateway certificate digest found in white list.
Two-factor authentication token: 
DEBUG:  Error reading from SSL connection (Protocol violation with EOF).
DEBUG:  server_addr: xxx.xxx.xxx.xxx
DEBUG:  server_port: yyyy
DEBUG:  gateway_addr: xxx.xxx.xxx.xxx
DEBUG:  gateway_port: yyyy
DEBUG:  Gateway certificate validation failed.
DEBUG:  Gateway certificate digest found in white list.
DEBUG:  Cookie: SVPNCOOKIE=WWWWWWWWWW
INFO:   Authenticated.
DEBUG:  Cookie: SVPNCOOKIE=WWWWWWWWWW
INFO:   Remote gateway has allocated a VPN.
DEBUG:  server_addr: xxx.xxx.xxx.xxx
DEBUG:  server_port: yyyy
DEBUG:  gateway_addr: xxx.xxx.xxx.xxx
DEBUG:  gateway_port: yyyy
DEBUG:  Gateway certificate validation failed.
DEBUG:  Gateway certificate digest found in white list.
DEBUG:  pppd_read_thread
DEBUG:  ssl_read_thread
DEBUG:  if_config thread
DEBUG:  ssl_write_thread
DEBUG:  pppd_write thread
DEBUG:  pppd ---> gateway (16 bytes)

DEBUG:  gateway ---> pppd (12 bytes)

.
.
.

DEBUG:  Got Address: xxx.xxx.xxx.xxx
DEBUG:  pppd ---> gateway (6 bytes)
pppd:   80 21 02 67 00 04

DEBUG:  if_config: not ready yet...
DEBUG:  Got Address: xxx.xxx.xxx.xxx
DEBUG:  Interface Name: ppp0
DEBUG:  Interface Addr: xxx.xxx.xxx.xxx
INFO:   Interface ppp0 is UP.
INFO:   Setting new routes...
DEBUG:  ip route show to 0.0.0.0/0.0.0.0
DEBUG:  Setting route to vpn server...
DEBUG:  ip route add to xxx.xxx.xxx.xxx/255.255.255.255 via xxx.xxx.xxx.xxx dev wlp2s0
DEBUG:  ip route add to xxx.xxx.xxx.xxx/255.255.0.0 via xxx.xxx.xxx.xxx dev ppp0
INFO:   Tunnel is up and running.
DEBUG:  pppd ---> gateway (197 bytes)
.
.
.

INFO:   Setting ppp interface down.
INFO:   Restoring routes...
DEBUG:  ip route del to xxx.xxx.xxx.xxx/255.255.255.255 via 192.168.0.1 dev wlp2s0
DEBUG:  Waiting for pppd to exit...
DEBUG:  waitpid: pppd exit status code 16
INFO:   Terminated pppd.
INFO:   Closed connection to gateway.
DEBUG:  server_addr: xxx.xxx.xxx.xxx
DEBUG:  server_port: yyyy
DEBUG:  gateway_addr: xxx.xxx.xxx.xxx
DEBUG:  gateway_port: yyyy
DEBUG:  Gateway certificate validation failed.
DEBUG:  Gateway certificate digest found in white list.
INFO:   Logged out.

@theinvisible
Owner

Thanks for your log. It seems like the text is sent from your AD server, so I can't trigger an action on static text. As far as I can see, this input is handled by the OTP user-input method in openfortivpn. But I can also see that the keyword "Please" is already in the trigger list here, so it should also show the "OTP" prompt dialog.
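To make the mechanism discussed above concrete, here is an added example (not openfortigui's or openfortivpn's own code) of how a GUI wrapper can pick the new-password prompt out of openfortivpn's output stream. The prompt texts ("Two-factor authentication token:" and "Please select a new one:") are taken from the log posted in this thread; everything else is an assumption: that the prompt is written without a trailing newline (so a line-oriented reader never returns it and the wrapper appears to hang at "Connected to gateway."), the stand-in child process that replays the log sequence, and the minimum-length check it applies to the answer. The full prompt strings are matched rather than a single keyword, which is only a heuristic since, as noted above, the text comes from the AD/LDAP side and may differ between sites.

```python
"""Detect openfortivpn prompts in a raw output stream (added example)."""
import os
import re
import subprocess
import sys
from enum import Enum


class Prompt(Enum):
    # Prompt strings as they appear in the openfortivpn log in this thread.
    OTP = "Two-factor authentication token:"
    NEW_PASSWORD = "Please select a new one:"


# Match a prompt only at the unterminated tail of the buffer: openfortivpn
# writes the prompt and then blocks on stdin without emitting a newline
# (assumption), so the detector must look at partial lines.
_PATTERNS = [(p, re.compile(re.escape(p.value) + r"\s*$")) for p in Prompt]


class PromptDetector:
    """Accumulate raw chunks and emit ("line", text) / ("prompt", Prompt)."""

    def __init__(self) -> None:
        self._buf = ""

    def feed(self, chunk: str) -> list:
        events = []
        self._buf += chunk
        # Complete lines are ordinary log output, never a prompt.
        while "\n" in self._buf:
            line, self._buf = self._buf.split("\n", 1)
            events.append(("line", line))
        # The remainder has no newline yet: it may be a prompt (possibly
        # assembled from several chunks).
        for kind, pat in _PATTERNS:
            if pat.search(self._buf):
                events.append(("prompt", kind))
                self._buf = ""
                break
        return events


def prompts_in(chunks) -> list:
    """Return the prompts found in a sequence of output chunks."""
    det = PromptDetector()
    found = []
    for chunk in chunks:
        found += [payload for ev, payload in det.feed(chunk) if ev == "prompt"]
    return found


# Constructed stand-in for openfortivpn: replays the log sequence from the
# thread, leaves the prompt unterminated, then waits for the answer.
_FAKE_CHILD = r'''
import sys
sys.stdout.write("INFO:   Connected to gateway.\n")
sys.stdout.write("Please select a new one: ")
sys.stdout.flush()
answer = sys.stdin.readline().rstrip("\n")
# Minimum length stands in for whatever policy the real directory enforces.
if len(answer) >= 8:
    sys.stdout.write("INFO:   Authenticated.\n")
else:
    sys.stdout.write("ERROR:  Could not authenticate to gateway.\n")
sys.stdout.flush()
'''


def drive(answers: dict) -> list:
    """Run the stand-in child, answer each detected prompt, return log lines.

    os.read() is used instead of readline() so the unterminated prompt is
    delivered to the detector instead of blocking the reader forever.
    """
    proc = subprocess.Popen(
        [sys.executable, "-c", _FAKE_CHILD],
        stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.STDOUT,
    )
    det = PromptDetector()
    lines = []
    while True:
        chunk = os.read(proc.stdout.fileno(), 4096)
        if not chunk:
            break
        for ev, payload in det.feed(chunk.decode(errors="replace")):
            if ev == "line":
                lines.append(payload)
            elif ev == "prompt":
                # In a GUI this is where a masked input dialog would open;
                # the answer must never be written to the debug log.
                proc.stdin.write((answers[payload] + "\n").encode())
                proc.stdin.flush()
    proc.stdin.close()
    proc.wait()
    return lines


if __name__ == "__main__":
    print(drive({Prompt.NEW_PASSWORD: "correct-horse-battery"}))
```

The new-password answer should be collected through a masked dialog and kept out of the debug log, exactly as the existing password is; a wrapper that only matches on a single keyword such as "Please" will also fire on unrelated gateway messages, so the more specific the match the better.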

@bcfreitas

Same problem here. I need to use openfortivpn command line to change password.

@LvargaDS

LvargaDS commented Nov 6, 2024

It seems that changing an expired password is possible using the openfortivpn CLI.

When I was trying to use openfortivpn with a just-expired password, I saw it like this:

sudo openfortivpn -c /my/secreet/config/withPwd
INFO:   Connected to gateway.
Please select a new one: <CTRL+C pressed>
ERROR:  No OTP specified
ERROR:  Could not authenticate to gateway. Please check the password, client certificate, etc.
INFO:   Closed connection to gateway.
INFO:   Logged out.

After I got the courage, I tried and entered the new password at the prompt:

sudo openfortivpn -c /my/secreet/config/withPwd
INFO:   Connected to gateway.
Please select a new one: <entered new pwd and pressed enter>
INFO:   Authenticated.
INFO:   Remote gateway has allocated a VPN.
Using interface ppp0
Connect: ppp0 <--> /dev/pts/7
INFO:   Got addresses ......
