
Prefill password in Sophos VPN

Hi,

I have to enter a password in Sophos VPN. The first part is always the same and the second is changing every 30 seconds.

Can I prefill Sophos VPN with username and the first part of the password?

Cheers

Clothia



This thread was automatically locked due to age.
  • FormerMember

    Hi,

    Thank you for reaching out to the Community! 

    Are you trying to turn off the OTP?

    If you’re trying to save the user credentials, the OpenVPN Client does not have a secure way to save the password. 

    Thanks,

  • I want to save part of the credentials.

    For password I have to enter a static part and a token from an auth-app.

    Since the static part is about 20 characters strong, I would prefer to pre-fill that part.

  • Yes, just looked it up, seems to be almost the same as what the KeeOTP plugin did.

    You need to go to the advanced settings of the entry in Keepass and enter a String field like this:

    I believe the value of the secret found in UTM is the HEX value, so you would need to name the field: TimeOtp-Secret-Hex with the value copied from the OTP of your UTM-account.

    Then you go to the Auto-Type tab in the same entry and you can configure it like so:

    The Target Window can be chosen from all current open windows, so make sure to first have the VPN-client ask you to login, then configure this Auto-type entry.

    In my example I used the placeholder {totp} (which is for KeeOTP), instead you can use {timeotp}

    In this example, with the screen open and the cursor in the username field, it will fill in the {USERNAME}, press {TAB}, fill in the {PASSWORD} followed by the {timeotp} and then hit {ENTER}.

    I have a bit more details on my blog about this.


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

  • Thanks a lot for the help.

    I have read your entry and tried to follow through this. My problem is that Keepass seems to support {TIMEOTP} but I cannot find out how to connect this to the entry within advanced.

    I am getting {USERNAME}{TAB}{PASSWORD}{ENTER}{TIMEOTP}, but

    The enter goes before TIMEOTP instead of after AND TIMEOTP is just not related to the secret.
    I searched Keepass and Google, but could not find how to set up the secret.

    Any idea how to find out more information about {TIMEOTP}?

    And how can I ensure it does not press {ENTER} after the password?

  • I tried another plugin (twofactorqrcodereader).

    And it seems to add the right entries to Keepass, but now I am always getting the wrong credentials.

    Not sure why I am getting the additional {ENTER}.

    Arrrrggghgh

  • In the 'Use custom keystroke....' you can manually adjust the placeholders and their order.



  • Thanks apijnapple.

    I read your Keepass blog and it is exactly what I did, but it always opens the Keepass window at the end and it does not log me in.

    Very strange.

    Strange indeed. You did have the Sophos SSL VPN client ask you for the password (so the screen is opened) when you started configuring Auto-type and you did find the correct screen? If not then Keepass wouldn't know what to type into this window.

    Also in Keepass Under 'Tools' - 'Options', tab 'Integration' you can find if in your case the Auto Type is also Ctrl-Alt-A.



    I open my SSL VPN client and press CTRL-ALT-A and it fills in the credentials. At the end it opens the Keepass entry for some strange reason.

    Plus I am rejected from Sophos login, because of wrong credentials.

    If I am adding the password (CTRL+C - CTRL+V) and use AuthPoint to get the 6 digits it works.

  • Try to add an autotype entry with the same settings but then for notepad application.

    You can then SEE what is being sent. If you don't want to show the password, then you can just leave out {password} but especially you will want to see {timeotp} and match if this is correct with what your authenticator app is generating.

    If they are different, then first check the time on both the firewall and the device with the authenticator app. Also if time is correct on both, then double check that you have actually a HEX secret and not maybe a Base32 Secret. If your secret only consists of A-Z in capitals and the numbers 2-7 then you should use BASE32 and not HEX. If your secret contains 0-9 and A-F characters then it's Hex.

    See the Keepass website for more information on how to configure one or the other.


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.
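Added example, not part of the original thread and not KeePass or Sophos code: a small Python check for the mismatch described in the reply above. It computes the RFC 6238 code (assuming the common defaults of HMAC-SHA1, 30-second steps and 6 digits) for a secret read as hex and as Base32, and reports which reading and which clock offset reproduce the code your authenticator shows. The function names are hypothetical and the secrets in the comments are the public RFC 6238 test key, not a real one.

```python
import base64, hashlib, hmac, re, struct

def classify_secret(s):
    """Guess the encoding from the alphabet; some strings are valid in both."""
    s = s.replace(" ", "").rstrip("=")
    is_hex = re.fullmatch(r"[0-9A-Fa-f]+", s) is not None and len(s) % 2 == 0
    is_b32 = re.fullmatch(r"[A-Z2-7]+", s) is not None
    if is_hex and is_b32:
        return "ambiguous"   # only A-F and 2-7 used: compare codes to decide
    return "hex" if is_hex else "base32" if is_b32 else "unknown"

def decode_secret(s, encoding):
    """Turn the stored secret string into raw key bytes."""
    s = s.replace(" ", "")
    if encoding == "hex":
        return bytes.fromhex(s)
    s = s.upper().rstrip("=")
    return base64.b32decode(s + "=" * (-len(s) % 8))  # restore padding

def totp(key, now, step=30, digits=6):
    """RFC 6238 TOTP with HMAC-SHA1 for Unix time `now`."""
    counter = struct.pack(">Q", int(now) // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    off = mac[-1] & 0x0F                               # dynamic truncation
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def diagnose(secret, observed, now, max_drift_steps=2):
    """Return (encoding, drift_in_steps) pairs that reproduce `observed`.

    A hit with drift != 0 points at a clock problem; a hit only under the
    other encoding points at the wrong KeePass field name."""
    hits = []
    for enc in ("hex", "base32"):
        try:
            key = decode_secret(secret, enc)
        except ValueError:                             # not valid in this encoding
            continue
        for d in range(-max_drift_steps, max_drift_steps + 1):
            if hmac.compare_digest(totp(key, now + d * 30), observed):
                hits.append((enc, d))
    return hits

# Constructed sample (RFC 6238 test key "12345678901234567890"):
#   hex:    3132333435363738393031323334353637383930
#   base32: GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ
```

Call `diagnose(secret, code_from_authenticator, time.time())` on a machine whose clock you trust; an empty result means the stored secret is not the one the authenticator was enrolled with, or the server uses non-default TOTP parameters.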

  • I can see the OTP on a new line, probably you have {USERNAME}{TAB}{PASSWORD}{ENTER}{TIMEOTP} still. You can manually adjust the order to {USERNAME}{TAB}{PASSWORD}{TIMEOTP}{ENTER}

    Also you can check in notepad whether the 6-digit number is the same as the one from your authenticator device.


