csd-wrapper.sh

#!/bin/bash
# description: Cisco Anyconnect CSD wrapper for OpenConnect
# author: https://github.com/asarkar/
# gist: https://gist.github.com/asarkar/fb4452a4abdf9e4a9752a7d55d2cdc93
# connect: sudo openconnect --background \
# --user=<username> \
# --authgroup=1 \
# --csd-user=<localhost username> \
# --csd-wrapper=<script location on localhost> \
# --os=mac-intel \
# https://<server>[:port][/group]
# disconnect: sudo pkill openconnect
# OR if you don't have pkill
# sudo kill -SIGTERM $(ps aux | awk '/openconnect/ && !/awk/ {print $2}')

if [ -z ${SUDO_COMMAND+x} ]; then
  printf "Please define CSD_HOSTNAME"
  exit 1
fi

CMD=($SUDO_COMMAND)
URL=${CMD[@]: -1}
NUM_SLASH=$(echo "$URL" | awk -F/ '{print NF-1}')
if (( NUM_SLASH > 2 )); then # URL contains group
  CSD_HOSTNAME=$(dirname "$URL")
else
  CSD_HOSTNAME=$URL
fi

# parse command line
shift

URL=
TICKET=
STUB=
GROUP=
CERTHASH=
LANGSELEN=

while [ "$1" ]; do
    if [ "$1" == "-ticket" ];   then shift; TICKET=$1; fi
    if [ "$1" == "-stub" ];     then shift; STUB=$1; fi
    if [ "$1" == "-group" ];    then shift; GROUP=$1; fi
    if [ "$1" == "-certhash" ]; then shift; CERTHASH=$1; fi
    if [ "$1" == "-url" ];      then shift; URL=$1; fi
    if [ "$1" == "-langselen" ];then shift; LANGSELEN=$1; fi
    shift
done

case $(uname) in
  Darwin)
    ARCH="darwin_x64"
  ;;
  linux)
    ARCH=$(uname -m)
    if [[ "$ARCH" == "x86_64" ]]; then
      ARCH="linux_x64"
    else
      ARCH="linux_i386"
    fi
  ;;
esac

HOSTSCAN_DIR="$HOME/.cisco/hostscan"
LIB_DIR="$HOSTSCAN_DIR/lib"
BIN_DIR="$HOSTSCAN_DIR/bin"

# create dirs
for dir in $HOSTSCAN_DIR $LIB_DIR $BIN_DIR ; do
    if [[ ! -d $dir ]]; then
        printf "Creating dir: %s\n" "$dir"
        mkdir -p "$dir"
    fi
done

# download manifest
curl -kLsS "$CSD_HOSTNAME/CACHE/sdesktop/hostscan/$ARCH/manifest" -o "$HOSTSCAN_DIR/manifest"

case $(uname) in
  Darwin)
    SED="sed -E";
  ;;
  *)
    SED="sed -r";
  ;;
esac;

${SED} 's/\(|\)//g' "$HOSTSCAN_DIR/manifest" | cut -d " " -f 2,4 | \
while read -r line; do
  read -ra TOKENS <<< "$line"
  FOUND=$(find "$HOSTSCAN_DIR" -name "${TOKENS[0]}" -exec md5 -rq {} \; | grep "${TOKENS[1]}")
  if [[ -z "$FOUND" ]]; then
    DEST_DIR=
    if [[ "${TOKENS[0]}" = *.dylib ]]; then
      DEST_DIR="$LIB_DIR"
    else
      DEST_DIR="$BIN_DIR"
    fi
    FILE_URL="$CSD_HOSTNAME/CACHE/sdesktop/hostscan/$ARCH/${TOKENS[0]}"
    printf "Downloading %s to %s\n" "${TOKENS[0]}" "$DEST_DIR"
    if curl -o /dev/null -ks --head --fail "$FILE_URL"; then
      curl -kLsS "$FILE_URL" -o "$DEST_DIR/${TOKENS[0]}"
    else
      curl -o - -kLsS "$FILE_URL.gz" | gunzip > "$DEST_DIR/${TOKENS[0]}"
    fi
  else
    printf "%s already exists\n" "${TOKENS[0]}"
  fi
done

chmod -R u+x "$BIN_DIR"

ARGS="-log error -ticket $TICKET -stub $STUB -group $GROUP -host $URL -certhash $CERTHASH"

rm -rf "$HOSTSCAN_DIR/log"
printf "Launching: %s/cstub %s\n" "$BIN_DIR" "$ARGS"
"$BIN_DIR/cstub" $ARGS

@dlenski

@mcthomas wrote:

HIP script '/Users/Matt/csd-wrapper.sh' returned non-zero status: 127

This error message (HIP) suggests you're trying to use csd-wrapper.sh with a GlobalProtect VPN, which makes no sense. It's intended only to work with Cisco AnyConnect VPNs. See our upstream docs for the correct script to use with GP/HIP.

Thank you for your response. I had moved past this issue, and I should’ve left an update here. But you are correct, thank you.

When I launch the script I get a message:
"cstub" will damage your computer. You should move it to the trash

And it does not let you continue, there is no option in "privacy and security" to activate the script as safe and allow its execution.

MAC version: Ventura 13.2.1

Is there a possibility to mark the script as safe for its execution?

Thank you so much

Hi, I run openconnect to company aynconnect using the csd-wapper.sh script, but got some error:

POST https://vpn.corp.xxxxx.com/
Connected to  xxxx:443

Connected to HTTPS on xxxvpn.corp.xxx.com with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA512)-(AES-256-GCM)
XML POST enabled
Trying to run CSD Trojan script '/Users/jackzhang/dev/xxx/fb4452a4abdf9e4a9752a7d55d2cdc93/csd-wrapper.sh'.
execute CSD script /Users/jackzhang/dev/xxx/fb4452a4abdf9e4a9752a7d55d2cdc93/csd-wrapper.sh failed
CSD script '/Users/jackzhang/dev/xxx/fb4452a4abdf9e4a9752a7d55d2cdc93/csd-wrapper.sh' returned non-zero status: 1
Authentication may fail. If your script is not returning zero, fix it.
Future versions of openconnect will abort on this error.

Is that mean I didn't define CSD_HOSTNAME?

Thank you so much