{ "info": { "author": "Ralf Schlatterbeck", "author_email": "rsc@runtux.com", "bugtrack_url": null, "classifiers": [ "Development Status :: 3 - Alpha", "Intended Audience :: Developers", "Intended Audience :: Information Technology", "Intended Audience :: Science/Research", "Intended Audience :: System Administrators", "License :: OSI Approved :: BSD License", "Operating System :: POSIX :: Linux", "Programming Language :: Python", "Programming Language :: Python :: 2.7", "Programming Language :: Python :: 3.4", "Programming Language :: Python :: 3.5", "Programming Language :: Python :: 3.6" ], "description": "=======\nSNX-VPN\n=======\n\nBy Ralf Schlatterbeck\n\nThis is a project to connect to a Checkpoint SSL-VPN from a Linux\nclient. The current version of checkpoint SNX (SSL Network Extender) for\nLinux no longer supports a command-line mode. The supported version\ninvolves a Browser with Java and is heavily dependent on the correct\nJava version and other configuration options in the Browser. Moreover it\nseems to only work with the Mozilla browsers (Firefox) not with others\nlike Chrome. Last not least Java and the Browser like to die frequently.\n\nThe current Checkpoint solution still depends on a command-line utility\ncalled ``snx`` that needs root privileges and is installed either via\nautomatic download (and install) from Java or by hand. The web-page for\nthe SSL-VPN usually supports download of the correct snx-version for\nthat endpoint for manual installation.\n\nIn the new solution the ``snx`` binary is called with the undocumented\n``-Z`` Option. In that mode it does not do the password negotiation\n(which is done via the browser) but is only used for setting up the VPN\nconnection.\n\nThis project is an attempt to duplicate the Browser-based login with a\nstandalone program (in python) to get rid of all the Java version and\nBrowser intergration headache. We still rely on the ``snx`` binary by\nCheckpoint which is called with the undocumented ``-Z`` option.\n\nSo far this is working for me with a Checkpoint SSL that uses username\nand password authentication and in addition a one-time password\ntransmitted via SMS to the telephone of the person trying to connect.\nIf you're using certificate-based login or other methods, this will\nprobably not work for you out-of-the-box but you may want to help me\nmake it work.\n\nInstall and Run\n---------------\n\nInstall via ``pip`` is the preferred way (replace ``pip`` with ``pip3``\nif you want to install for python3)::\n\n pip install snxvpn\n\nThe following dependencies are needed but should be picked up\nautomagically if you install via ``pip``:\n\n- Beautiful Soup version 4 (``python-bs4`` Debian package)\n- pycrypto (``python-crypto`` Debian package)\n\nAfter installation you should be able to run ``snxconnect --help`` to\nfind out about options. At least a host, and username must be given,\neither on the command-line via options or in a config file (see below).\n\nThe ``snxconnect`` program will currently create two files in the\ncurrent working directory where the program is started:\n\n- ``snxanswer``: The not-yet-reverse-engineered answer of Checkpoint's\n ``snx`` program to the caller, only created if the ``--debug`` option\n is given\n- ``$HOME/.snxcookies``: The cookies from the remote end in the format known\n from the perl LWP library (available in python as LWPCookieJar), this\n is only created if the ``--save-cookies`` option is given. The default\n cookie filename can be changed with the ``--cookiefile`` option.\n\nIf a cookie file is found, ``snxconnect`` tries to reconnect without\nasking for a password. This can be used if the connection has died\nprematurely before the connection time ran out. And, yes, it might be a\nsecurity risk to save cookies to disk, so you have to explicitly enable\nthis feature by setting ``save-cookies true`` in the config file or\ngiving the ``--save-cookies`` option. Note that the cookies of course\nonly have a limited lifetime and your connection isn't very secure if\nyou cannot be sure of the files on your disk. Moreover all users of the\ncurrent machine can access the VPN connection anyway.\n\nWhen you run Checkpoints ``snx`` for the first time with ``snxconnect`` it\ncreates an X-Windows popup that lets you confirm the server fingerprint.\nI've not seen this popup with the Java framework (but Java died several\ntimes during my first experiments which is one of the reasons I wrote\n``snxvpn``, so that might be the reason I hadn't seen the popup\nbefore). You have to confirm this popup. The server fingerprint is\nstored into a file with extension ``.db`` in ``/etc/snx``.\n\nFor configuration, ``snxconnect`` accepts a config file\n``$HOME/.snxvpnrc``. The options there are the command-line long options\n(obtained with --help) where a '-' is replaced with '_'. For\ncompatibility with ``.snxrc``, the keyword ``server`` is an alias for\n``host``. You can see which options were picked up from the config-file\nby specifying ``--help``, where defaults are displayed, the defaults\nfrom the config-file are displayed. Command-line options take precedence\nover config-file entries.\n\nIn addition a ``.netrc`` file is supported that can contain username and\npassword by host name. Note that storing long-term login credentials on\ndisk is a security risk. See the manual page for ``netrc`` for further\ndetails.\n\nTo install from source (from a ``git`` checkout) you need my\nsfreleasetools_ from Sourceforge. This adds the necessary ``Makefile``\nincludes to create the ``snxvpnversion.py`` from the git tag containing\nthe latest version number. You can either install sfreleasetools_ in a\nsibling directory of ``snxvpn`` called ``releasetools`` or set the\nenvironment variable RELEASETOOLS pointing to your cloned version.\nYou also need the ``rst2html`` command provided by ``docutils``, on\nDebian Linux you can obtain it by installing the ``python-docutils``\npackage.\n\nOnce this is installed, call ``make`` without arguments. This will\ncreate the ``snxvpnversion.py`` which is used by the ``setup.py``\nscript.\n\n.. _sfreleasetools: https://sourceforge.net/projects/sfreleasetools/\n\nOnce the snxvpnversion.py has been created, the ``snxvpn`` package can\nbe installed with normal::\n\n python setup.py install --prefix=/usr/local\n\n\nNotes on ``snx`` Installation\n-----------------------------\n\nFrom many posts on various mailinglists and forums, it is clear that\ninstalling ``snx`` isn't straightforward. You need some non-standard\nlibraries installed that ``snx`` needs to function. Moreover ``snx`` is\na binary for the ``i386`` architecture, not a modern 64-bit AMD/Intel\narchitecture. I can only give hints for Debian installation here but the\ngeneral steps will apply to other distributions, too.\n\nObtaining the snx binary in the first place can usually be achieved by\nconnecting via web-browser to the SSL-VPN site via the browser, log in\nand (in my installation here at least) look in the *Settings* (in german\n*Einstellungen*) menu for an entry native application settings or\nsimilar (german \"Native Anwendungseinstellungen bearbeiten\"). In this\nmenu I do have links for manual download of ``snx`` for Linux and\nMac-OS.\n\nFirst of all if you're on a 64-bit architecture (called ``amd-64`` at\nleast by Debian) you need to enable multi-architecture support with::\n\n dpkg --add-architecture i386\n apt-get update\n\nThen you need to install some packages that contain libraries needed by\n``snx``, notably:\n\n- ``libstdc++5:i386``\n- ``libxcb1:i386``\n- ``libaudit1:i386``\n- ``libgcc1:i386``\n- ``libxau6:i386``\n- ``libxdmcp6:i386``\n\nTo check if you have all necessary libraries, you can run ``ldd`` on the\n``snx`` binary (with sudo to root)::\n\n sudo ldd /usr/bin/snx\n\nThis should list a library file for each line and should not report any\nmissing libraries.\n\nSome Notes on the Mechanisms\n----------------------------\n\nThis section discusses some of the internals of how the ``snx`` program\nis called by the Java framework and ``snxconnect``.\n\nThe Login process via the browser is a standard login page with lots of\nJavascript and redirects. Passwords are sent in encrypted form to the\nVPN gateway. The encryption uses a 2048 bit RSA key and pads the\npassword with random data before encryption (this is *good*). During\nlogin the browser (or this program) picks up a lot of cookies and can\naccess necessary login information via Javascript. This information\nincludes:\n\n- RSA public key for the password encryption\n- Username to be passed to ``snx``\n- A one-time password (different from the one received via telephone) to\n be passed to ``snx``\n- Host name for TLS connection\n- Port for TLS connection\n- A server fingerprint\n\nAll these (except the RSA key) are passed to the ``snx`` program for\nestablishing the connection. The connection might use PPP internally as\nsome of the error messages (which are sent as part of the i18n info in\nJavascript and map the error codes of ``snx`` to human-readable\nmessages) suggest.\n\nIf you call ``snx`` with the undocumented ``-Z`` option by hand, it\nwill terminate immediately. It obviously has other checks in place if it\nis called \"correctly\". To call ``snx`` correctly with this option,\n``snx`` expects that standard input, output and error are UNIX pipes.\nOnly if something goes wrong and ``snx`` dies with an error-message,\nthese pipes are ever used. After startup, ``snx`` checks the existence\nof a logfile and creates it if it doesn't exist or is not locked by\nanother ``snx`` process. Then it creates some other lockfiles in\n``/etc/snx/tmp`` and then immediately forks a child process and lets the\nparent process terminate. This forking and terminating sends the child\nprocess to the background. The first step the child process does is\nclose the file-descriptors for standard input, output, and error.\n\nAfter this, ``snx`` opens and listens on a TCP socket on port 7776 on\nthe local machine. I haven't found options for telling ``snx`` to use\nanother port. The calling application (e.g., ``snxconnect`` or the\noriginal Java framework) is expected to pass the connection information\ndetailed above in an undocumented binary format. After that ``snx``\nestablishes a VPN connection and reports back with another blob of\nbinary information on the same socket. The socket must then be kept open\nby the calling application, otherwise ``snx`` terminates. It may well be\nthat ``snx`` accepts further commands on that socket, e.g., for renewing\nthe authentication after the VPN timeout has expired. We log the binary\ndata received on that socket to the file ``snxanswer`` if debugging is\nenabled.\n", "description_content_type": null, "docs_url": null, "download_url": "", "downloads": { "last_day": -1, "last_month": -1, "last_week": -1 }, "home_page": "https://github.com/schlatterbeck/snxvpn", "keywords": "", "license": "BSD License", "maintainer": "", "maintainer_email": "", "name": "snxvpn", "package_url": "https://pypi.org/project/snxvpn/", "platform": "Linux", "project_url": "https://pypi.org/project/snxvpn/", "project_urls": { "Homepage": "https://github.com/schlatterbeck/snxvpn" }, "release_url": "https://pypi.org/project/snxvpn/1.2/", "requires_dist": null, "requires_python": "", "summary": "Command-line utility to connect to a Checkpoint SSL VPN ", "version": "1.2" }, "last_serial": 3207808, "releases": { "1.0": [ { "comment_text": "", "digests": { "md5": "21a6b8b32fedb05015c9132239e371eb", "sha256": "82021f23e3b24c23706e0eb79081a3eff30c467cd313b9473fe9d49aeca18b11" }, "downloads": -1, "filename": "snxvpn-1.0.tar.gz", "has_sig": false, "md5_digest": "21a6b8b32fedb05015c9132239e371eb", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 13905, "upload_time": "2017-06-24T19:29:43", "url": "https://files.pythonhosted.org/packages/d0/24/060b2a40a85e9a1beca938c53da24ef2eb62d53b5e16b25b7c858e73b73c/snxvpn-1.0.tar.gz" } ], "1.1": [ { "comment_text": "", "digests": { "md5": "981aba8e6911b3003c51ab9c4eb02916", "sha256": "04dc1af016454e1bd91f6bc3e26ad8e726e8f48cc8672b21c8f8286572b54c79" }, "downloads": -1, "filename": "snxvpn-1.1.tar.gz", "has_sig": false, "md5_digest": "981aba8e6911b3003c51ab9c4eb02916", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 15328, "upload_time": "2017-07-05T05:42:10", "url": "https://files.pythonhosted.org/packages/9f/cf/84bff6c6887860a189be8002563fa1350be8bccd29bc45634a5e2028bb9e/snxvpn-1.1.tar.gz" } ], "1.2": [ { "comment_text": "", "digests": { "md5": "b4486e7d974112c905f2058d5801b454", "sha256": "76667903e5329f522c4b770054ecc273e22912d5cce27e004fcd8d15f0a98380" }, "downloads": -1, "filename": "snxvpn-1.2.tar.gz", "has_sig": false, "md5_digest": "b4486e7d974112c905f2058d5801b454", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 15519, "upload_time": "2017-09-27T17:30:33", "url": "https://files.pythonhosted.org/packages/87/6b/e8557ecb712351488f4d08d68a3e926c1b5f03aecadb6513c27979bb8dee/snxvpn-1.2.tar.gz" } ] }, "urls": [ { "comment_text": "", "digests": { "md5": "b4486e7d974112c905f2058d5801b454", "sha256": "76667903e5329f522c4b770054ecc273e22912d5cce27e004fcd8d15f0a98380" }, "downloads": -1, "filename": "snxvpn-1.2.tar.gz", "has_sig": false, "md5_digest": "b4486e7d974112c905f2058d5801b454", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 15519, "upload_time": "2017-09-27T17:30:33", "url": "https://files.pythonhosted.org/packages/87/6b/e8557ecb712351488f4d08d68a3e926c1b5f03aecadb6513c27979bb8dee/snxvpn-1.2.tar.gz" } ] }