Skip to content
TOTP with Static Password Prefix
Got a problem with Viscosity or need help? Ask here!
Hi all,
I'm using Viscosity against a Sophos UTM firewall that is not under my control. It is using username/password based authentication, HOWEVER, the password is of the following format:
<static secret key><TOTP>
where <static secret key> is a static string that changes only yearly and the TOTP is the TOTP assigned to my account. On connecting, I always have to type the static secret key, which is quite long, plus the TOTP.
(See e.g. step 5 in https://www.fastvue.co/sophos/blog/two- ... istrators/)
I'd like to automate this somehow.
Is there a way to tell Viscosity to only ask for the the TOTP and then build the password given a format string or something?
I also own a Yubikey 5 NFC, is there a way to get rid of the typing at all, such that I can tap the button on my yubikey and that's it?
Thanks for any pointers how I could achieve this
Alex
I'm using Viscosity against a Sophos UTM firewall that is not under my control. It is using username/password based authentication, HOWEVER, the password is of the following format:
<static secret key><TOTP>
where <static secret key> is a static string that changes only yearly and the TOTP is the TOTP assigned to my account. On connecting, I always have to type the static secret key, which is quite long, plus the TOTP.
(See e.g. step 5 in https://www.fastvue.co/sophos/blog/two- ... istrators/)
I'd like to automate this somehow.
Is there a way to tell Viscosity to only ask for the the TOTP and then build the password given a format string or something?
I also own a Yubikey 5 NFC, is there a way to get rid of the typing at all, such that I can tap the button on my yubikey and that's it?
Thanks for any pointers how I could achieve this
Alex
Hi Alex,
Ideally the server should be re-configured to make use of OpenVPN's challenge support, which is designed for just such situations by separating out the password and two-factor prompts.
However, as you mention the server is outside of your control, your best bet is to make sure of Viscosity's Pre-Connection Credentials feature. This feature lets you run a custom script that specify the username and password the connection should use. More information can be found at:
https://www.sparklabs.com/support/kb/ar ... redentials
For example, I've put together a quick sample script below. Copy-paste it into the Script Editor application, and replace myusername and mystaticpassword with your username and the static password that doesn't change. Save the script, and then set it as a "Before Connect Script". More information on how to do this can be found at:
https://www.sparklabs.com/support/kb/ar ... connected/
This script will prompt you for your OTP when you go to connect your connection: you should just be able to hit the button on your YubiKey to fill out this field. It'll then return the correct password to use to Viscosity.
Ideally the server should be re-configured to make use of OpenVPN's challenge support, which is designed for just such situations by separating out the password and two-factor prompts.
However, as you mention the server is outside of your control, your best bet is to make sure of Viscosity's Pre-Connection Credentials feature. This feature lets you run a custom script that specify the username and password the connection should use. More information can be found at:
https://www.sparklabs.com/support/kb/ar ... redentials
For example, I've put together a quick sample script below. Copy-paste it into the Script Editor application, and replace myusername and mystaticpassword with your username and the static password that doesn't change. Save the script, and then set it as a "Before Connect Script". More information on how to do this can be found at:
https://www.sparklabs.com/support/kb/ar ... connected/
This script will prompt you for your OTP when you go to connect your connection: you should just be able to hit the button on your YubiKey to fill out this field. It'll then return the correct password to use to Viscosity.
Code: Select all
tell application "Viscosity"
set username to "myusername"
set staticPassword to "mystaticpassword"
try
set response to display dialog "Please enter the OTP:" default answer "" with title (system attribute "displayName") with icon note buttons {"Cancel", "OK"} default button "OK"
if button returned of response is "OK" then
return "userpass " & username & " " & staticPassword & (text returned of response)
end if
end try
return "ViscosityNoConnect"
end tell
Web: https://www.sparklabs.com
Support: https://www.sparklabs.com/support
Twitter: https://twitter.com/sparklabs
Support: https://www.sparklabs.com/support
Twitter: https://twitter.com/sparklabs
2 posts
Page 1 of 1