Protocol error in nm-fortisslvpn-pinentry (preventing successful OTP entry)
The nm-fortisslvpn-pinentry utility might be the cause of OTP login errors. The utility sends the OTP in the following format to the pinentry listener: D 123456\nOK\n (see https://github.com/GNOME/NetworkManager-fortisslvpn/blob/14301819fb0371c75038a95a5a98bcba062110e6/src/nm-fortisslvpn-pinentry.c#L125).
The openfortivpn client receives this line, replaces the last \n with a string terminator, strips the preceding D and uses the result as the OTP to send to the gateway, resulting in &code=123456%0AOK being sent during login. This will be treated as an invalid OTP token and the login is rejected.
I couldn't find documentation on the pinentry protocol to tell if sending the OK together with the pin is wrong or if the openfortivpn implementation should accept and strip the OK when parsing the response. Removing the OK from the NetworkManager side would be an easy fix.
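
The parsing described in the report, modelled next to a receiver that stops at the first line break, as an added example (not code from openfortivpn or NetworkManager-fortisslvpn). The names `parse_otp` and `code_param` and the sample reply are constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Reported parsing (first_line_only=0): drop the final '\n', skip "D ".
   Line-oriented parsing (first_line_only=1): value ends at the first line break. */
static int parse_otp(int first_line_only, const char *resp, char *out, size_t outlen)
{
    if (strncmp(resp, "D ", 2) != 0)
        return -1;
    const char *val = resp + 2;
    size_t n = strlen(val);
    if (first_line_only)
        n = strcspn(val, "\r\n");
    else if (n > 0 && val[n - 1] == '\n')
        n--;
    if (n == 0 || n >= outlen)
        return -1;
    memcpy(out, val, n);
    out[n] = '\0';
    return 0;
}

/* Percent-encode the parsed value as it would follow "&code=" in the login request. */
static const char *code_param(int first_line_only, const char *resp)
{
    static char enc[256];
    char otp[64];
    size_t o = 0;
    if (parse_otp(first_line_only, resp, otp, sizeof otp) != 0)
        return NULL;
    for (const char *p = otp; *p; p++) {
        unsigned char c = (unsigned char)*p;
        if (isalnum(c) || strchr("-_.~", c))
            enc[o++] = (char)c;
        else
            o += (size_t)snprintf(enc + o, 4, "%%%02X", c);
    }
    enc[o] = '\0';
    return enc;
}

int main(void)
{
    const char *sample = "D 123456\nOK\n"; /* constructed reply in the report's format */
    printf("as reported: &code=%s\n", code_param(0, sample));
    printf("first line:  &code=%s\n", code_param(1, sample));
    return 0;
}
```

pinentry speaks the Assuan protocol, in which the data line (D ...) and the closing OK are separate lines, so a receiver that consumes one line at a time never sees the OK as part of the PIN.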