Andris Raugulis (arthepsy), Evolution Gaming, Rīga, Latvia, https://arthepsy.eu. InfoSec and BSD.

arthepsy/pan-globalprotect-okta 35

PaloAlto Networks GlobalProtect VPN (integrated with OKTA) command-line client

arthepsy/chrome-disable-websockets 28

Chrome extension to disable WebSockets

arthepsy/deobf 13

Deobfuscate passwords (Jetty, WebStorm, etc)

arthepsy/emergedesktop 10

Emerge Desktop - replacement shell for Windows

arthepsy/kb 9

Various KB

arthepsy/lockrun 4

ensure only single instance of program is run at a time

arthepsy/bs2-evt-filter 1

Suprema BioStar 2 event filter

arthepsy/cve-tests 1

CVE advisories tests

arthepsy/connid-common 0

Common utils library for ConnId connectors

issue comment arthepsy/pan-globalprotect-okta

Login error message after disconnect

@gunslingerfry any luck hunting this down?

gunslingerfry

comment created time in a month

issue comment arthepsy/pan-globalprotect-okta

feedback after latest improvements

@cardonator sorry, had a wisdom teeth removal, was a bit off. my nick is moo#2174.

arthepsy

comment created time in a month

issue comment arthepsy/pan-globalprotect-okta

feedback after latest improvements

Weird. Oh apparently the whole left side is lowercase... maybe that will work?

Worked. Pending friend request.

arthepsy

comment created time in a month

created tag arthepsy/linux-portable-bin

tag 2020-05-28

Portable (static / old glibc linked) Linux binaries for red-team / blue-team

created time in a month

delete tag arthepsy/linux-portable-bin

delete tag : 2020-05-28

delete time in a month

push event arthepsy/linux-portable-bin

Andris Raugulis

commit sha 11d36f0632368c09c7db02119766e8992003bb67

Fix multiple option building in CI.

push time in a month

created tag arthepsy/linux-portable-bin

tag 2020-05-28

Portable (static / old glibc linked) Linux binaries for red-team / blue-team

created time in a month

push event arthepsy/linux-portable-bin

Andris Raugulis

commit sha 310b522fce536055419814389207f5661c2b96c7

Fixes breaking while loop after reading first line.

push time in a month

push event arthepsy/linux-portable-bin

Andris Raugulis

commit sha 6edf8f64249e07e860d6bfc2715e6f1327bc906a

Output arch while building.

push time in a month

push event arthepsy/linux-portable-bin

Andris Raugulis

commit sha ffa3363203c145295ca57291fc55bc0c525629e6

Debug Travis.

push time in a month

push event arthepsy/linux-portable-bin

Andris Raugulis

commit sha 004e6b999f51cb5089abbd1d6c5d000b9b90b208

Failure should return exit code 1 (not in subshell).

push time in a month

push event arthepsy/linux-portable-bin

Andris Raugulis

commit sha 34e4f310ef91aaedb03132a3d3969bb96510e03c

Ignore empty options.

push time in a month

push event arthepsy/linux-portable-bin

Andris Raugulis

commit sha 5b77a1e2cdb1ec78dd96910816dbb7c9f6017c43

Build and deploy most versions.

push time in a month

issue comment arthepsy/pan-globalprotect-okta

Login error message after disconnect

Can You write command-line with execute=0, so I can understand the situation better, e.g., what cookie is passed, auth is to gateway or portal, etc.

gunslingerfry

comment created time in a month

push event arthepsy/linux-portable-bin

Andris Raugulis

commit sha c533f18ef8d9ecba849554cb472cc1babb57dc0b

Version can be empty (meaning - latest).

push time in a month

push event arthepsy/linux-portable-bin

Andris Raugulis

commit sha 46a7c8b230452aa07ae2021302b8c1885351be8b

Convert TravisCI to job matrix.

push time in a month

push event arthepsy/linux-portable-bin

Andris Raugulis

commit sha 15fdeb91c33bafd6d28625338862517a8dc8e781

Fix "./run.sh: 28: shift: can't shift that many"

push time in a month

push event arthepsy/linux-portable-bin

Andris Raugulis

commit sha fe3d1c85dd7c94729ad773067d057704638877a4

Ensure writing to build.log.

push time in a month

push event arthepsy/linux-portable-bin

Andris Raugulis

commit sha deb8a6ece922292e45c104cd6a958a7aa6382f92

Fix TravisCI errors (too long log file, keep empty directories). Stop build on first error.

push time in a month

push event arthepsy/linux-portable-bin

Andris Raugulis

commit sha acfae3ee3e2509c3cc02ee8b91ce640dbda96d11

Build and deploy all tools.

push time in a month

delete tag arthepsy/linux-portable-bin

delete tag : 2020-03-21

delete time in a month

release arthepsy/linux-portable-bin

2020-03-21

released time in a month

created tag arthepsy/linux-portable-bin

tag 2020-03-21

Portable (static / old glibc linked) Linux binaries for red-team / blue-team

created time in a month

delete branch arthepsy/linux-portable-bin

delete branch : 2020-03-20

delete time in a month

create branch arthepsy/linux-portable-bin

branch : 2020-03-20

created branch time in a month

delete tag arthepsy/linux-portable-bin

delete tag : v1.0-pre

delete time in a month

release arthepsy/linux-portable-bin

v1.0-pre

released time in a month

created tag arthepsy/linux-portable-bin

tag v1.0-pre

Portable (static / old glibc linked) Linux binaries for red-team / blue-team

created time in a month

release arthepsy/linux-portable-bin

v1.0-pre

released time in a month

delete tag arthepsy/linux-portable-bin

delete tag : v1.0-pre

delete time in a month

push event arthepsy/linux-portable-bin

Andris Raugulis

commit sha d32ee0b85e07ed8000928ac40adfab450d1a5947

Test tagged releases.

push time in a month

issue comment arthepsy/pan-globalprotect-okta

feedback after latest improvements

Sir_Brizz#5340

Hm, didn't work. Double check that capitalization, spelling, any spaces, and numbers are correct.

arthepsy

comment created time in a month

issue opened arthepsy/linux-portable-bin

use smaller image for shared binary building

dockcross is pretty big (size-wise) compared to musl.cc, so a good alternative (cross compiling with glibc) would be great.

created time in a month

issue comment arthepsy/pan-globalprotect-okta

Login error message after disconnect

Is this with execute=1? Can You try specifying execute=0 and check that command-line manually? Because the command-line You provided doesn't come from pan-globalprotect-okta, as it supports passing cookies, not passwords.

Otherwise, by description, it seems like after You ^C (disconnect), openconnect for some reason asks something and gets passed the cookie a second time as username. In this case, setting openconnect_fmt=<cookie> would help. Care to check that out, also?

gunslingerfry

comment created time in a month

created tag arthepsy/linux-portable-bin

tag v1.0-pre

Portable (static / old glibc linked) Linux binaries for red-team / blue-team

created time in a month

push event arthepsy/linux-portable-bin

Andris Raugulis

commit sha d9f295dc9311b966d2442deadc30f946d097c3aa

Build and release masscan with TravisCI.

push time in a month

push event arthepsy/linux-portable-bin

Andris Raugulis

commit sha e24cc2204d4fb9f00dff38788629a61623051605

Build masscan artifacts with TravisCI and publish them.

push time in a month

push event arthepsy/linux-portable-bin

Andris Raugulis

commit sha ccd6387c8518f2ee3c329271eda93d15be982c8c

Test TravisCI.

push time in a month

push event arthepsy/linux-portable-bin

Andris Raugulis

commit sha 3ae1803a6245c06e49200dfbee3d464a7af43f82

Test TravisCI.

push time in a month

push event arthepsy/linux-portable-bin

Andris Raugulis

commit sha 2697b95e5359c4678d64565ad1bc7dffe88f50a8

Test TravisCI.

push time in a month

push event arthepsy/linux-portable-bin

Andris Raugulis

commit sha f669e6a2ff836ce9f0814afc6dfca2e67a2adb13

Test TravisCI.

push time in a month

push event arthepsy/linux-portable-bin

Andris Raugulis

commit sha 0690b0f78502bed10b73ded3b037c87abfc2c97b

Test TravisCI

push time in a month

push event arthepsy/linux-portable-bin

Andris Raugulis

commit sha c6b125f11d6cf6e7c5f0eb2a252a74c5bf170050

Test TravisCI.

push time in a month

push event arthepsy/linux-portable-bin

Andris Raugulis

commit sha 6dda8bf1b95faee85f2c26dbdf6665b81cbbadb9

Test TravisCI.

push time in a month

push event arthepsy/linux-portable-bin

Andris Raugulis

commit sha ce90593835f44f3cc51fe2d98478222a1e7d939a

Test TravisCI.

push time in a month

push event arthepsy/linux-portable-bin

Andris Raugulis

commit sha 789a93cbabcc8fca74841a98bcb315f439d7dde6

Test out TravisCI.

push time in a month

issue comment arthepsy/pan-globalprotect-okta

feedback after latest improvements

That's exactly what happened. Unfortunately, my primary gateway name is also the URL for the portal so I don't know how that ends up confusing things. Adding the portal URL to the gateway_url config fixed it, but it is pretty confusing how I can't do the portal->gateway dance that the regular GP client does.

I feel like this is a config issue. Or very interesting edge case :) Would like to figure it out, either way. Is there some IM (irc, discord, etc) I could catch You to work this out?

At any rate, I'm now ready to give my sign off on this release! 👍

Thanks :)

arthepsy

comment created time in a month

issue comment arthepsy/pan-globalprotect-okta

feedback after latest improvements

You're right, @arthepsy I was being dumb 👍 I did need to define the gateway_url, was missing that in the new config because I was used to how it was originally implemented. Once I added that in, it worked just fine.

Actually, somebody broke how everything should work (for everybody authenticating to portal), i.e., gateway was the name of the gateway (or authgroup in openconnect), not its URL, but it got changed in forks and guys got used to it... probably, You, too. So it completely broke one of three methods how to connect to VPN. I briefly explained all three methods in https://github.com/arthepsy/pan-globalprotect-okta/issues/21#issuecomment-634217277 ... and as it's actually URL, I had to rename gateway_url.

arthepsy

comment created time in a month

push event arthepsy/pan-globalprotect-okta

Andris Raugulis

commit sha f88beb9d076c3371dc4697cea0ec3b7a85d169d5

Provide other MFA in config. Fixes #22.

push time in a month

issue closed arthepsy/pan-globalprotect-okta

Include the other mfa methods in the configuration sample

The configuration file has #mfa_order = totp sms

It's pretty clear what that does but unless you look at the code you don't know that there are other methods available, specifically 'push' and 'webauthn'

closed time in a month

gunslingerfry

issue comment arthepsy/pan-globalprotect-okta

Include the other mfa methods in the configuration sample

Yes I forgot. Awesome addition, thanks!

gunslingerfry

comment created time in a month

issue comment arthepsy/pan-globalprotect-okta

feedback after latest improvements

Sorry to conflate two issues. No worries on the vpnc script/openconnect thing, just doing raw openconnect commands with no vpnc script will cause that error so it's definitely not anything you are doing.

The invalid user name and logout failed message is returned only when using the gp-okta script though. Raw openconnect commands work fine.

What do You mean by "raw openconnect commands"? Could You elaborate (go ahead and open another issue)? Maybe, just maybe, it's because You're using openconnect before 8.05 and providing cookie twice somehow affects vpnc script (it doesn't affect for me, though). If that's the case, fast workaround would be to use openconnect_fmt = <cookie>. But I would like to resolve this issue, if that's really an issue.

arthepsy

comment created time in a month

issue comment arthepsy/pan-globalprotect-okta

feedback after latest improvements

You're right, @arthepsy I was being dumb 👍 I did need to define the gateway_url, was missing that in the new config because I was used to how it was originally implemented. Once I added that in, it worked just fine.

What I find weird in my config is that I can't auth with the portal and then connect to a gateway even though that's how the first party app works. But I guess I shouldn't look a gift horse in the mouth 😄

Yes, you can. It's how it's working in default config mode. It's how it's working for me. Just provide vpn_url as portal URL. You probably have defined gateway as vpn_url and that is the issue.

arthepsy

comment created time in a month

issue comment arthepsy/pan-globalprotect-okta

feedback after latest improvements

@cardonator there are 3 types of connections:

  1. if You have default config, script connects to vpn_url (portal) ... chooses gateway (name) and provides portal:userauthcookie to vpn_url (portal).
  2. if You have default config with gateway_url (gateway), script connects to gateway_url and provides gateway:prelogin-cookie
  3. if You have default config with another_dance=1, script connects vpn_url (portal), then to gateway and at the end provides gateway:prelogin-cookie

Please, check Your config file for correct URL and setting usage.

arthepsy

comment created time in a month
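The three connection modes listed in the comment above, as an added illustrative model rather than gp-okta.py's own code. The config keys (vpn_url, gateway_url, gateway, another_dance), the cookie/usergroup pairs and the two prelogin paths are taken from this thread; `discovered_gateway_url`, the function names and the sample values are assumptions made here.

```python
import shlex

# Endpoint paths quoted later in this thread: the portal answers under
# /global-protect/, a gateway under /ssl-vpn/.
PORTAL_PRELOGIN = '/global-protect/prelogin.esp'
GATEWAY_PRELOGIN = '/ssl-vpn/prelogin.esp'

# Cookie each role accepts and the --usergroup value announcing it
# (taken from the printf | openconnect lines posted in the thread).
ROLE_COOKIE = {
    'portal': ('portal-userauthcookie', 'portal:portal-userauthcookie'),
    'gateway': ('prelogin-cookie', 'gateway:prelogin-cookie'),
}


def plan_connection(conf, discovered_gateway_url=None):
    """Map the three gp-okta.conf modes to the host openconnect is pointed at
    and the cookie that host expects.  `conf` is a dict of gp-okta.conf keys;
    `discovered_gateway_url` (hypothetical parameter) stands in for the
    gateway address the portal returns during the another_dance=1 flow."""
    vpn_url = conf.get('vpn_url', '').strip()
    gateway_url = conf.get('gateway_url', '').strip()
    gateway = conf.get('gateway', '').strip()
    if not vpn_url:
        raise ValueError('vpn_url must always point to the portal')
    if gateway_url:
        # Mode 2: connect straight to the gateway; the gateway name is unused.
        role, url, authgroup, mode = 'gateway', gateway_url, None, 2
    elif conf.get('another_dance', '0').strip() == '1':
        # Mode 3: portal first, then the gateway it hands back.
        if not discovered_gateway_url:
            raise ValueError('another_dance=1 but the portal returned no gateway URL')
        role, url, authgroup, mode = 'gateway', discovered_gateway_url, None, 3
    else:
        # Mode 1: authenticate at the portal and pick the gateway by name.
        role, url, authgroup, mode = 'portal', vpn_url, gateway or None, 1
    prelogin = PORTAL_PRELOGIN if role == 'portal' else GATEWAY_PRELOGIN
    return {'mode': mode, 'role': role, 'url': url, 'authgroup': authgroup,
            'prelogin': url.rstrip('/') + prelogin}


def openconnect_command(plan, cookies, username, cafile=None):
    """Render the printf | openconnect pipeline for a plan.  `cookies` maps
    cookie names to values from the Okta/SAML exchange.  Sending a portal
    cookie to a gateway (or the reverse) is the mismatch diagnosed in this
    thread, so it is rejected here instead of being handed to openconnect."""
    cookie_name, usergroup = ROLE_COOKIE[plan['role']]
    if cookie_name not in cookies:
        raise ValueError('%s expects %s, but only %s available'
                         % (plan['role'], cookie_name, sorted(cookies)))
    argv = ['openconnect', '--protocol=gp', '-u', username,
            '--usergroup', usergroup, '--passwd-on-stdin']
    if plan['authgroup']:
        argv.append('--authgroup=' + plan['authgroup'])
    if cafile:
        argv.append('--cafile=' + cafile)
    argv.append(plan['url'])
    stdin = cookies[cookie_name] + '\n'
    cmd = "printf '%s\\n' " + shlex.quote(cookies[cookie_name]) + ' | ' \
        + ' '.join(shlex.quote(a) for a in argv)
    return cmd, stdin


def demo():
    # Constructed sample configuration and cookie value (not real data).
    conf = {'vpn_url': 'https://portal.example.test', 'gateway': 'FRANKFURT'}
    plan = plan_connection(conf)
    return openconnect_command(plan, {'portal-userauthcookie': 'c0ns7ruct3d'},
                               'corp\\user')[0]


if __name__ == '__main__':
    print(demo())
```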

issue comment arthepsy/pan-globalprotect-okta

feedback after latest improvements

Sorry to keep posting in here in real-time.......

I think the last paragraph of my previous message is on to something. Here are the two connect commands generated by the different versions:

coldcoff:

printf '<prelogin-cookie>\n<gatewayname>' | sudo openconnect --protocol=gp -u 'corp\myusername' --usergroup gateway:prelogin-cookie --passwd-on-stdin --csd-wrapper=hipreport.sh 'https://<gatewayurl>'

master:

printf '<portal-userauthcookie>\n<portal-userauthcookie>' | sudo openconnect --protocol=gp -u 'corp\myusername' --authgroup='<gatewayname>' --usergroup portal:portal-userauthcookie --cafile='/tmp/gpvpn_n812df_j' --passwd-on-stdin --csd-wrapper=hipreport.sh 'https://<gatewayurl>/'; rm -f '/tmp/gpvpn_n812df_j'

The top command connects fine, the bottom one fails with the message above every time.

Yes, as You see, it's providing portal-userauthcookie, which is meant for PORTAL, but You're connecting to GATEWAY. Reason is, seems that You have configured gateway as portal URL as I described before. If You want to connect directly to gateway, then You must use gateway_url. Please check config file in master, it's documented.

arthepsy

comment created time in a month

issue comment arthepsy/pan-globalprotect-okta

feedback after latest improvements

@cardonator where is this error from? Seems packed from multiple sources. Doesn't look like either Python script or openconnect output. Could You reformat it a bit? What's the command-line and printf pipe contents?

This is literally every message that is printed out after finishing the Okta handshake. I can set execute to 0 to see what command it constructed. It might be helpful to note that I was also always getting this error on this repo without coldcoff changes prior to merge, so this is the same behavior I had over a week ago.

Interesting. I see something completely off:

[INFO] prelogin-cookie: <prelogin cookie>

POST https://gatewayurl/global-protect/prelogin.esp?tmp=tmp&clientVer=4100&clientos=Linux
Connected to <gatewayIP>

prelogin-cookie is provided to gateway, but You're connecting to gateway as it was portal, because it's using /global-protect/.

To clarify, this exact config works on coldcoff-master but not on actual master.

I am vaguely remembering something, though. I did have an issue at one point where the settings were making the cookie get passed as portal:portal-userauthcookie but my portal wanted gateway:prelogin-cookie instead. That went away on the coldcoff branch at some point, though. (I just tried forcing it both ways and it had no effect)

Yes, it seems that You haven't updated Your config. Please, check current .conf file. Also, I see that You're using vpn_url = https://gatewayurl/, which is wrong. vpn_url should always point to portal. This probably is the cause for errors.

If You want to directly connect to gateway, provide gateway_url in config with its URL.

arthepsy

comment created time in a month

issue comment arthepsy/pan-globalprotect-okta

feedback after latest improvements

Ok, I'm wrong, it's not the vpnc script, I think openconnect is doing this. I'll check in at the openconnect repo to see if that's been reported. I am getting this after shutting down though. Logout successful is what I'm used to seeing.

Invalid user name
Logout failed.

I would suggest creating simple vpnc scripts and figuring it out. Example:

#!/bin/sh
env

arthepsy

comment created time in a month

push event arthepsy/linux-portable-bin

Andris Raugulis

commit sha fd1fae8f7426fa5ee8f4d6d98df9036996afb146

Add description, usage and supported software.

push time in a month

issue comment arthepsy/pan-globalprotect-okta

feedback after latest improvements

@gunslingerfry awesome! I was thinking it should be pretty much perfect now. Regarding vpnc script, that's a thing You should figure out, if interested. Don't recall such issues.

arthepsy

comment created time in a month

issue comment arthepsy/pan-globalprotect-okta

feedback after latest improvements

@cardonator where is this error from? Seems packed from multiple sources. Doesn't look like either Python script or openconnect output. Could You reformat it a bit? What's the command-line and printf pipe contents?

Your description seems that it's somehow providing wrong cookie to portal or gateway (don't know Your config) for some reason. Can't think of reason, though. What's your config, i.e., are You connecting to portal, gateway, doing another dance, etc? Is another_dance or gateway_url configured?

arthepsy

comment created time in a month

issue comment arthepsy/pan-globalprotect-okta

feedback after latest improvements

Just wanted to let you know that the latest version doesn't work with my portal at all now :)

Oh, come on :) What's the issue?

arthepsy

comment created time in a month

push event arthepsy/pan-globalprotect-okta

Andris Raugulis

commit sha b637ea902832e4d6d3b6f610456188207a832081

Debug option should not be exposed by default in config.

push time in a month

push event arthepsy/pan-globalprotect-okta

Andris Raugulis

commit sha 71e7944cc32ecfdd1bf791bab4650faff5bce0bb

Refactor config file reading (also with GnuPG).

push time in a month

push event arthepsy/pan-globalprotect-okta

Andris Raugulis

commit sha bea8cc88253db30e46a0177f8408c8fbb5beea6c

Fix some pylint reported issues.

push time in a month

push event arthepsy/pan-globalprotect-okta

Andris Raugulis

commit sha da0638fd1226d737097525280ca0739988152abc

Add short arguments. Reorder imports. Shorten main().

push time in a month

issue comment arthepsy/pan-globalprotect-okta

feedback after latest improvements

Ship it :-) If I advertise here locally, you will soon get ~ 20-30 users. I'll need to write up some "How-to-Update" document for them (for the gp-okta.conf)

Yay, would be great. Also, not keeping different forks. I'll test one feature (gpg) in Your pull request and then ship it.

arthepsy

comment created time in a month

issue comment arthepsy/pan-globalprotect-okta

feedback after latest improvements

@coldcoff check my comments before. You need other _cert defined and it will work.

arthepsy

comment created time in a month

issue comment arthepsy/pan-globalprotect-okta

feedback after latest improvements

Wait, do You expect vpn_url_cert to be verified, when You use gateway_url? It won't. It's written in configuration description. vpn_url_cert is verified only for vpn_url. If You want to verify gateway_url, then create any *_cert, e.g., my_super_gateway_cert=... and it will be verified.

arthepsy

comment created time in a month

issue comment arthepsy/pan-globalprotect-okta

feedback after latest improvements

I corrupted my vpn_url_cert (copied okta_url_cert over it) to force a failure.

Bad: The connection is still established. The get_verify just returns True for the prelogin request.

Please consider the following patch:

diff --git a/gp-okta.py b/gp-okta.py
index 4eb2467..a107fa1 100755
--- a/gp-okta.py
+++ b/gp-okta.py
@@ -260,8 +260,11 @@ class Conf(object):
                        return self._store['okta_url_cert']
                if name == 'portal' and 'vpn_url_cert' in self._store:
                        return self._store['vpn_url_cert']
-               if name == 'gateway' and self._ocerts:
-                       return self.certs
+               if name == 'gateway':
+                       if self._ocerts:
+                               return self.certs
+                       elif 'vpn_url_cert' in self._store:
+                               return self._store['vpn_url_cert']
                return default_verify
 
        def get_line(self, name):
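Review bot: in the `if name == 'gateway':` block, `self.certs` is still returned whenever `self._ocerts` is non-empty, so the new `elif 'vpn_url_cert' in self._store` fallback only takes effect when the getconfig response carried no certificates; an operator-configured `vpn_url_cert` is still displaced by certificates received from the peer. If the intent is that configured material wins, test `'vpn_url_cert' in self._store` first and fall back to `self.certs` only afterwards. Minor: after the `return`, the `elif` can be a plain `if`.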

otherwise a malicious gateway can inject arbitrary self._ocerts via a faked getconfig response.

Now it fails, as expected:

requests.exceptions.ConnectionError: HTTPSConnectionPool(host='vpn-someplace.company.com', port=443): Max retries exceeded with url: /ssl-vpn/prelogin.esp (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'ssl3_get_server_certificate', 'certificate verify failed')],)",),))

I don't understand Your description in context with patch. If You changed vpn_url_cert, then it is verified in line before:

                if name == 'portal' and 'vpn_url_cert' in self._store:
                        return self._store['vpn_url_cert']

arthepsy

comment created time in a month
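An added example, not the project's code, modelling the verification precedence argued over in the patch above: operator-configured *_cert entries are consulted before anything the gateway returned in its getconfig response, so injected `_ocerts` cannot displace a pinned CA. The Conf shape (`_store`, `_ocerts`, `certs`, `get_verify`) follows the quoted patch; `verify_source()`, `_extra_certs()` and the sample values are constructed here.

```python
import os
import tempfile

DEFAULT_VERIFY = True  # requests' default: validate against the system CA store


class Conf(object):
    """Minimal stand-in for the Conf class in the quoted patch (reconstructed,
    not the project's code).  _store holds gp-okta.conf key/value pairs;
    _ocerts holds the CA certificates the gateway returned in its getconfig
    response, i.e. material chosen by the very peer we are about to verify."""

    def __init__(self, store, server_certs=None):
        self._store = dict(store)
        self._ocerts = list(server_certs or [])
        self._bundle = None

    @property
    def certs(self):
        """Path to a temporary PEM bundle holding the server-supplied certs."""
        if self._bundle is None:
            fd, path = tempfile.mkstemp(prefix='gpvpn_', suffix='.pem')
            with os.fdopen(fd, 'w') as fh:
                fh.write(''.join(self._ocerts))
            self._bundle = path
        return self._bundle

    def _extra_certs(self):
        """Any *_cert key beyond the two well-known ones, e.g. the
        my_super_gateway_cert suggested in the thread."""
        return [k for k in self._store
                if k.endswith('_cert') and k not in ('okta_url_cert', 'vpn_url_cert')]

    def verify_source(self, name):
        """Where the CA material for peer `name` ('okta', 'portal', 'gateway')
        comes from: 'config' (operator-pinned), 'server' (sent by the gateway)
        or 'default' (system store)."""
        if name == 'okta':
            return 'config' if 'okta_url_cert' in self._store else 'default'
        if name == 'portal':
            return 'config' if 'vpn_url_cert' in self._store else 'default'
        if name == 'gateway':
            # Pinned material wins: a gateway-specific *_cert, then the
            # vpn_url_cert fallback the patch introduces.
            if self._extra_certs() or 'vpn_url_cert' in self._store:
                return 'config'
            # Only with nothing pinned do we trust what the gateway handed us.
            if self._ocerts:
                return 'server'
        return 'default'

    def get_verify(self, name, default_verify=DEFAULT_VERIFY):
        """Value for requests' verify= parameter when contacting `name`."""
        source = self.verify_source(name)
        if source == 'default':
            return default_verify
        if source == 'server':
            return self.certs
        if name == 'okta':
            return self._store['okta_url_cert']
        extra = self._extra_certs()
        if name == 'gateway' and extra:
            return self._store[extra[0]]
        return self._store['vpn_url_cert']


def demo():
    # Constructed scenario: the operator pins vpn_url_cert while a hostile
    # gateway injects its own CA through a forged getconfig response.
    conf = Conf({'vpn_url': 'https://vpn.example.test',
                 'vpn_url_cert': '/etc/gp/vpn-ca.pem'},
                ['-----BEGIN CERTIFICATE-----\nCONSTRUCTED\n-----END CERTIFICATE-----\n'])
    return conf.verify_source('gateway'), conf.get_verify('gateway')


if __name__ == '__main__':
    print(demo())  # ('config', '/etc/gp/vpn-ca.pem'): the injected CA is ignored
```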

issue comment arthepsy/pan-globalprotect-okta

feedback after latest improvements

I was able to test 1) direct gateway config 2) simple portal config 3) second auth dance 4) cert verification. I am not able to test client certificates.

arthepsy

comment created time in a month

issue comment arthepsy/pan-globalprotect-okta

feedback after latest improvements

Note: I am still able to connect after all of your recent changes yesterday and today, using the current HEAD.

Does it work with certificate authentication and verification? If so, then all seems great and pretty much ready for release.

arthepsy

comment created time in a month

issue comment arthepsy/pan-globalprotect-okta

feedback after latest improvements

xxx_cli_cert -> could we probably rename that to xxx_client_cert ?

At least I always understand "cli" as "commandline", not "client" in my abbreviation 1st level cache.

Heh, good note. Now when You mention it, I also have seen "cli" as "command-line", but in server/client context, usually I see "srv" and "cli". Anyway, I wanted to make the config name in the same lines as _url_, i.e., 3-letter. Anyhow, it's documented in .conf, so it wouldn't make any confusion.

arthepsy

comment created time in a month

issue comment arthepsy/pan-globalprotect-okta

feedback after latest improvements

gateway = vpn-someplace.company.com
gateway_url = https://vpn-someplace.company.com

I understand that for you this rule does not apply, but could you probably add a shortcut that gateway_url can be automatically constructed from gateway if unset?

That would not make sense. How would that work? For example, my gateway is named "FRANKFURT". What domain should I add? For others, also, that is only a name, not URL and in most cases, not even related to URL.

gateway is Gateway name (see openconnect --authgroup option). gateway_url is URL to direct connect to gateway.

By the way, in Your case, when You use gateway_url, You don't need gateway. That is the reason it worked for You before (where pull request wrongly reworked gateway only for that case).

arthepsy

comment created time in a month

issue comment arthepsy/pan-globalprotect-okta

feedback after latest improvements

File is not deleted, because it is passed as command-line option (-cafile) to openconnect. How otherwise openconnect would use it, if it was deleted?

In the previous code the temp file existed as long as the python object holding/referencing it existed (which is basically the runtime of gp-okta.py.) (see: https://docs.python.org/2/library/tempfile.html) So it elegantly was also still there when python is calling the subcommand to start openconnect, because at that time the python script and the temp file object are still "alive". You are right, this won't work in the execute = 0 case, this was an oversight. I did not realize, because I have a concrete file name (~/etc/openconnect/openconnect.certs) in my gp-okta.conf.

I reworked it to delete it automatically if execute=1, otherwise file is not deleted and rm -f command is outputted.

@coldcoff... I've made another several rounds of improvements. Would be nice if You could check it out and give feedback. Trying to release 1.00 ;)

Will do.

Would be awesome!

arthepsy

comment created time in a month

push event arthepsy/pan-globalprotect-okta

Andris Raugulis

commit sha 1074961df931e94d55dbcc13f098fe3c88d1a6a5

Update readme.

push time in a month

issue closed arthepsy/pan-globalprotect-okta

Script fails with err: did not find saml request

With everything configured correctly, the script fails with

# prelogin.response:
status code: 200, text:
<?xml version="1.0" encoding="UTF-8" ?>
<prelogin-response>
<status>Success</status>
<ccusername></ccusername>
<autosubmit>false</autosubmit>
<msg></msg>
<newmsg></newmsg>
<authentication-message>Enter login credentials</authentication-message>
<panos-version>1</panos-version><region>US</region>
</prelogin-response>
---
err: did not find saml request

closed time in a month

pcbmaster

issue comment arthepsy/pan-globalprotect-okta

Script fails with err: did not find saml request

This means that portal/gateway doesn't support SAML authentication. Either that or You didn't provide correct URL.

pcbmaster

comment created time in a month

issue comment arthepsy/pan-globalprotect-okta

feedback after latest improvements

@coldcoff @gunslingerfry @cardonator I've made another several rounds of improvements. Would be nice if You could check it out and give feedback. Trying to release 1.00 ;)

arthepsy

comment created time in a month

push event arthepsy/pan-globalprotect-okta

Andris Raugulis

commit sha 31f986718d4fa9f4e7f3336389d3eedd480d7daa

Upgrade Dockerfile (anybody using it?).

push time in a month

push event arthepsy/pan-globalprotect-okta

Andris Raugulis

commit sha 18b0ea085fc63bd62331b5127f897e9d56cb5965

Some pylint fixes.

push time in a month

push event arthepsy/pan-globalprotect-okta

Andris Raugulis

commit sha d801a6e91e2cc823e137de2d08548e96e3d4aee8

Refactor portal/gateway authentication to be more clear for code reader. While there, fix some issues, regarding choosing either portal or gateway.

push time in a month

push event arthepsy/pan-globalprotect-okta

Andris Raugulis

commit sha 246ea3a8d31d487f9adad7db97891a2bdd28affa

Pass gateway in command-line, not in stdin.

push time in a month

push event arthepsy/pan-globalprotect-okta

Andris Raugulis

commit sha f91eb3843a82851512093e07db823cfd6138ebf9

Fix temporary certificate file removal, mentioned in #21.

push time in a month

push event arthepsy/pan-globalprotect-okta

Andris Raugulis

commit sha f0a3c8ec2c9302df833bafef53d1ab946b36582f

Rework certificate verification.

push time in a month

issue comment arthepsy/pan-globalprotect-okta

feedback after latest improvements

@gunslingerfry seems interesting. Would like to reproduce such error. Can You share what is the shell, where You execute that script? Never seen such issue.

Anyhow, I will remove that part (today), after I finish reworking certificates part (doing that now), so You'll probably be able to run the script either way.

arthepsy

comment created time in a month

issue comment arthepsy/pan-globalprotect-okta

feedback after latest improvements

Looks like you've got 'command' instead of the actual command at line 955.

  File "./gp-okta.py", line 992, in <module>
    sys.exit(main())
  File "./gp-okta.py", line 955, in main
    p  = subprocess.Popen(['command', '-v', openconnect_bin], stdin=subprocess.PIPE, stdout=fnull, stderr=subprocess.STDOUT)
  File "/usr/lib/python3.8/subprocess.py", line 854, in __init__
    self._execute_child(args, executable, preexec_fn, close_fds,
  File "/usr/lib/python3.8/subprocess.py", line 1702, in _execute_child
    raise child_exception_type(errno_num, err_msg, err_filename)
FileNotFoundError: [Errno 2] No such file or directory: 'command'

Wow. You don't have command utility? Which OS You're using? Can You test that in the shell: command -v openconnect

arthepsy

comment created time in a month

push event arthepsy/pan-globalprotect-okta

Andris Raugulis

commit sha b53657b767ce2465b0ec1946bdf81e74b1ba43a1

Do not use client certificate, if not specified.

push time in a month

issue comment arthepsy/pan-globalprotect-okta

feedback after latest improvements

@coldcoff do You know what certificates are returned in "getconfig" request, where responding SAML could contain //root-ca/cert? I'm assuming it's only for gateways, but want to make sure.

arthepsy

comment created time in a month

push event arthepsy/pan-globalprotect-okta

Andris Raugulis

commit sha 15d03e2ca29bcc4cef3a8f0521fb1adc27fc1439

Fix usage of client certificates, as noted in #21.

push time in a month

issue comment arthepsy/pan-globalprotect-okta

feedback after latest improvements

  1. add a new option gateway_url = zzz basically duplicating my old, existing gateway = zzz option, so now I have
    gateway = vpn-someplace.company.com
    gateway_url = https://vpn-someplace.company.com

I don't even get how this worked for You before. I commented my issues in pull request. Gateway is named and can be passed (I will rework it to be in such way) either in command-line as authgroup or in execution. But never as URL.

How did You execute it before and how did it work? If it connected directly to gateway (_url), fine, but then, when it passed in pipe, e.g., printf cookie|gateway_url ... that shouldn't have worked. Baffles me.

arthepsy

comment created time in a month

issue comment arthepsy/pan-globalprotect-okta

feedback after latest improvements

One more, sorry ...

That here: image

is not working for me. for some reason it is no separate command? My openconnect complains that it does not know anything about a "-f"

Good point. Didn't test this part. Will check and issue fix.

image

Commenting out the two lines makes openconnect start & connect! Can you please rework the deletion?

It seems to be needed now as the file is not automagically deleted anymore: image and was introduced in commit 9eea095

File is not deleted, because it is passed as command-line option (-cafile) to openconnect. How otherwise openconnect would use it, if it was deleted? Maybe if it's piping (printf ... | ./openconnect), then while pipe is open, all would be good. But if somebody wants to not use execute flag, and executes manually? File is gone. Therefore it mustn't be deleted. Don't You agree?

Unfortunately our VPN doesn't have client certificates and I can only go by pull request comments and sane ideas, but not able to test. Do You have client certificate VPN You can test with?

arthepsy

comment created time in a month

issue comment arthepsy/pan-globalprotect-okta

feedback after latest improvements

Thanks for merging my changes and improving it even further! Wonderful that we are now reducing the variety of forks!

I am just trying to use your new, consolidated version and to abandon my own.

Yes, I want to merge everything, improve it, get You guys test it, and release 1.00, so it can be referenced.

I saw that in commit 9eea095 you reworked the certificate parts.

Now we have a vpn_cli_cert and a okta_cli_cert.

From reading the code I see that you use the okta_cli_cert in all of the python parts and vpn_cli_cert (only) for the final openconnect call.

This is confusing.

I was going with comment from https://github.com/aclindsa/pan-globalprotect-okta/pull/1#issuecomment-499841729 ... and trying to make it future-proof.

So, basically, we have a client certificate for connecting to OKTA (python requests). And other client certificate to which authenticate portal/gateway with (which is passed in command-line to openconnect). They are two different certificates, right?

The python part is connecting to the vpn_url (portal & Gateway) and also to the okta_url (3rd Party service).

Especially in my case only vpn_url is really using and checking client certificates, okta does not know anything about our CA, But I now need to set okta_cli_cert to present my certificate to the gateway?

Is Okta really checking anyones client certificates? Is that a feature? At least for me they never asked for any client certificates.

I see the issue now. We have 5 different connections:

  1. to OKTA in Python script
  2. to PORTAL in Python script
  3. to GATEWAY in Python script
  4. to PORTAL in command-line
  5. to GATEWAY in command-line

If you would like to keep the newly introduced separation I would suggest to rename vpn_cli_cert and okta_cli_cert to vpn_cli_cert -> openconnect_cli_cert, okta_cli_cert -> ??? (maybe gp-okta_cli_cert?) Maybe you have some idea?

At least having to set okta_cli_cert to present it to vpn_url seems not intuitive?

I was going with same naming scheme as _url. So okta_url will be provided okta_cli_cert and vpn_url will be provided vpn_cli_cert. Doesn't that seem sane?

Only thing seem to fix code, where to use each certificate. Currently it wrongly uses okta_cli_cert for communication with portal/gateway in Python script.

Do You agree?

arthepsy

comment created time in a month

issue comment arthepsy/pan-globalprotect-okta

feedback after latest improvements

Could You try latest-commit and see if that works? If not, please, provide a full error.

arthepsy

comment created time in a month

push event arthepsy/pan-globalprotect-okta

Andris Raugulis

commit sha b977409ae08f037ff151fefbe92aca24bd7c2e99

Write bytes, not str.

push time in a month

push event arthepsy/pan-globalprotect-okta

Andris Raugulis

commit sha bc46b987d6ee351b50cefe5a486400b775faf691

Rename example URLs.

push time in a month
