-
-
Save asarkar/fb4452a4abdf9e4a9752a7d55d2cdc93 to your computer and use it in GitHub Desktop.
#!/bin/bash | |
# description: Cisco Anyconnect CSD wrapper for OpenConnect | |
# author: https://github.com/asarkar/ | |
# gist: https://gist.github.com/asarkar/fb4452a4abdf9e4a9752a7d55d2cdc93 | |
# connect: sudo openconnect --background \ | |
# --user=<username> \ | |
# --authgroup=1 \ | |
# --csd-user=<localhost username> \ | |
# --csd-wrapper=<script location on localhost> \ | |
# --os=mac-intel \ | |
# https://<server>[:port][/group] | |
# disconnect: sudo pkill openconnect | |
# OR if you don't have pkill | |
# sudo kill -SIGTERM $(ps aux | awk '/openconnect/ && !/awk/ {print $2}') | |
if [ -z ${SUDO_COMMAND+x} ]; then | |
printf "Please define CSD_HOSTNAME" | |
exit 1 | |
fi | |
CMD=($SUDO_COMMAND) | |
URL=${CMD[@]: -1} | |
NUM_SLASH=$(echo "$URL" | awk -F/ '{print NF-1}') | |
if (( NUM_SLASH > 2 )); then # URL contains group | |
CSD_HOSTNAME=$(dirname "$URL") | |
else | |
CSD_HOSTNAME=$URL | |
fi | |
# parse command line | |
shift | |
URL= | |
TICKET= | |
STUB= | |
GROUP= | |
CERTHASH= | |
LANGSELEN= | |
while [ "$1" ]; do | |
if [ "$1" == "-ticket" ]; then shift; TICKET=$1; fi | |
if [ "$1" == "-stub" ]; then shift; STUB=$1; fi | |
if [ "$1" == "-group" ]; then shift; GROUP=$1; fi | |
if [ "$1" == "-certhash" ]; then shift; CERTHASH=$1; fi | |
if [ "$1" == "-url" ]; then shift; URL=$1; fi | |
if [ "$1" == "-langselen" ];then shift; LANGSELEN=$1; fi | |
shift | |
done | |
case $(uname) in | |
Darwin) | |
ARCH="darwin_x64" | |
;; | |
linux) | |
ARCH=$(uname -m) | |
if [[ "$ARCH" == "x86_64" ]]; then | |
ARCH="linux_x64" | |
else | |
ARCH="linux_i386" | |
fi | |
;; | |
esac | |
HOSTSCAN_DIR="$HOME/.cisco/hostscan" | |
LIB_DIR="$HOSTSCAN_DIR/lib" | |
BIN_DIR="$HOSTSCAN_DIR/bin" | |
# create dirs | |
for dir in $HOSTSCAN_DIR $LIB_DIR $BIN_DIR ; do | |
if [[ ! -d $dir ]]; then | |
printf "Creating dir: %s\n" "$dir" | |
mkdir -p "$dir" | |
fi | |
done | |
# download manifest | |
curl -kLsS "$CSD_HOSTNAME/CACHE/sdesktop/hostscan/$ARCH/manifest" -o "$HOSTSCAN_DIR/manifest" | |
case $(uname) in | |
Darwin) | |
SED="sed -E"; | |
;; | |
*) | |
SED="sed -r"; | |
;; | |
esac; | |
${SED} 's/\(|\)//g' "$HOSTSCAN_DIR/manifest" | cut -d " " -f 2,4 | \ | |
while read -r line; do | |
read -ra TOKENS <<< "$line" | |
FOUND=$(find "$HOSTSCAN_DIR" -name "${TOKENS[0]}" -exec md5 -rq {} \; | grep "${TOKENS[1]}") | |
if [[ -z "$FOUND" ]]; then | |
DEST_DIR= | |
if [[ "${TOKENS[0]}" = *.dylib ]]; then | |
DEST_DIR="$LIB_DIR" | |
else | |
DEST_DIR="$BIN_DIR" | |
fi | |
FILE_URL="$CSD_HOSTNAME/CACHE/sdesktop/hostscan/$ARCH/${TOKENS[0]}" | |
printf "Downloading %s to %s\n" "${TOKENS[0]}" "$DEST_DIR" | |
if curl -o /dev/null -ks --head --fail "$FILE_URL"; then | |
curl -kLsS "$FILE_URL" -o "$DEST_DIR/${TOKENS[0]}" | |
else | |
curl -o - -kLsS "$FILE_URL.gz" | gunzip > "$DEST_DIR/${TOKENS[0]}" | |
fi | |
else | |
printf "%s already exists\n" "${TOKENS[0]}" | |
fi | |
done | |
chmod -R u+x "$BIN_DIR" | |
ARGS="-log error -ticket $TICKET -stub $STUB -group $GROUP -host $URL -certhash $CERTHASH" | |
rm -rf "$HOSTSCAN_DIR/log" | |
printf "Launching: %s/cstub %s\n" "$BIN_DIR" "$ARGS" | |
"$BIN_DIR/cstub" $ARGS |
Hey @mcthomas
It seems like this line https://gist.github.com/asarkar/fb4452a4abdf9e4a9752a7d55d2cdc93#file-csd-wrapper-sh-L77 failed. You may want to enable verbose logging for curl
and see what's going on.
I no longer use this script since IT has now enabled automatic session reconnect for the desktop installer, which is the gap this script used to fill.
Thanks for the quick response. I'll see what I can do.
@mcthomas wrote:
HIP script '/Users/Matt/csd-wrapper.sh' returned non-zero status: 127
This error message (HIP) suggests you're trying to use csd-wrapper.sh
with a GlobalProtect VPN, which makes no sense. It's intended only to work with Cisco AnyConnect VPNs. See our upstream docs for the correct script to use with GP/HIP.
@mcthomas wrote:
HIP script '/Users/Matt/csd-wrapper.sh' returned non-zero status: 127
This error message (HIP) suggests you're trying to use
csd-wrapper.sh
with a GlobalProtect VPN, which makes no sense. It's intended only to work with Cisco AnyConnect VPNs. See our upstream docs for the correct script to use with GP/HIP.
Thank you for your response. I had moved past this issue, and I should’ve left an update here. But you are correct, thank you.
When I launch the script I get a message:
"cstub" will damage your computer. You should move it to the trash
And it does not let you continue, there is no option in "privacy and security" to activate the script as safe and allow its execution.
MAC version: Ventura 13.2.1
Is there a possibility to mark the script as safe for its execution?
Thank you so much
Hi, I run openconnect to company aynconnect using the csd-wapper.sh script, but got some error:
POST https://vpn.corp.xxxxx.com/
Connected to xxxx:443
Connected to HTTPS on xxxvpn.corp.xxx.com with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA512)-(AES-256-GCM)
XML POST enabled
Trying to run CSD Trojan script '/Users/jackzhang/dev/xxx/fb4452a4abdf9e4a9752a7d55d2cdc93/csd-wrapper.sh'.
execute CSD script /Users/jackzhang/dev/xxx/fb4452a4abdf9e4a9752a7d55d2cdc93/csd-wrapper.sh failed
CSD script '/Users/jackzhang/dev/xxx/fb4452a4abdf9e4a9752a7d55d2cdc93/csd-wrapper.sh' returned non-zero status: 1
Authentication may fail. If your script is not returning zero, fix it.
Future versions of openconnect will abort on this error.
Is that mean I didn't define CSD_HOSTNAME?
Thank you so much
Hi there, I was hoping to find a script like this to satisfy my configuration, but I received this error after attempting to connect:
curl: (3) URL using bad/illegal format or missing URL sed: /Users/Matt/.cisco/hostscan/manifest: No such file or directory /Users/Matt/csd-wrapper.sh: line 117: /Users/Matt/.cisco/hostscan/bin/cstub: No such file or directory HIP script '/Users/Matt/csd-wrapper.sh' returned non-zero status: 127 Creating SSL connection failed
Do you have any ideas? I already gave the script execution rights.