Recently I decided to move my home computer from Windows to Linux. The idea had been around for some time, fed by news from the front lines of resisting the voluntary-compulsory installation of Windows 10 and by thoughts about the inevitable obsolescence of the "seven", as happened with XP, but the trigger was the release of the next Ubuntu LTS. The main motive for the switch, I would say, was simple curiosity: the home computer is used mostly for entertainment, and getting acquainted with a new OS is entertainment no worse than any other, and useful for broadening one's horizons at that. Canonical's distribution was chosen simply as the most popular one: I consider that an important help when first getting to know a system.
Fairly quickly I found from my own experience that Ubuntu is perfectly fine for cats and movies. But since the computer is also used for remote work, what still stood in the way of dropping Windows was a working connection to the Cisco VPN with eToken authentication.
A set of programs
It was clear that the connection would need at least a token driver and some VPN client. Searching the web produced the following list:
- OpenConnect - a VPN client that is, "entirely by coincidence", compatible with Cisco AnyConnect servers
- GnuTLS - a free implementation of the TLS and SSL protocols. Importantly, this library ships the p11tool utility for working with smart cards.
- SafeNet Authentication Client - a set of drivers and additional utilities for working with eToken electronic keys
Since OpenConnect needs the URL of the client certificate, which p11tool can obtain, and both programs need a driver to talk to the smart card, let's begin by installing that driver.
Installing an eToken Client
As reasonably noted in the article about setting up eToken in Ubuntu 12.04, the link to the SafeNet Authentication Client is practically a secret. At the same time, a more recent article describing the same kind of fiddling, this time on 14.04, turned up with a live link to the distribution somewhere in the Brazilian branch of SafeNet. Even more interesting, the same server hosts a file with the current client version, 9.1, which, hooray, does not require outdated libraries. The proper way to obtain the client is, of course, to contact your key supplier.
Now the SafenetAuthenticationClient-9.1.7-0_amd64.deb package (or SafenetAuthenticationClient-9.1.7-0_i386.deb for 32-bit systems) is installed simply by double-clicking it in the file manager. But when work on this article began, a bug in Ubuntu Software that broke installation of third-party packages had not yet been fixed, so instructions were written for downloading and installing the client from the console:
wget --user-agent="Mozilla" http://www.proteq.com.br/download/sac/sac9.1_linux.zip
Upon successful installation, the SafeNet Authentication Client Tools application appears in the Applications menu.
Install and configure GnuTLS
The first of these articles was very useful to me as a whole, but for one line I am especially grateful to the author. Here it is:
pkcs11-tool --module /usr/lib64/libeTPkcs11.so -L
The fact is that at one point I was completely stuck, not understanding why the token was visible from the native client but not via p11tool. It was from this line that I learned where the actual driver lives. Knowing the path to the driver, we install and configure GnuTLS according to the instructions.
sudo apt install gnutls-bin
sudo mkdir -p /etc/pkcs11/modules
# p11-kit loads the token driver from a .module file in this directory
echo 'module: /usr/lib/libeTPkcs11.so' | sudo tee /etc/pkcs11/modules/eToken.module
Now any application that uses GnuTLS can work with the token, and we can use p11tool to find the URL of our certificate.
Read token data
You can list the certificates that are in the token by the following command:
p11tool --login --list-certs 'pkcs11:model=eToken'
The p11tool output looks like this:
Object 0:
    URL: pkcs11:model=eToken;manufacturer=SafeNet%2c%20Inc.;serial=99999999;token=Username;id=%XX%XX;object=%7bXXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX%7d;type=cert
    Type: X.509 Certificate
    Label: {XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}
    ID: XX:XX
Object 1: ...
There may be several certificates, and one specific certificate is required for the connection. In the instructions for p11tool from OpenConnect, the advice for this situation is to try each one in turn. To match a certificate with its URL, I put together a small script that prints both the URL and the textual contents of each certificate:
sudo apt install openssl
Here, in a loop over the object URLs, p11tool --info prints the certificate data in its own view, and p11tool --export sends the certificate as a PEM file to the input of openssl, which prints the textual representation. For OpenConnect we need the one whose text contains the "Client Authentication" string; remember its URL. In addition, if the server uses a self-signed certificate, also note the URL of the object carrying the flag CKA_CERTIFICATE_CATEGORY=CA.
We export the certificate authority's certificate to a file (the full URL is not required; it is enough that the attributes given uniquely identify the object):
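The script itself is not reproduced on the page, so here is an added example of one, written by the editor rather than taken from the article: it does what the paragraph describes and additionally marks the object whose Extended Key Usage names client authentication. It assumes gnutls-bin and openssl are installed and the eToken module is registered under /etc/pkcs11/modules as configured above; the function names extract_cert_urls, is_client_auth_cert, show_cert and inspect_token are my own.

```shell
#!/bin/sh
# Added example, not the original article's script: walks every certificate
# object on the token, shows p11tool's view and openssl's text dump of each,
# and flags the one whose Extended Key Usage lists client authentication.
# Assumes gnutls-bin and openssl are installed and the eToken driver is
# registered in /etc/pkcs11/modules as shown above.
TOKEN_FILTER='pkcs11:model=eToken'   # same filter the article passes to p11tool

# Print only the "URL:" values from p11tool --list-certs output (read on stdin).
extract_cert_urls() {
    sed -n 's/^[[:space:]]*URL:[[:space:]]*//p'
}

# Exit 0 when an "openssl x509 -text" dump (stdin) carries the client-auth EKU,
# i.e. the "Client Authentication" string the article tells us to look for.
is_client_auth_cert() {
    grep -q 'TLS Web Client Authentication'
}

# For one object URL: p11tool's own summary, then the decoded certificate.
show_cert() {
    url=$1
    echo "==== $url"
    # --info is where the CKA_CERTIFICATE_CATEGORY=CA flag of a CA cert shows up
    p11tool --login --info "$url"
    dump=$(p11tool --login --export "$url" | openssl x509 -noout -text)
    echo "$dump"
    if echo "$dump" | is_client_auth_cert; then
        echo ">>> client authentication certificate: use this URL with openconnect --certificate"
    fi
}

# Enumerate the token; URLs are percent-encoded, so plain word splitting is safe.
inspect_token() {
    for url in $(p11tool --login --list-certs "$TOKEN_FILTER" | extract_cert_urls); do
        show_cert "$url"
    done
}

# Only touch the token when explicitly asked, so the functions can be sourced.
if [ "${1:-}" = "--run" ]; then
    inspect_token
fi
```

Run it as `sh inspect-token.sh --run` with the token inserted; p11tool prompts for the PIN on each --login call.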
p11tool --export 'pkcs11:model=eToken;...' > CA.pem
Finally OpenConnect
Install:
sudo apt install openconnect
The minimum set of arguments for the connection is given in the following command:
sudo openconnect --certificate 'pkcs11:model=eToken;id=%XX%XX' your.vpn.server.com
If the server uses a self-signed certificate, OpenConnect run in this form will ask whether we trust the server, and in any case the terminal window stays occupied. So let's extend the command a little:
sudo openconnect --certificate 'pkcs11:model=eToken;id=%XX%XX' --cafile=CA.pem --background --pid-file=connect.pid your.vpn.server.com > connect.log
With cafile we specified the certificate authority's certificate, so there will be no more question about trusting the server. The background option speaks for itself, and pid-file lets you name the file in which the background process ID is stored. The token's PIN can also be given directly in the URL via the pin-value attribute. But that is somewhat ... unsafe: the URL is a command-line argument, so the PIN would end up visible in the process list and in the shell history.
The background process is stopped correctly with the following command:
sudo kill --signal SIGINT $(< connect.pid)
On SIGINT, OpenConnect terminates the connection cleanly; if the connection is cut off "hard", there may be problems on the next connection. Although I did not have any.
Afterword
The task is solved, and I happily use Remmina for remote access, launching it right after connecting to the VPN by adding the following commands to the OpenConnect startup script:
cd ~
remmina --connect=./.remmina/myconnection.remmina
True, I had to disable clipboard synchronization, otherwise it does not work in some applications on the remote machine, and enable the "Disable tray icon" setting, otherwise a new icon is added to the tray on every connection. Also, changing to the home directory before calling Remmina is no accident: the application simply does not see the path ~/.remmina/myconnection.remmina, and specifying the full path with the user name in it seems wrong to me.
I will not draw conclusions about the suitability of Linux for home use; for now it is enough for me, and the article is written as a plain HowTo.
PS: The final choice of Ubuntu version was influenced by the solution to this very problem: in OpenConnect version 5, the one shipped with Ubuntu 14.04, a bug was found that prevented the connection from being established. For the sake of OpenConnect version 7, free of that bug, I installed the possibly still raw 16.04.
References to the materials used:
- HowTo: Internet banking for legal entities using Aladdin eToken in Linux (Ubuntu)
- Install SafeNet eToken PRO on Ubuntu 14.04 LTS
- Invoking p11tool (GnuTLS manual)
- OpenConnect: Smart Card / PKCS#11 support