add support for password#2 field

[benhuxley2]

    * Do not overwrite global password variable in run_pw_helper().
    * Print a helpful error message if executing a helper script for passwords failed.
    * Print a helpful error message if the SSL-VPN appliance is requesting that the password be changed before login.
    * Allow usage of the password#2 field (usually via a helper script that pops up a kdialog or similar asking for the next token code).


diff --git a/jvpn.pl b/jvpn.pl
index 1f42ef3..8a2f270 100755
--- a/jvpn.pl
+++ b/jvpn.pl
@@ -54,8 +54,10 @@ my $verifycert=$Config{"verifycert"};
 my $mode=$Config{"mode"};
 my $script=$Config{"script"};
 my $cfgpass=$Config{"password"};
+my $cfgpass2=$Config{"password2"};
 my $workdir=$Config{"workdir"};
 my $password="";
+my $password2="";
 my $hostchecker=$Config{"hostchecker"};
 my $tncc_pid = 0;
 
@@ -86,6 +88,14 @@ if(defined $cfgpass){
 }
 else { $cfgpass="interactive"; }
 
+if(defined $cfgpass2){
+       if($cfgpass2 !~ /^(interactive|helper:|plaintext:)/) {
+               print "Configuration error: password is set incorrectly ($cfgpass2), check jvpn.ini\n";
+               exit 1;
+       }
+}
+else { $cfgpass2="none"; }
+
 # set host checker mode
 $hostchecker=0 if !defined($mode);
 # set default url if needed
@@ -153,11 +163,30 @@ elsif ($cfgpass =~ /^helper:(.+)/) {
        $password=run_pw_helper($1);
 }
 
+if ($cfgpass2 eq "none") {
+       $password2="";
+}
+elsif ($cfgpass2 eq "interactive") {
+       print "Enter token code: ";
+       $password2=read_input("password");
+       print "\n";
+}
+elsif ($cfgpass2 =~ /^plaintext:(.+)/) {
+       print "Using user-defined password#2\n";
+       $password2=$1;
+       chomp($password2);
+}
+elsif ($cfgpass2 =~ /^helper:(.+)/) {
+       print "Using user-defined script to get the password#2\n";
+       $password2=run_pw_helper($1);
+}
+
 my $response_body = '';
 
 my $res = $ua->post("https://$dhost:$dport/dana-na/auth/$durl/login.cgi",
        [ btnSubmit   => 'Sign In',
        password  => $password,
+       'password#2' => $password2,
        realm => $realm,
        tz   => '60',
        username  => $username,
@@ -281,6 +310,12 @@ if ($res->is_success) {
                        $narsocket->close();
                }
        }
+
+       if ($response_body =~ /passwordChange/) {
+               print "The password for the account needs to be changed due to server-side policy, use the web interface to change it.\n";
+               exit 1;
+       }
+
        # active sessions found
        if ($response_body =~ /id="DSIDConfirmForm"/) {
                $response_body =~ m/name="FormDataStr" value="([^"]+)"/;
@@ -689,12 +724,16 @@ sub parse_config_file {
 
 sub run_pw_helper {
        my $pw_script="";
+       my $pwd;
        ($pw_script) = @_;
        if (-x $pw_script){
-               $password=`$pw_script`;
-               chomp $password;
+               $pwd=`$pw_script`;
+               chomp $pwd;
+       } else {
+               print "Could not find password helper script ($pw_script), check jvpn.ini.";
+               exit 1;
        }
-       return $password;
+       return $pwd;
 }
 
 sub tncc_start {

[rmariuzzo]

@benhuxley2 you could submit a PR instead. 😎