From 7e13b54cde944b15e2c48759b9e18e82d172b40f Mon Sep 17 00:00:00 2001 From: Benjamin Mako Hill Date: Tue, 9 Jun 2020 16:04:15 -0700 Subject: [PATCH 1/1] initial version of the CDSC version of scripts --- README-CDSC | 64 ++++++++++++++ README.md => README-GP-SAML.md | 0 hipreport-modified.sh | 150 +++++++++++++++++++++++++++++++++ openconnect_command-general.sh | 10 +++ openconnect_command-ssh.sh | 15 ++++ ssh-vpn-proxy | 28 ++++++ 6 files changed, 267 insertions(+) create mode 100644 README-CDSC rename README.md => README-GP-SAML.md (100%) create mode 100755 hipreport-modified.sh create mode 100755 openconnect_command-general.sh create mode 100755 openconnect_command-ssh.sh create mode 100755 ssh-vpn-proxy diff --git a/README-CDSC b/README-CDSC new file mode 100644 index 0000000..1bac37c --- /dev/null +++ b/README-CDSC @@ -0,0 +1,64 @@ +=========================== +== INSTALLATION =========== +=========================== + +1. + +Install prerequisites. This will include: + +sudo apt install python3-gi gir1.2-gtk-3.0 gir1.2-webkit2-4.0 + +2. + +Install this directory into: ~/bin/nu-vpn-proxy + +3. + +Change your System UUID. You can get this with command: + + sudo dmidecode|grep UUID + +You should see a line like: + + UUID: deadbeef-dead-beef-dead-beefdeadbeef + +Edit the file hipreport-modified.sh to change the variable HOSTID so that it is +equal to this number. Change the line that says +"deadbeef-dead-beef-dead-beefdeadbeaf" so that it lists your UUID. + +4. [optional] + +Change bmh1867 to your username and add the following stanza text to your +~/.ssh/config: + +Host kibo kibo.soc.northwestern.edu + Hostname kibo.soc.northwestern.edu + User bmh1867 + ProxyCommand ~/bin/nu-vpn-proxy/ssh-vpn-proxy %h %p + ForwardAgent yes + ServerAliveInterval 120 + +=========================== +== USAGE ================== +=========================== + +There are two ways to use this. + +1. *Only* for SSH connections to kibo. + +This should be just as simple as running: + + ssh-kibo + +You can run the command mulptiple time and it should work. When you close the +first connection though, it will disconnect all of your connections. + +2. Your entire connection. + +Run the following command: + + ~/bin/openconnect_command-general.sh + +While this command is running, you should be connected through the VPN. Run +Ctrl-C to disconnect. + diff --git a/README.md b/README-GP-SAML.md similarity index 100% rename from README.md rename to README-GP-SAML.md diff --git a/hipreport-modified.sh b/hipreport-modified.sh new file mode 100755 index 0000000..5f280de --- /dev/null +++ b/hipreport-modified.sh @@ -0,0 +1,150 @@ +#!/bin/sh + +# openconnect will call this script with the follow command-line +# arguments, which are needed to populate the contents of the +# HIP report: +# +# --cookie: a URL-encoded string, as output by openconnect +# --authenticate --protocol=gp, which includes parameters +# from the /ssl-vpn/login.esp response +# +# --client-ip{,v6}: IPv4/6 addresses allocated by the GlobalProtect +# VPN for this client (included in +# /ssl-vpn/getconfig.esp response) +# +# --md5: The md5 digest to encode into this HIP report. I'm not sure +# exactly what this is the md5 digest *of*, but all that +# really matters is that the value in the HIP report +# submission should match the value in the HIP report check. +# +# This hipreport.sh does not work as-is on Android. The large here-doc +# (cat <&2 + exit 1; +fi + +# Extract username and domain and computer from cookie +USER=$(echo "$COOKIE" | sed -rn 's/(.+&|^)user=([^&]+)(&.+|$)/\2/p') +DOMAIN=$(echo "$COOKIE" | sed -rn 's/(.+&|^)domain=([^&]+)(&.+|$)/\2/p') +COMPUTER=$(echo "$COOKIE" | sed -rn 's/(.+&|^)computer=([^&]+)(&.+|$)/\2/p') + +# Timestamp in the format expected by GlobalProtect server +NOW=$(date +'%m/%d/%Y %H:%M:%S') +DAY=$(date +'%d') +MONTH=$(date +'%m') +YEAR=$(date +'%Y') + +# This value may need to be extracted from the official HIP report, if a made-up value is not accepted. +HOSTID="deadbeef-dead-beef-dead-beefdeadbeef" + +cat < + + $MD5 + $USER + $USER + $COMPUTER + $HOSTID + $IP + $IPV6 + $NOW + + + 5.1.0-101 + Linux 4.19.0-6-amd64 + Linux + domain.com + spes + d6f838cc-2b6f-11b2-a85c-d7bcda6b231e + + + pan1 + 42:4e:62:fe:ef:87 + + + + + + + + + + + + + $MD5 + $USER + $USER + $COMPUTER + $HOSTID + $IP + $IPV6 + $NOW + 4 + + + 5.1.0-101 + Linux 4.19.0-6-amd64 + Linux + domain.com + spes + d6f838cc-2b6f-11b2-a85c-d7bcda6b231e + + + pan1 + 42:4e:62:fe:ef:87 + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +EOF diff --git a/openconnect_command-general.sh b/openconnect_command-general.sh new file mode 100755 index 0000000..11d7dab --- /dev/null +++ b/openconnect_command-general.sh @@ -0,0 +1,10 @@ +#!/bin/bash + +# change to the vpn file directory +cd ~/bin/nu-vpn-proxy + +## do the authentication +eval $( ./gp-saml-gui.py -v --clientos=Linux vpn-connect2.northwestern.edu ) + +echo "$COOKIE" | sudo openconnect --useragent="PAN GlobalConnect" --version-string='5.1.0-101' --protocol=gp -u "$USER" --os="$OS" --passwd-on-stdin "$HOST" --csd-wrapper="hipreport-modified.sh" --reconnect-timeout 60 + diff --git a/openconnect_command-ssh.sh b/openconnect_command-ssh.sh new file mode 100755 index 0000000..09f2181 --- /dev/null +++ b/openconnect_command-ssh.sh @@ -0,0 +1,15 @@ +#!/bin/bash + +LOG_FILE=/tmp/nu-globalprotect-saml.log +PID_FILE=/tmp/nu-vpn-openconnect.pid + +exec > $LOG_FILE + +# change to the vpn file directory +cd ~/bin/nu-vpn-proxy + +## do the authentication +eval $( ./gp-saml-gui.py -v --clientos=Linux vpn-connect2.northwestern.edu ) + +echo "$COOKIE" | openconnect --useragent="PAN GlobalConnect" --version-string='5.1.0-101' --protocol=gp -u "$USER" --os="$OS" --passwd-on-stdin "$HOST" --csd-wrapper="hipreport-modified.sh" --reconnect-timeout 60 --script-tun --script "ocproxy -D 9052" -b --pid-file "${PID_FILE}" + diff --git a/ssh-vpn-proxy b/ssh-vpn-proxy new file mode 100755 index 0000000..3548b40 --- /dev/null +++ b/ssh-vpn-proxy @@ -0,0 +1,28 @@ +#!/bin/bash + +SEARCH_PATTERN="ESP tunnel connected; exiting HTTPS mainloop." + +# connects to SSH through openconnect and VPN +# for use with ProxyCommand in SSH + + +# first run openconnect +/sbin/start-stop-daemon --pidfile /tmp/nu-vpn-openconnect.pid -S --startas "$HOME/bin/nu-vpn-proxy/openconnect_command-ssh.sh" & +sleep 2 + +# kill connection on exit +function cleanup { + /sbin/start-stop-daemon --stop --pidfile /tmp/nu-vpn-openconnect.pid +} +trap cleanup EXIT + +tail -f /tmp/nu-globalprotect-saml.log | grep -qe "${SEARCH_PATTERN}" + +if [ $? == 1 ]; then + echo "Search terminated without finding the pattern" + exit +fi + +# redirect traffic (standard input and output) through VPN +/bin/nc.openbsd -X 5 -x 127.0.0.1:9052 $1 $2 + -- 2.39.5