|
12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182 |
- Juniper VPN Authenticator:
-
- This script authenticates with a Juniper VPN server to generate a session
- cookie (DSID), and then passes that cookie to a VPN client.
-
- Example usage with openconnect:
-
- ./juniper-vpn.py --host vpn.example.com --username joeuser --stdin DSID=%DSID% \
- openconnect --juniper %HOST% --cookie-on-stdin
-
- This will connect to vpn.example.com and prompt the user for a authentication
- password. Once authenticated, the session cookie will be passed to openconnect
- which will connect to the VPN. Note that because the DSID provides full access
- to the VPN, it can be easily passed via stdin to avoid having it show up
- in the process list.
-
- Juniper Networks Host Checker:
-
- A python module, tncc.py, is integrated with juniper-vpn.py and provides
- support for VPN sites which require a host checker step. It is currently only
- tested on a subset of sites and does not yet support sites that require
- periodic host checker updates.
-
- Command line options:
-
- juniper-vpn.py [-h HOST] [-u USERNAME] [-o OATH] [-c CONFIG] [-s STDIN] \
- <external program> <external program arguments...>
-
- -h --host
- VPN server to access. This option is required.
-
- -u --username
- Username to authenticate with. This option is required.
-
- -p --pass_prefix
- Optional, used for passwords composed of fixed prefix and variable postfix.
- This is fixed prefix part.
-
- -o --oath
- OATH key to use for OTP generation if required for authentication.
- Key should be in hex format.
-
- -c --config
- Config file. Rather than passing arguments on the command line,
- they can be contained within a config file. Command line arguments
- override config file options. See sample.cfg for documentation.
-
- -s --stdin
- Provide input to external program. This allows the cookie to be passed
- on stdin, avoiding having it appear in the process list. The string
- %DSID% will be replaced with the DSID cookie value. The string %HOST%
- will be replaced with the server hostname.
-
- <external program> <external program arguments...>
- Runs the external program with the supplied arguments when a cookie
- is generated. %DSID% in any argument is replaced with the DSID cookie
- value. %HOST% in any argument is replaced with the server hostname.
- If the external program returns a positive return code, it is assumed
- that a fatal error has occurred (such as bad command line arguments)
- and the script exits. If the external program returns -EPERM, it is
- assumed that the DSID is no longer valid and a new one is generated.
- For all other return codes, the external program is simply called again.
- An external program is required.
-
- Running without root or tun access:
-
- openconnect provides two options for running without any special permissions.
- The first option is to create a tun device in advance and configure permissions
- for user access.
-
- The second is to redirect the traffic for the tun device to an external program.
- This external program can then configure a user-level SOCKS proxy:
-
- ./juniper-vpn.py -c example.cfg -s DSID=%DSID% \
- openconnect --juniper %HOST% --cookie-on-stdin --script-tun \
- --script "tunsocks -D 1080"
-
- Both tunsocks and ocproxy can perform this role:
-
- http://github.com/russdill/tunsocks
- http://repo.or.cz/w/ocproxy.git
-
|