Commit b6dc8211 authored by Daniel Lenski's avatar Daniel Lenski Committed by David Woodhouse

command-line client should fill in any password field with value supplied via --passwd-on-stdin

I previously proposed adding form field hints to suggest which fields should
be populated with username/password values.  David Woodhouse was hesitant to
accept this and we settled on matching the form field names by the first
four characters ("user", "pass") as a temporary compromise:

There's at least one specific case where this interferes with the
usage of the command-line client: some GlobalProtect users need to
specify an "alternative secret field" instead of the default "passwd"
field (using `--usergroup :field_name`).

Because this field's name normally doesn't start with "pass", openconnect
won't accept it via `--passwd-on-stdin`:

    script_to_do_fancy_GlobalProtect_SAML_login |
      openconnect --protocol=gp -u user --passwd-on-stdin --usergroup portal:portal_cookie_field_name

As far as I can tell, there's not actually any good reason why openconnect
should *only* fill in a password-type field with the supplied password
if its name starts with "pass", so we should get rid of that check.
Signed-off-by: default avatarDaniel Lenski <>
parent d819339d
......@@ -1999,8 +1999,7 @@ static int process_auth_form_cb(void *_vpninfo,
empty = 0;
} else if (opt->type == OC_FORM_OPT_PASSWORD) {
if (password &&
!strncmp(opt->name, "pass", 4)) {
if (password) {
opt->_value = password;
password = NULL;
} else {
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment