TOTP with Static Password Prefix

Got a problem with Viscosity or need help? Ask here!

LNGR

Posts: 1
Joined: Fri Apr 16, 2021 1:29 am

Post by LNGR » Fri Apr 16, 2021 1:38 am
Hi all,

I'm using Viscosity against a Sophos UTM firewall that is not under my control. It is using username/password based authentication, HOWEVER, the password is of the following format:

<static secret key><TOTP>

where <static secret key> is a static string that changes only yearly and the TOTP is the TOTP assigned to my account. On connecting, I always have to type the static secret key, which is quite long, plus the TOTP.
(See e.g. step 5 in https://www.fastvue.co/sophos/blog/two- ... istrators/)

I'd like to automate this somehow.

Is there a way to tell Viscosity to only ask for the the TOTP and then build the password given a format string or something?

I also own a Yubikey 5 NFC, is there a way to get rid of the typing at all, such that I can tap the button on my yubikey and that's it?

Thanks for any pointers how I could achieve this

Alex

James

User avatar
Posts: 2077
Joined: Thu Sep 04, 2008 9:27 pm

Post by James » Fri Apr 16, 2021 4:31 am
Hi Alex,

Ideally the server should be re-configured to make use of OpenVPN's challenge support, which is designed for just such situations by separating out the password and two-factor prompts.

However, as you mention the server is outside of your control, your best bet is to make sure of Viscosity's Pre-Connection Credentials feature. This feature lets you run a custom script that specify the username and password the connection should use. More information can be found at:
https://www.sparklabs.com/support/kb/ar ... redentials

For example, I've put together a quick sample script below. Copy-paste it into the Script Editor application, and replace myusername and mystaticpassword with your username and the static password that doesn't change. Save the script, and then set it as a "Before Connect Script". More information on how to do this can be found at:
https://www.sparklabs.com/support/kb/ar ... connected/

This script will prompt you for your OTP when you go to connect your connection: you should just be able to hit the button on your YubiKey to fill out this field. It'll then return the correct password to use to Viscosity.
Code: Select all
tell application "Viscosity"
	set username to "myusername"
	set staticPassword to "mystaticpassword"
	
	try
		set response to display dialog "Please enter the OTP:" default answer "" with title (system attribute "displayName") with icon note buttons {"Cancel", "OK"} default button "OK"
		if button returned of response is "OK" then
			return "userpass " & username & " " & staticPassword & (text returned of response)
		end if
	end try
	
	return "ViscosityNoConnect"
end tell
James Bekkema
Viscosity Developer

Web: http://www.sparklabs.com
Support: http://www.sparklabs.com/support
Twitter: http://twitter.com/sparklabs
2 posts Page 1 of 1