
jvpn's Introduction

Project status update: I do not have access to the Juniper VPN host anymore,
so the project is stalled. Feel free to fork it or use one of the 30+ forks :)

jvpn.pl is a script to connect to a Juniper firewall with Host Checker enabled.

Features
 * Emulates a web browser to obtain the authentication data
 * Automatically starts the Juniper client and passes the data to it over a TCP
   connection (this is not possible from the command line).
 * Can download the Linux client from the Juniper VPN server without a browser or
   Java.
 * Supports launching Host Checker to perform checks on the client host.
 * Can protect resolv.conf by setting the +i (immutable) attribute for the
   duration of the connection
 * Works without a Java VM on x86 and x86_64 hosts
 * Can run scripts on connect/disconnect events
 * Integrates with external password/token providers, including the "stoken" RSA
   softkey.

Requirements
 * Perl with LWP modules
 * openssl binary
 * unzip (only for client unpacking)

Usage
To configure the script, edit jvpn.ini. If the client is not installed yet, run
jvpn.pl under sudo and it will download and install it automatically. If you
want to run it without sudo, set the suid bit on the "ncsvc" binary.
If you have multiple configurations, use the --conf switch to specify the ini file.
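Setting the suid bit on ncsvc, as suggested above for running without sudo, turns that binary into a privilege boundary, so it should only be done on a file nobody else can modify. The following Python is an added example, not part of jvpn, showing the checks a cautious user can run before applying the bit; the function names and the placeholder file it creates for the demo are this example's own.

```python
import os
import stat
import tempfile

# Added example, not jvpn code: only give a client binary such as ./ncsvc the
# suid bit when it is a plain file that nobody else can modify. A setuid binary
# others can write to is a local privilege escalation for its owner's account.

FIXABLE = {"group-writable", "world-writable"}  # jvpn itself fixes these with chmod go-w

def suid_problems(path):
    """Return the reasons why `path` should not get the suid bit (empty = ok)."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return ["file does not exist"]
    problems = []
    if stat.S_ISLNK(st.st_mode):
        problems.append("path is a symlink")
    elif not stat.S_ISREG(st.st_mode):
        problems.append("not a regular file")
    if st.st_mode & stat.S_IWGRP:
        problems.append("group-writable")
    if st.st_mode & stat.S_IWOTH:
        problems.append("world-writable")
    if not (st.st_mode & stat.S_IXUSR):
        problems.append("owner cannot execute it")
    return problems

def can_set_suid(path):
    """True when every problem found is one that set_suid() repairs itself."""
    return not (set(suid_problems(path)) - FIXABLE)

def set_suid(path, dry_run=False):
    """Strip go-w and add u+s; return the resulting permission bits.

    Raises PermissionError on any non-fixable problem. With dry_run=True the
    new mode is computed but not applied.
    """
    if not can_set_suid(path):
        raise PermissionError(f"refusing u+s on {path}: {', '.join(suid_problems(path))}")
    mode = stat.S_IMODE(os.lstat(path).st_mode)
    new_mode = (mode & ~(stat.S_IWGRP | stat.S_IWOTH)) | stat.S_ISUID
    if not dry_run:
        os.chmod(path, new_mode)
    return new_mode

def make_placeholder_binary(mode):
    """Create a constructed stand-in for a downloaded ncsvc with the given mode."""
    path = os.path.join(tempfile.mkdtemp(), "ncsvc")
    with open(path, "wb") as f:
        f.write(b"#!/bin/sh\nexit 0\n")  # placeholder content, not the real client
    os.chmod(path, mode)
    return path
```

Run set_suid() without dry_run as the user who owns the file (root, if the client was unpacked under sudo) to actually apply the bit.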

How it works
 1) The script connects to the VPN web portal with the provided user name and password.
 2) The script then handles the different authentication scenarios to obtain the DSID value.
 3) After obtaining the DSID value, the script gets the md5 fingerprint of the SSL
    certificate.
 4) If the VPN client is not installed, the script downloads and unpacks it.
 5) The script starts ncsvc and connects to the daemon (using a TCP socket to
    127.0.0.1:4242 in ncsvc mode, or the "ncui" wrapper in ncui mode).
 6) The script emulates the native GUI and passes the configuration data to the
    daemon. After this step the VPN should work.
 7) The script can optionally protect resolv.conf from dhcpd or Network Manager by
    setting the +i flag on it (disabled by default).
 8) On Ctrl+C the script sends the "Disconnect" command to the daemon and logs out
    of the web site.
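Steps 1 and 2 hinge on telling the possible login.cgi responses apart. As an added illustration (not jvpn's own code), here is that classification in Python, using the page markers jvpn.pl checks (passwordChange, id="DSIDConfirmForm", name="FormDataStr") and the DSID session cookie from Set-Cookie; the sample responses are constructed, and the order in which the checks are applied is this example's own choice.

```python
import re
from http.cookies import SimpleCookie

# Added example, not jvpn code: sort a login.cgi response into the scenarios
# jvpn has to handle on its way to a DSID (the session cookie the VPN client
# needs). Markers taken from jvpn.pl; the check order is an assumption.

def classify_login_response(set_cookie_headers, body):
    """Return (outcome, detail) for one login.cgi response.

    outcome: "password_change"  - policy demands a new password, cannot log in here
             "confirm_sessions" - other sessions are active; detail is the
                                  FormDataStr value to post back to continue
             "connected"        - DSID cookie issued; detail is its value
             "failed"           - none of the above (bad credentials, unknown page)
    """
    if "passwordChange" in body:
        return "password_change", None
    if 'id="DSIDConfirmForm"' in body:
        m = re.search(r'name="FormDataStr" value="([^"]+)"', body)
        return ("confirm_sessions", m.group(1)) if m else ("failed", "no FormDataStr")
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        if "DSID" in jar and jar["DSID"].value:
            return "connected", jar["DSID"].value
    return "failed", None

# Constructed sample responses (headers, body) standing in for real appliance pages.
SAMPLES = {
    "ok": (["DSID=0123456789abcdef; path=/; secure"], "<html>redirecting...</html>"),
    "busy": ([], '<form id="DSIDConfirmForm" method="post">'
                 '<input type="hidden" name="FormDataStr" value="v%3D1%26x%3Dy"></form>'),
    "expired": ([], '<p class="passwordChange">Your password has expired</p>'),
    "bad": ([], "<html>Invalid username or password.</html>"),
}

def demo():
    """Classify every constructed sample; returns {name: (outcome, detail)}."""
    return {name: classify_login_response(h, b) for name, (h, b) in SAMPLES.items()}
```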

Difference between mode=ncui and mode=ncsvc
By default jvpn works in ncsvc mode. This can be changed in jvpn.ini using the
"mode" configuration setting. In ncsvc (default) mode jvpn opens a TCP
socket to the ncsvc daemon and tries to establish the connection using its protocol.
In "ncui" mode jvpn tries to use the main() function of libncui.so, which in turn
calls ncsvc. If the default mode does not work for you, try "ncui" mode.
Please note that to use ncui mode you need gcc installed.

Scripting support
It is possible to run user-defined scripts on connect/disconnect events. To
use this functionality, define the script to run in jvpn.ini
using a script=<scriptname> line. The script should be an executable file.
The list of pre-defined variables and a sample route table modification can be
found in scripts/sample-script.sh.

Different ways to provide password
By default jvpn asks for the password on startup. It is also possible to define
the password in the configuration file or to use an external program to provide
the password/token. To store the password in the configuration, use
"password=plaintext:mypassword" in the ini file. To use an external script, use
"password=helper:scripts/script.sh". The helper script should print the password
to stdout. If it is called a second time (some VPN servers request additional
tokens), jvpn defines the OLDPIN variable containing the first token code. See
scripts/stoken.sh for an example of "stoken" integration.
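The helper contract described above (an executable that prints the secret to stdout, called again with OLDPIN when the server wants a second token), written in Python as an added example rather than jvpn's code. It accepts the same plaintext:/helper:/interactive forms; that OLDPIN reaches the helper as an environment variable, and the throwaway helper script built for the demo, are this example's assumptions.

```python
import getpass
import os
import stat
import subprocess
import tempfile

# Added example, not jvpn code: resolve a jvpn.ini "password=" value.
#   interactive         -> ask on the terminal
#   plaintext:<secret>  -> literal value from the ini file
#   helper:<script>     -> run the executable, take its stdout
# On a second call (extra token requested) the first code is exported to the
# helper as OLDPIN; passing it via the environment is an assumption here.

def is_valid_password_spec(spec):
    """Same shape check jvpn applies: interactive, helper:..., plaintext:..."""
    return spec == "interactive" or spec.startswith(("helper:", "plaintext:"))

def resolve_password(spec, previous_token=None, prompt=getpass.getpass):
    """Return the secret selected by `spec`; raise on a bad spec or helper."""
    if not is_valid_password_spec(spec):
        raise ValueError(f"password is set incorrectly ({spec}), check jvpn.ini")
    if spec == "interactive":
        return prompt("Enter PIN+password: ")
    if spec.startswith("plaintext:"):
        return spec[len("plaintext:"):]
    script = spec[len("helper:"):]
    if not os.access(script, os.X_OK):  # Perl's -x test
        raise FileNotFoundError(f"password helper {script} not found or not executable")
    env = dict(os.environ)
    if previous_token is not None:
        env["OLDPIN"] = previous_token
    out = subprocess.run([script], env=env, capture_output=True, text=True, check=True).stdout
    return out[:-1] if out.endswith("\n") else out  # Perl chomp: drop one trailing newline

# Constructed demo helper: prints a fixed first code, and a derived second code
# once OLDPIN is set. A real helper would call stoken or pop up a dialog.
DEMO_HELPER = """#!/bin/sh
if [ -n "$OLDPIN" ]; then echo "next-after-$OLDPIN"; else echo "123456"; fi
"""

def write_demo_helper():
    """Write DEMO_HELPER to a temp dir as an executable file and return its path."""
    path = os.path.join(tempfile.mkdtemp(), "helper.sh")
    with open(path, "w") as f:
        f.write(DEMO_HELPER)
    os.chmod(path, stat.S_IRWXU)
    return path
```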

Host checker support
In version 0.7.0 it is possible to run Host Checker using the "hostchecker=1"
setting in jvpn.ini. Host Checker is used to perform checks on endpoint computers
that connect to the VPN device to make sure the endpoints meet certain security
requirements. If Host Checker support is enabled, jvpn tries to run tncc.jar using
Java, as the web browser applet does. A JRE needs to be installed to support this
feature. It is recommended to enable it only if you are unable to connect without
Host Checker running.

Bugs and debugging
This script was written without any documentation, using only Wireshark and a
debugger. It is very likely that it has bugs or will not work correctly for
you. If you need support, enable debug and send me all the information.
Script debug output is written to stdout and the daemon log is written to the
~/.juniper_networks/network_connect/ncsvc.log file.

License
The author has placed this work in the Public Domain, thereby relinquishing
all copyrights. Everyone is free to use, modify, republish, sell or give away
this work without prior consent from anybody.

This software is provided on an "as is" basis, without warranty of any
kind. Use at your own risk! Under no circumstances shall the author(s) or
contributor(s) be liable for damages resulting directly or indirectly from
the use or non-use of this software.

Author
Alex Samorukov, [email protected]


jvpn's Issues

Error connecting to 127.0.0.1:4242 : Connection refused at ./jvpn.pl line 760.

Enter username: username
Enter PIN+password: *****************
Transfer went ok
socket opened
TCP Connection to the tncc.jar process established.
Sending data to tncc... [done]
Got DSID
Certificate fingerprint: [d8cb922c47cff3b1cf7480b7844653b]
Error connecting to 127.0.0.1:4242 : Connection refused at ./jvpn.pl line 760.

String Unpack Crash

After successfully connecting to my VPN, occasionally the connection will die with the following error: 'x' outside of string in unpack at ./jvpn.pl line 556..

Ultimately, it is not a show stopper issue because I can always restart the connection. It is just a nuisance.

Failed to get DSID

getting the below error.

Enter PIN+password: *********
Transfer went ok
Got DSID
Unable to get DSID, exiting

Any way to debug this?

add support for password#2 field

    * Do not overwrite global password variable in run_pw_helper().
    * Print a helpful error message if executing a helper script for passwords failed.
    * Print a helpful error message if the SSL-VPN appliance is requesting that the password be changed before login.
    * Allow usage of the password#2 field (usually via a helper script that pops up a kdialog or similar asking for the next token code).


diff --git a/jvpn.pl b/jvpn.pl
index 1f42ef3..8a2f270 100755
--- a/jvpn.pl
+++ b/jvpn.pl
@@ -54,8 +54,10 @@ my $verifycert=$Config{"verifycert"};
 my $mode=$Config{"mode"};
 my $script=$Config{"script"};
 my $cfgpass=$Config{"password"};
+my $cfgpass2=$Config{"password2"};
 my $workdir=$Config{"workdir"};
 my $password="";
+my $password2="";
 my $hostchecker=$Config{"hostchecker"};
 my $tncc_pid = 0;
 
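Review bot: the new "password2" ini key declared here is not documented anywhere in this change; the README section "Different ways to provide password" and the sample jvpn.ini should get a line describing it (same interactive / plaintext: / helper: forms as "password"), otherwise nobody will find the feature.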
@@ -86,6 +88,14 @@ if(defined $cfgpass){
 }
 else { $cfgpass="interactive"; }
 
+if(defined $cfgpass2){
+       if($cfgpass2 !~ /^(interactive|helper:|plaintext:)/) {
+               print "Configuration error: password is set incorrectly ($cfgpass2), check jvpn.ini\n";
+               exit 1;
+       }
+}
+else { $cfgpass2="none"; }
+
 # set host checker mode
 $hostchecker=0 if !defined($mode);
 # set default url if needed
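Review bot: the error text in the new validation block says "password is set incorrectly" although it is $cfgpass2 that is being rejected; make it "password2 is set incorrectly" so the user knows which key to fix. Also, the default assigned when the key is absent is "none", but an explicit "password2=none" in jvpn.ini fails the ^(interactive|helper:|plaintext:) check; either accept "none" in the regex or state that the key must be left out to disable the field.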
@@ -153,11 +163,30 @@ elsif ($cfgpass =~ /^helper:(.+)/) {
        $password=run_pw_helper($1);
 }
 
+if ($cfgpass2 eq "none") {
+       $password2="";
+}
+elsif ($cfgpass2 eq "interactive") {
+       print "Enter token code: ";
+       $password2=read_input("password");
+       print "\n";
+}
+elsif ($cfgpass2 =~ /^plaintext:(.+)/) {
+       print "Using user-defined password#2\n";
+       $password2=$1;
+       chomp($password2);
+}
+elsif ($cfgpass2 =~ /^helper:(.+)/) {
+       print "Using user-defined script to get the password#2\n";
+       $password2=run_pw_helper($1);
+}
+
 my $response_body = '';
 
 my $res = $ua->post("https://$dhost:$dport/dana-na/auth/$durl/login.cgi",
        [ btnSubmit   => 'Sign In',
        password  => $password,
+       'password#2' => $password2,
        realm => $realm,
        tz   => '60',
        username  => $username,
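Review bot: the 'password#2' => $password2 form field is now posted on every login, including the default case where $cfgpass2 is "none" and the value is an empty string, so every existing user starts sending a field their appliance never saw before. Build the field list conditionally and add 'password#2' only when $cfgpass2 ne "none". Note also that the "interactive" branch prompts for the token code before the first request is made, whereas the existing challenge handling prompts only once the server has asked for it.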
@@ -281,6 +310,12 @@ if ($res->is_success) {
                        $narsocket->close();
                }
        }
+
+       if ($response_body =~ /passwordChange/) {
+               print "The password for the account needs to be changed due to server-side policy, use the web interface to change it.\n";
+               exit 1;
+       }
+
        # active sessions found
        if ($response_body =~ /id="DSIDConfirmForm"/) {
                $response_body =~ m/name="FormDataStr" value="([^"]+)"/;
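Review bot: /passwordChange/ is a bare substring match against the whole response body, so any page that merely mentions that token (a help link, a script name) aborts the login with exit 1; anchor the check on the form or element id the appliance actually uses, the way the active-session check right below keys on id="DSIDConfirmForm".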
@@ -689,12 +724,16 @@ sub parse_config_file {
 
 sub run_pw_helper {
        my $pw_script="";
+       my $pwd;
        ($pw_script) = @_;
        if (-x $pw_script){
-               $password=`$pw_script`;
-               chomp $password;
+               $pwd=`$pw_script`;
+               chomp $pwd;
+       } else {
+               print "Could not find password helper script ($pw_script), check jvpn.ini.";
+               exit 1;
        }
-       return $password;
+       return $pwd;
 }
 
 sub tncc_start {
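Review bot: the new error print in run_pw_helper has no trailing "\n", so the shell prompt lands on the same line, and because the branch is reached whenever -x is false the message should say "not found or not executable" rather than "Could not find". The helper path is still interpolated into backticks, i.e. run through the shell, so a helper: value containing spaces or shell metacharacters breaks; consider the list form of open with "-|" so the helper is executed without a shell. The $pwd rename itself is right: it stops the second call from clobbering the first password.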

add missing semicolon

diff --git a/jvpn.pl b/jvpn.pl
index addf344..1f42ef3 100755
--- a/jvpn.pl
+++ b/jvpn.pl
@@ -692,7 +692,7 @@ sub run_pw_helper {
        ($pw_script) = @_;
        if (-x $pw_script){
                $password=`$pw_script`;
-               chomp $password
+               chomp $password;
        }
        return $password;
 }

proper setting of suid flag on auto-downloaded ncsvc

    * Fix permissions on ncsvc and ncui before setting suid flag.
    * Set suid flag on ncsvc and ncui so running without root works on next execution.
    * Always compile ncui (but only fail on errors if mode=ncui).

diff --git a/jvpn.pl b/jvpn.pl
index af78e60..576aab0 100755
--- a/jvpn.pl
+++ b/jvpn.pl
@@ -368,21 +368,37 @@ if (!-e "./$mode") {
        if ($res->is_success) {
                print "Done, extracting\n";
                system("unzip -o ncLinuxApp.jar ncsvc libncui.so && chmod +x ./ncsvc");
+               system("chmod go-w ./ncsvc");
+               system("chmod ug+x ./ncsvc");
+               if( $> == 0 ) {
+                       system("chmod u+s ./ncsvc");
+               } else {
+                       printf "failed to chmod +s ncsvc (not running as root), please do this manually...\n";
+               }
+               if(!-e 'wrapper.c'){
+                       printf "wrapper.c not found in ".getcwd()."\n";
+                       printf "Please copy this file from jvpn distro and try again";
+               }
+               printf "Trying to compile 'ncui'. gcc must be installed to make this possible\n";
+               system("gcc -m32 -o ncui wrapper.c -ldl  -Wall >compile.log 2>&1 && chmod +x ./ncui");
+               if (!-e "./ncui") {
+                       printf("Error: Compilation failed, please compile.log\n");
+               }
+               else {
+                       printf("ncui binary compiled\n");
+                       system("chmod go-w ./ncui");
+                       system("chmod ug+x ./ncui");
+                       if( $> == 0 ) {
+                               system("chmod u+s ./ncui");
+                       } else {
+                               printf "failed to chmod +s ncui (not running as root), please do this manually...\n";
+                       }
+               }
                if($mode eq "ncui") {
                        if(!-e 'wrapper.c'){
-                               printf "wrapper.c not found in ".getcwd()."\n";
-                               printf "Please copy this file from jvpn distro and try again";
                                exit 1;
                        }
-                       printf "Trying to compile 'ncui'. gcc must be installed to make this possible\n";
-                       system("gcc -m32 -o ncui wrapper.c -ldl  -Wall >compile.log 2>&1 && chmod +x ./ncui");
                        if (!-e "./ncui") {
-                               printf("Error: Compilation failed, please compile.log\n");
                                exit 1;
                        }
-                       else {
-                               printf("ncui binary compiled\n");
-                       }
                }
        }
        else {
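Review bot: when wrapper.c is missing, the new block prints the two messages but then still runs the gcc command and reports "Compilation failed", so the user sees two contradictory diagnostics; skip the compile (and the chmod calls on ./ncui) when the file is absent. The message "Error: Compilation failed, please compile.log" is missing a verb ("please check compile.log"). And printf "wrapper.c not found in ".getcwd()."\n" passes the current directory as the printf format string, so a path containing '%' is mangled; use print here and for the other static messages, which need no formatting. The chmod go-w before chmod u+s is the right order and worth keeping.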

Wrong subroutine name is called when there is a request entering an additional PIN.

diff --git a/jvpn.pl b/jvpn.pl
index 947ebc4..7d46fd9 100755
--- a/jvpn.pl
+++ b/jvpn.pl
@@ -182,7 +182,7 @@ if ($res->is_success) {
                        print $1;
                        print "\n";
                        print "Enter challenge response: ";
-                       $password=read_password();
+                       $password=read_input("password");
                        print "\n";
                }
                # if password was specified in plaintext we should not use it 
@@ -191,7 +191,7 @@ if ($res->is_success) {
                        print "To continue, wait for the token code to change and ".
                        "then enter the new pin and code.\n";
                        print "Enter PIN+password: ";
-                       $password=read_password();
+                       $password=read_input("password");
                        print "\n";
                }
                elsif ($cfgpass =~ /^helper:(.+)/) {

tell user how NCSVC failed when status returned is "6e", if possible

    Show ncsvc error message when communication with daemon fails.

diff --git a/jvpn.pl b/jvpn.pl
index 947ebc4..1cef4f1 100755
--- a/jvpn.pl
+++ b/jvpn.pl
@@ -452,7 +452,8 @@ if($mode eq "ncsvc") {
        # exit on any other values
        
        if($status ne "6d") {
-               printf("Status=$status\nAuthentication failed, exiting\n");
+               printf("Status=$status\nError via IPC from ncsvc, exiting\n");
+               system("grep -B2 disconnecting ~/.juniper_networks/network_connect/ncsvc.log | tail -n 3");
                system("./ncsvc -K");
                exit(1);
        }
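Review bot: the grep ... | tail line hard-codes ~/.juniper_networks/network_connect/ncsvc.log and relies on the shell to expand "~", which depends on HOME as the script sees it (under sudo this may not be the invoking user's home), and the command's exit status is ignored, so a missing log just appends a grep error after the real message. Read the file from Perl using $ENV{HOME} (or the sudo user's home) and print the lines before "disconnecting" only when the file exists; the README's debugging section names the same path, so keep the two in sync.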

Error with tncc

Exception in thread "main" java.lang.NoClassDefFoundError: netscape/javascript/JSObject
        at com.neoteris.Logger.a(Unknown Source)
        at com.neoteris.Logger.a(Unknown Source)
        at com.neoteris.Logger.if(Unknown Source)
        at com.neoteris.Logger.log(Unknown Source)
        at net.juniper.tnc.NARPlatform.linux.LinuxNARlatform.logInfo(LinuxNARlatform.java:111)
        at net.juniper.tnc.HttpNAR.NARUtil.logInfo(NARUtil.java:59)
        at net.juniper.tnc.HttpNAR.HttpNAR.initialize(HttpNAR.java:193)
        at net.juniper.tnc.NARPlatform.linux.LinuxHttpNAR.main(LinuxHttpNAR.java:50)
Caused by: java.lang.ClassNotFoundException: netscape.javascript.JSObject
        at java.net.URLClassLoader$1.run(URLClassLoader.java:366)
        at java.net.URLClassLoader$1.run(URLClassLoader.java:355)
        at java.security.AccessController.doPrivileged(Native Method)
        at java.net.URLClassLoader.findClass(URLClassLoader.java:354)
        at java.lang.ClassLoader.loadClass(ClassLoader.java:425)
        at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:308)
        at java.lang.ClassLoader.loadClass(ClassLoader.java:358)
        ... 8 more

Jar can be found here
