From 846e697add81131329d61eb12e775a381b17ff29 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ja=CC=84nis=20Jansons?=
Date: Fri, 18 Dec 2020 01:59:40 +0200
Subject: [PATCH] Pass TOTP code on STDIN to hide seed from process list.

---
 README.md | 1 +
 run-vpn.sh | 6 +++---
 2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/README.md b/README.md
index 5111c31..c547e66 100644
--- a/README.md
+++ b/README.md
@@ -12,6 +12,7 @@ Additionaly routing for only specific subnets can be added in `routes.txt`
 git clone this repo
 brew install openconnect
 brew install vpn-slice
+brew install oath-toolkit
 ```
 
 Add server address, username, password and 2fa seed in keychain with these names:
diff --git a/run-vpn.sh b/run-vpn.sh
index 9e08bd6..a357a8f 100755
--- a/run-vpn.sh
+++ b/run-vpn.sh
@@ -44,13 +44,13 @@ while true; do
 SCRIPT_INCLUDE="--script=\"$SCRIPTPATH/routing.sh\""
 fi
 
- echo $PASSWORD | sudo openconnect \
+ TOTP=$(oathtool --totp=sha1 -b "$SEED")
+
+ echo -e "$PASSWORD\n$TOTP" | sudo openconnect \
 --csd-wrapper hostscan-bypass.sh \
 --passwd-on-stdin \
 --os=mac-intel \
 $SCRIPT_INCLUDE \
- --token-mode=totp \
- --token-secret=sha1:base32:$SEED \
 -u $USERNAME \
 $SERVER
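Review bot: The seed is still exposed on the process list by the new `TOTP=$(oathtool --totp=sha1 -b "$SEED")` line: `$SEED` is an argv of oathtool, so any local user running `ps` while it executes can read it, which is exactly the exposure the commit sets out to remove. oathtool reads the key from stdin when the key argument is `-` (verify against the installed oath-toolkit version), so the seed can be piped in from the shell builtin instead: `TOTP=$(printf '%s' "$SEED" | oathtool --totp=sha1 -b -) || { echo "oathtool failed" >&2; exit 1; }`. The `|| exit` matters on its own too, because a missing or failing oathtool otherwise leaves `$TOTP` empty and the script sends a blank line as the second password rather than stopping. Separately, `echo -e` interprets backslash sequences inside `$PASSWORD`, so a password containing `\n`, `\t` or `\\` is corrupted before it reaches openconnect; `printf '%s\n%s\n' "$PASSWORD" "$TOTP" | sudo openconnect \` sends both values verbatim. The enclosing `while true` loop starts and ends outside the hunk.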