Home Verkennen Help
Registreren Inloggen
lkundrak
/
network-manager-openconnect
spiegel van git://github.com/lkundrak/network-manager-openconnect.git
Volgen 1
Ster 0
Vork 0
Bestanden Kwesties 0 Wiki
Aftakking: master
Aftakkingen Labels
network-mana...
/
auth-dialog
/
README

README 4.3 KB
Permalink Geschiedenis Ruwe

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495 
  1. <dcbw> dwmw2: that auth dialog does a shitload of work
    2. 

  2. 

  3. Indeed. But it's quite simple really.
    4. 

  4. 

  5. AnyConnect works over HTTPS; authentication is through HTTP forms and
    6. 

  6. POST responses. Once you've filled in the forms that the server demands,
    7. 

  7. you're rewarded with an HTTP cookie which is handed on to OpenConnect to
    8. 

  8. actually make the connection.
    9. 

  9. 

  10. The auth-dialog handles the arbitrary forms as the server presents them,
    11. 

  11. and spits out the cookie after a successful authentication. It's just a
    12. 

  12. really simple web-browser, effectively. (It has its own HTTP client
    13. 

  13. implementation instead of using libsoup because it needs to be able to
    14. 

  14. support certificates from a TPM, and to work around Cisco bugs).
    15. 

  15. 

  16. To make it slightly more fun, you have a *choice* of servers; an
    17. 

  17. AnyConnect VPN is provisioned with an XML file that gives various pieces
    18. 

  18. of configuration for the client. We ignore most of the XML file, except
    19. 

  19. the list of available VPN server addresses.
    20. 

  20. 

  21. So this is a brief flow of what the auth-dialog does...
    22. 

  22. 

  23.  1. Choose a server to connect to.
    24. 

  24. 

  25.     If we already have the XML configuration file for this VPN, you get
    26. 

  26.     to choose a server from the list. Otherwise, you only have the host
    27. 

  27.     that you configured in the VPN setup.
    28. 

  28. 

  29.     The auth-dialog will give you the choice of automatically connecting
    30. 

  30.     to the last server you used. It does so by storing the boolean
    31. 

  31.     'autoconnect' option, as well as the address of the last successful
    32. 

  32.     server, in "secrets" that NetworkManager stores for it, but which
    33. 

  33.     aren't actually used by OpenConnect itself at all.
    34. 

  34. 

  35.  2. (Offer your SSL certificate and) fill in all the forms it presents.
    36. 

  36. 

  37.     The server will present a sequence of forms which are filled in just
    38. 

  38.     like normal web forms. At this point, the auth-dialog is just acting
    39. 

  39.     like a really simple web browser. It uses the same trick with fake
    40. 

  40.     secrets to remember the answers for any multiple-choice selection,
    41. 

  41.     or input elements of type 'text'. Input elements of type 'password'
    42. 

  42.     are not currently saved, but probably should be.
    43. 

  43. 

  44.     The choices and input boxes that we fill in at this point may not be
    45. 

  45.     limited to *just* authenticating ourselves. You may also get to make
    46. 

  46.     choices which affect your resulting connectivity. Some networks
    47. 

  47.     offer the choice of full-tunnel or split-tunnel routing, IPv6 or
    48. 

  48.     Legacy-only connectivity, etc. (The routing configuration is not
    49. 

  49.     handled by the auth-dialog; that just manifests itself in the IP
    50. 

  50.     configuration which is given to OpenConnect by the server, much
    51. 

  51.     later when the connection is actually made.)
    52. 

  52. 

  53. (
    54. 

  54.  2½. Run the "Cisco Secure Desktop"[sic] trojan.
    55. 

  55. 

  56.     In some cases you are required to download a strange executable from
    57. 

  57.     the server and run it. It is supposed to perform various "checks" on
    58. 

  58.     your system and report its results to the server. The authentication
    59. 

  59.     sequence is kept in a holding pattern with HTTP refresh responses
    60. 

  60.     until the "trojan" has done its job.
    61. 

  61. 

  62.     Most people seem to bypass this crap and run a local tool of their
    63. 

  63.     own devising to report the "correct" results. It's just another
    64. 

  64.     simple HTTP POST, although the exact results that are expected may
    65. 

  65.     vary from one server/configuration to another.
    66. 

  66. 

  67.     Try not to think about it. It will only make you sad.
    68. 

  68. )
    69. 

  69. 

  70.  3. Note the 'webvpn' cookie.
    71. 

  71. 

  72.     Once authentication is complete, the server's HTTP response will
    73. 

  73.     include a 'webvpn' cookie.
    74. 

  74. 

  75.     This cookie is one of the three *real* secrets which are actually
    76. 

  76.     passed to OpenConnect to make the connection. The other two are
    77. 

  77.     the address of the server we finally ended up talking to (after
    78. 

  78.     the user's initial choice and any HTTP redirects), and a hash of
    79. 

  79.     the server's SSL certificate (to prevent MiTM attacks).
    80. 

  80. 

  81.  4. Check the XML configuration file.
    82. 

  82. 

  83.     With a successful authentication, we are *also* given the SHA1 of
    84. 

  84.     the current XML configuration for this VPN connection. If it differs
    85. 

  85.     from what we have, we are expected to fetch the new one. We store
    86. 

  86.     this, base64-encoded, in yet another fake "secret".
    87. 

  87. 

  88.  5. Dump all the "secrets" to NetworkManager.
    89. 

  89. 

  90.     Finally, we dump all the secrets to stdout so that NetworkManager can
    91. 

  91.     store them. Note that even on an *unsuccessful* attempt, we still
    92. 

  92.     output the secrets we do have. That includes the state of the
    93. 

  93.     "autoconnect" boolean option, for example, which would otherwise
    94. 

  94.     not get saved except on a successful connection.
    95. 

  95.