#!/bin/bash
# description: Cisco AnyConnect CSD wrapper for OpenConnect
# author: https://github.com/asarkar/
# gist: https://gist.github.com/asarkar/fb4452a4abdf9e4a9752a7d55d2cdc93
# connect: sudo openconnect --background \
# --user=<username> \
# --authgroup=1 \
# --csd-user=<localhost username> \
# --csd-wrapper=<script location on localhost> \
# --os=mac-intel \
# https://<server>[:port][/group]
# disconnect: sudo pkill openconnect
# OR if you don't have pkill
# sudo kill -SIGTERM $(ps aux | awk '/openconnect/ && !/awk/ {print $2}')
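# Derive CSD_HOSTNAME from the openconnect command line that sudo records in
# SUDO_COMMAND (see the "connect:" example in the header): the last word is
# the server URL, and a trailing "/group" is stripped so the hostscan cache
# path below is built from the server root.
if [ -z "${SUDO_COMMAND+x}" ]; then
  # Nothing sets CSD_HOSTNAME by hand; it is derived from SUDO_COMMAND, so
  # that is the variable to report when it is missing.
  printf 'SUDO_COMMAND is not set: run openconnect through sudo so the server URL can be read from it\n' >&2
  exit 1
fi
# Deliberate word-splitting: SUDO_COMMAND is one string holding the whole command line.
# shellcheck disable=SC2206
CMD=($SUDO_COMMAND)
URL="${CMD[@]: -1}"
# Count the slashes with parameter expansion instead of spawning echo + awk.
URL_NO_SLASH=${URL//\//}
NUM_SLASH=$(( ${#URL} - ${#URL_NO_SLASH} ))
if (( NUM_SLASH > 2 )); then # "https://host[:port]/group": keep only "https://host[:port]"
  CSD_HOSTNAME=$(dirname "$URL")
else
  CSD_HOSTNAME=$URL
fi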
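# parse command line
# The first positional argument is discarded; the remaining arguments are read
# as "-flag value" pairs. A case statement consumes each pair exactly once, so
# a value that happens to equal another flag name (e.g. a ticket of "-stub") is
# stored as a value rather than re-tested as a flag. Unknown flags are skipped.
shift
URL=
TICKET=
STUB=
GROUP=
CERTHASH=
LANGSELEN=
while [ "$1" ]; do
  case "$1" in
    -ticket)    shift; TICKET=$1 ;;
    -stub)      shift; STUB=$1 ;;
    -group)     shift; GROUP=$1 ;;
    -certhash)  shift; CERTHASH=$1 ;;
    -url)       shift; URL=$1 ;;
    -langselen) shift; LANGSELEN=$1 ;;
  esac
  shift
done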
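# Pick the hostscan cache directory name for this platform. Only a macOS
# build and two Linux builds are fetched; any other platform has no cache
# to download from, so stop here instead of continuing with ARCH empty.
case $(uname) in
  Darwin)
    ARCH="darwin_x64"
    ;;
  Linux)  # capital L: this is what uname prints, a lower-case pattern never matches
    ARCH=$(uname -m)
    if [[ "$ARCH" == "x86_64" ]]; then
      ARCH="linux_x64"
    else
      ARCH="linux_i386"
    fi
    ;;
  *)
    printf 'Unsupported platform: %s\n' "$(uname)" >&2
    exit 1
    ;;
esac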
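HOSTSCAN_DIR="$HOME/.cisco/hostscan"
LIB_DIR="$HOSTSCAN_DIR/lib"
BIN_DIR="$HOSTSCAN_DIR/bin"
# create dirs (quoted so a $HOME containing spaces is not split into several paths)
for dir in "$HOSTSCAN_DIR" "$LIB_DIR" "$BIN_DIR"; do
  if [[ ! -d "$dir" ]]; then
    printf "Creating dir: %s\n" "$dir"
    # Later downloads land in these directories; stop now rather than fail one file at a time.
    mkdir -p "$dir" || { printf 'Cannot create %s\n' "$dir" >&2; exit 1; }
  fi
done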
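# download manifest
# NOTE(review): -k disables TLS certificate verification, so the manifest --
# which decides what gets downloaded and executed further down -- is fetched
# without authenticating the gateway. Drop -k (or pass --cacert) if the
# gateway's CA is available locally.
MANIFEST_URL="$CSD_HOSTNAME/CACHE/sdesktop/hostscan/$ARCH/manifest"
if ! curl -kLsS "$MANIFEST_URL" -o "$HOSTSCAN_DIR/manifest"; then
  # Without a manifest the loop below would run over a stale or empty file.
  printf 'Failed to download manifest from %s\n' "$MANIFEST_URL" >&2
  exit 1
fi
# The extended-regex flag differs between BSD sed (macOS) and GNU sed.
case $(uname) in
  Darwin)
    SED="sed -E"
    ;;
  *)
    SED="sed -r"
    ;;
esac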
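# Walk the manifest: once the parentheses are stripped, fields 2 and 4 of each
# line are "<file name> <expected md5>". A file is (re)downloaded only when no
# copy with that MD5 already exists under HOSTSCAN_DIR.
# NOTE(review): the expected hashes come from a manifest fetched with curl -k,
# so this is an integrity check against whatever server answered, not an
# authenticity check; MD5 is also not collision-resistant.
md5_of() {
  # Print only the MD5 hex digest of the file given as $1.
  # macOS ships md5(1) (-q prints just the digest); Linux has md5sum(1) instead.
  if command -v md5 >/dev/null 2>&1; then
    md5 -rq "$1"
  else
    md5sum "$1" | cut -d ' ' -f 1
  fi
}
# ${SED} is unquoted on purpose: it expands to "sed -E" or "sed -r".
# shellcheck disable=SC2086
${SED} 's/\(|\)//g' "$HOSTSCAN_DIR/manifest" | cut -d " " -f 2,4 | \
while read -r line; do
  read -ra TOKENS <<< "$line"
  [[ ${#TOKENS[@]} -ge 2 ]] || continue   # skip blank or malformed manifest lines
  NAME=${TOKENS[0]}
  EXPECTED_MD5=${TOKENS[1]}
  # The name is server-supplied and is joined onto DEST_DIR below; refuse
  # anything that could point outside that directory.
  if [[ "$NAME" == */* || "$NAME" == .* ]]; then
    printf 'Skipping manifest entry with unsafe name: %s\n' "$NAME" >&2
    continue
  fi
  # Look for an existing copy whose digest matches exactly (not merely as a substring).
  FOUND=
  while IFS= read -r -d '' candidate; do
    if [[ "$(md5_of "$candidate")" == "$EXPECTED_MD5" ]]; then
      FOUND=$candidate
      break
    fi
  done < <(find "$HOSTSCAN_DIR" -name "$NAME" -print0)
  if [[ -z "$FOUND" ]]; then
    if [[ "$NAME" = *.dylib ]]; then
      DEST_DIR="$LIB_DIR"
    else
      DEST_DIR="$BIN_DIR"
    fi
    FILE_URL="$CSD_HOSTNAME/CACHE/sdesktop/hostscan/$ARCH/$NAME"
    DEST="$DEST_DIR/$NAME"
    printf "Downloading %s to %s\n" "$NAME" "$DEST_DIR"
    # Some files are only served gzipped; probe the plain name first.
    if curl -o /dev/null -ks --head --fail "$FILE_URL"; then
      curl -kLsS "$FILE_URL" -o "$DEST"
    else
      curl -o - -kLsS "$FILE_URL.gz" | gunzip > "$DEST"
    fi
    # Do not leave a zero-byte file behind: it would be found next run with a
    # non-matching digest and be re-downloaded forever, or executed as is.
    if [[ ! -s "$DEST" ]]; then
      printf 'Download of %s failed; removing empty file\n' "$NAME" >&2
      rm -f -- "$DEST"
    elif [[ "$(md5_of "$DEST")" != "$EXPECTED_MD5" ]]; then
      # Warn only: it is not established here whether the manifest digest refers
      # to the plain or the gzipped form, so the file is kept.
      printf 'Warning: %s does not match the manifest digest\n' "$NAME" >&2
    fi
  else
    printf "%s already exists\n" "$NAME"
  fi
done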
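chmod -R u+x "$BIN_DIR"
# Keep the cstub arguments in an array so a value containing spaces or glob
# characters is passed as one argument instead of being re-split or expanded.
ARGS=(-log error -ticket "$TICKET" -stub "$STUB" -group "$GROUP" -host "$URL" -certhash "$CERTHASH")
# ":?" aborts if HOSTSCAN_DIR is somehow empty instead of running "rm -rf /log".
rm -rf -- "${HOSTSCAN_DIR:?}/log"
# Note: this echoes the -ticket value handed over by openconnect to stdout.
printf "Launching: %s/cstub %s\n" "$BIN_DIR" "${ARGS[*]}"
"$BIN_DIR/cstub" "${ARGS[@]}"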
@mcthomas wrote:
HIP script '/Users/Matt/csd-wrapper.sh' returned non-zero status: 127
This error message (HIP) suggests you're trying to use csd-wrapper.sh
with a GlobalProtect VPN, which makes no sense. It's intended only to work with Cisco AnyConnect VPNs. See our upstream docs for the correct script to use with GP/HIP.
@mcthomas wrote:
HIP script '/Users/Matt/csd-wrapper.sh' returned non-zero status: 127
This error message (HIP) suggests you're trying to use csd-wrapper.sh with a GlobalProtect VPN, which makes no sense. It's intended only to work with Cisco AnyConnect VPNs. See our upstream docs for the correct script to use with GP/HIP.
Thank you for your response. I had moved past this issue, and I should’ve left an update here. But you are correct, thank you.
When I launch the script I get a message:
"cstub" will damage your computer. You should move it to the trash
And it does not let you continue; there is no option in "Privacy and Security" to mark it as safe and allow its execution.
macOS version: Ventura 13.2.1
Is there a possibility to mark the script as safe for its execution?
Thank you so much
Hi, I run openconnect against my company's AnyConnect gateway using the csd-wrapper.sh script, but I get the following errors:
POST https://vpn.corp.xxxxx.com/
Connected to xxxx:443
Connected to HTTPS on xxxvpn.corp.xxx.com with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA512)-(AES-256-GCM)
XML POST enabled
Trying to run CSD Trojan script '/Users/jackzhang/dev/xxx/fb4452a4abdf9e4a9752a7d55d2cdc93/csd-wrapper.sh'.
execute CSD script /Users/jackzhang/dev/xxx/fb4452a4abdf9e4a9752a7d55d2cdc93/csd-wrapper.sh failed
CSD script '/Users/jackzhang/dev/xxx/fb4452a4abdf9e4a9752a7d55d2cdc93/csd-wrapper.sh' returned non-zero status: 1
Authentication may fail. If your script is not returning zero, fix it.
Future versions of openconnect will abort on this error.
Does that mean I didn't define CSD_HOSTNAME?
Thank you so much
Thanks for the quick response. I'll see what I can do.