@asarkar
Last active May 3, 2024 02:19
#!/bin/bash
# description: Cisco AnyConnect CSD wrapper for OpenConnect
# author: https://github.com/asarkar/
# gist: https://gist.github.com/asarkar/fb4452a4abdf9e4a9752a7d55d2cdc93
# connect: sudo openconnect --background \
#              --user=<username> \
#              --authgroup=1 \
#              --csd-user=<localhost username> \
#              --csd-wrapper=<script location on localhost> \
#              --os=mac-intel \
#              https://<server>[:port][/group]
# disconnect: sudo pkill openconnect
#             OR if you don't have pkill
#             sudo kill -SIGTERM $(ps aux | awk '/openconnect/ && !/awk/ {print $2}')

# The gateway base URL is taken from the openconnect command line, which sudo
# exposes to child processes as $SUDO_COMMAND. Without sudo it is unset and the
# script cannot know where to fetch the hostscan files from.
if [ -z "${SUDO_COMMAND+x}" ]; then
    printf "SUDO_COMMAND is not set: run openconnect via sudo so the gateway URL can be derived\n" >&2
    exit 1
fi
CMD=($SUDO_COMMAND)          # word-split on purpose: we want the individual arguments
URL=${CMD[@]: -1}            # last argument is https://<server>[:port][/group]
NUM_SLASH=$(echo "$URL" | awk -F/ '{print NF-1}')
if (( NUM_SLASH > 2 )); then # URL contains a group: strip it
    CSD_HOSTNAME=$(dirname "$URL")
else
    CSD_HOSTNAME=$URL
fi

# parse command line: openconnect invokes the wrapper as
#   <script> -ticket X -stub X -group X -certhash X -url X -langselen X
shift
URL=
TICKET=
STUB=
GROUP=
CERTHASH=
LANGSELEN=
while [ "$1" ]; do
    if [ "$1" == "-ticket" ];   then shift; TICKET=$1; fi
    if [ "$1" == "-stub" ];     then shift; STUB=$1; fi
    if [ "$1" == "-group" ];    then shift; GROUP=$1; fi
    if [ "$1" == "-certhash" ]; then shift; CERTHASH=$1; fi
    if [ "$1" == "-url" ];      then shift; URL=$1; fi
    if [ "$1" == "-langselen" ];then shift; LANGSELEN=$1; fi
    shift
done

# Platform-specific bits: hostscan architecture directory, an MD5 command whose
# output contains the bare hex digest, and the extended-regex flag for sed.
# Note that uname prints "Linux" with a capital L; a lowercase "linux)" pattern
# never matches, so the Linux branch was previously dead code.
case $(uname) in
    Darwin)
        ARCH="darwin_x64"
        MD5="md5 -rq"        # -q prints the digest only
        SED="sed -E"
        ;;
    Linux)
        ARCH=$(uname -m)
        if [[ "$ARCH" == "x86_64" ]]; then
            ARCH="linux_x64"
        else
            ARCH="linux_i386"
        fi
        MD5="md5sum"         # prints "<digest>  <file>"; grep below only needs the digest
        SED="sed -r"
        ;;
    *)
        printf "Unsupported platform: %s\n" "$(uname)" >&2
        exit 1
        ;;
esac

HOSTSCAN_DIR="$HOME/.cisco/hostscan"
LIB_DIR="$HOSTSCAN_DIR/lib"
BIN_DIR="$HOSTSCAN_DIR/bin"
# create dirs
for dir in "$HOSTSCAN_DIR" "$LIB_DIR" "$BIN_DIR"; do
    if [[ ! -d $dir ]]; then
        printf "Creating dir: %s\n" "$dir"
        mkdir -p "$dir"
    fi
done

# NOTE: curl -k disables TLS certificate verification. Everything fetched below
# is executed as the invoking user, so with -k anyone who can tamper with the
# network path can substitute the binaries. Keep -k only if the gateway's
# certificate genuinely cannot be validated; otherwise drop it, or point curl
# at the gateway's CA with --cacert instead.

# download manifest: one "file (<name>) md5 (<hash>)" line per hostscan file.
# Abort if it cannot be fetched; without it the rest of the script has nothing
# to work with and fails later with confusing sed/cstub "No such file" errors.
curl -kLsS "$CSD_HOSTNAME/CACHE/sdesktop/hostscan/$ARCH/manifest" -o "$HOSTSCAN_DIR/manifest" || exit 1

# strip the parentheses and keep fields 2 and 4: "<name> <hash>"
${SED} 's/\(|\)//g' "$HOSTSCAN_DIR/manifest" | cut -d " " -f 2,4 | \
while read -r line; do
    read -ra TOKENS <<< "$line"
    # download only if no cached copy has the MD5 listed in the manifest
    FOUND=$(find "$HOSTSCAN_DIR" -name "${TOKENS[0]}" -exec $MD5 {} \; | grep "${TOKENS[1]}")
    if [[ -z "$FOUND" ]]; then
        case "${TOKENS[0]}" in
            *.dylib|*.so|*.so.*) DEST_DIR="$LIB_DIR" ;;   # shared libraries
            *)                   DEST_DIR="$BIN_DIR" ;;   # everything else is executable
        esac
        FILE_URL="$CSD_HOSTNAME/CACHE/sdesktop/hostscan/$ARCH/${TOKENS[0]}"
        printf "Downloading %s to %s\n" "${TOKENS[0]}" "$DEST_DIR"
        # try the plain file first, then fall back to the .gz variant
        if curl -o /dev/null -ks --head --fail "$FILE_URL"; then
            curl -kLsS "$FILE_URL" -o "$DEST_DIR/${TOKENS[0]}"
        else
            curl -o - -kLsS "$FILE_URL.gz" | gunzip > "$DEST_DIR/${TOKENS[0]}"
        fi
    else
        printf "%s already exists\n" "${TOKENS[0]}"
    fi
done

chmod -R u+x "$BIN_DIR"
# cstub is the Cisco hostscan binary fetched above; its result goes back to the gateway
ARGS="-log error -ticket $TICKET -stub $STUB -group $GROUP -host $URL -certhash $CERTHASH"
rm -rf "$HOSTSCAN_DIR/log"
printf "Launching: %s/cstub %s\n" "$BIN_DIR" "$ARGS"
"$BIN_DIR/cstub" $ARGS   # $ARGS intentionally unquoted so it splits into separate arguments
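As an added example, not part of the gist: the two pieces of the wrapper worth checking offline are the gateway-URL derivation from the openconnect command line and the manifest-driven MD5 check that decides what gets downloaded. The functions below are my own rewrite of those steps as testable shell functions. They go a little beyond the wrapper: the URL helper also accepts a URL without a scheme, the manifest parser skips lines that do not have the expected shape or whose hash is not 32 hex digits, and the MD5 lookup works with md5sum, md5 or openssl. The manifest fixture in demo_verify is constructed to match the `file (name) md5 (hash)` layout the wrapper's sed/cut pipeline assumes; the names and hashes are made up, not Cisco's. One caveat on what this check buys you: matching the manifest MD5 detects a corrupted or stale cache, but since the manifest arrives over the same `curl -k` connection as the binaries, it is no defence against a network attacker who can serve both.

```shell
#!/bin/bash
# Added example, not part of the gist: testable versions of two wrapper steps.
#  - csd_base_url: gateway base URL from an openconnect command line
#  - manifest_verify: classify cached hostscan files against a manifest
# The fixture in demo_verify is constructed (made-up names and hashes).

# Print the gateway base URL from the words of an openconnect command line.
# The last word is the URL; a trailing "/group" component (and any trailing
# slash) is stripped. Works with or without a scheme prefix.
csd_base_url() {
    [ "$#" -gt 0 ] || return 1
    local url tail
    for url; do :; done            # portable way to take the last argument
    url="${url%/}"                 # drop a trailing slash
    tail="${url#*://}"             # host[:port][/group]
    case "$tail" in
        */*) printf '%s\n' "${url%/*}" ;;   # has a group: drop the last path component
        *)   printf '%s\n' "$url" ;;
    esac
}

# Print the lowercase hex MD5 of a file with whichever tool the platform has
# (md5sum on Linux, md5 on macOS, openssl as a fallback).
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d ' ' -f 1
    elif command -v md5 >/dev/null 2>&1; then
        md5 -q "$1"
    else
        openssl dgst -md5 "$1" | sed 's/^.*= //'
    fi
}

# Read "file (<name>) md5 (<hash>)" lines on stdin and print "<name> <hash>"
# pairs with the hash lowercased. Lines that do not have that shape, or whose
# hash is not 32 hex digits, are skipped rather than handed to the downloader.
manifest_entries() {
    local kw1 name kw2 hash rest
    while read -r kw1 name kw2 hash rest; do
        [ "$kw1" = "file" ] && [ "$kw2" = "md5" ] || continue
        name="${name#(}"; name="${name%)}"
        hash="${hash#(}"; hash="${hash%)}"
        case "$hash" in *[!0-9a-fA-F]*) continue ;; esac
        [ "${#hash}" -eq 32 ] || continue
        printf '%s %s\n' "$name" "$(printf '%s' "$hash" | tr '[:upper:]' '[:lower:]')"
    done
}

# For every manifest entry, look for the file anywhere under the cache dir
# (the wrapper splits them into bin/ and lib/) and print one line per entry:
#   OK <name>       cached copy matches the manifest MD5
#   BAD <name>      cached copy exists but its MD5 differs (stale or tampered)
#   MISSING <name>  no cached copy; the wrapper would download it
manifest_verify() {
    local dir="$1" manifest="$2" name hash path
    manifest_entries < "$manifest" | while read -r name hash; do
        path="$(find "$dir" -type f -name "$name" 2>/dev/null | head -n 1)"
        if [ -z "$path" ]; then
            printf 'MISSING %s\n' "$name"
        elif [ "$(md5_of "$path")" = "$hash" ]; then
            printf 'OK %s\n' "$name"
        else
            printf 'BAD %s\n' "$name"
        fi
    done
}

# Constructed fixture: a throwaway cache with one good file, one mismatching
# file, one absent file, and two manifest lines that must be ignored.
# Prints the report; the temp dir is removed afterwards.
demo_verify() {
    local tmp
    tmp="$(mktemp -d)" || return 1
    mkdir -p "$tmp/bin" "$tmp/lib"
    printf 'hello\n' > "$tmp/bin/cstub"            # md5 b1946ac92492d2347c6235b4d2611184
    printf 'tampered\n' > "$tmp/lib/libcsd.dylib"  # will not match the manifest hash
    cat > "$tmp/manifest" <<'EOF'
file (cstub) md5 (B1946AC92492D2347C6235B4D2611184)
file (libcsd.dylib) md5 (d41d8cd98f00b204e9800998ecf8427e)
file (ciscod) md5 (0123456789abcdef0123456789abcdef)
this line is not a manifest entry
file (evil) md5 (not-a-hash)
EOF
    manifest_verify "$tmp" "$tmp/manifest"
    rm -rf "$tmp"
}

csd_base_url sudo openconnect --user=alice https://vpn.example.com/group   # https://vpn.example.com
demo_verify   # OK cstub / BAD libcsd.dylib / MISSING ciscod
```

Running the file prints the derived base URL followed by the three-line report; a BAD line is the case the wrapper silently handles by re-downloading, which is worth noticing if you did not expect the cache to change.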
@mcthomas

Hi there, I was hoping to find a script like this to satisfy my configuration, but I received this error after attempting to connect:

curl: (3) URL using bad/illegal format or missing URL
sed: /Users/Matt/.cisco/hostscan/manifest: No such file or directory
/Users/Matt/csd-wrapper.sh: line 117: /Users/Matt/.cisco/hostscan/bin/cstub: No such file or directory
HIP script '/Users/Matt/csd-wrapper.sh' returned non-zero status: 127
Creating SSL connection failed

Do you have any ideas? I already gave the script execution rights.

@asarkar

asarkar commented Oct 22, 2020

Hey @mcthomas
It seems like this line https://gist.github.com/asarkar/fb4452a4abdf9e4a9752a7d55d2cdc93#file-csd-wrapper-sh-L77 failed. You may want to enable verbose logging for curl and see what's going on.

I no longer use this script since IT has now enabled automatic session reconnect for the desktop installer, which is the gap this script used to fill.

@mcthomas

Thanks for the quick response. I'll see what I can do.

@dlenski

dlenski commented Feb 12, 2023

@mcthomas wrote:

> HIP script '/Users/Matt/csd-wrapper.sh' returned non-zero status: 127

This error message (HIP) suggests you're trying to use csd-wrapper.sh with a GlobalProtect VPN, which makes no sense. It's intended only to work with Cisco AnyConnect VPNs. See our upstream docs for the correct script to use with GP/HIP.

@mcthomas

mcthomas commented Feb 12, 2023

@dlenski

> @mcthomas wrote:
>
> > HIP script '/Users/Matt/csd-wrapper.sh' returned non-zero status: 127
>
> This error message (HIP) suggests you're trying to use csd-wrapper.sh with a GlobalProtect VPN, which makes no sense. It's intended only to work with Cisco AnyConnect VPNs. See our upstream docs for the correct script to use with GP/HIP.

Thank you for your response. I had moved past this issue, and I should’ve left an update here. But you are correct, thank you.

@yesuaambros

When I launch the script I get a message:
"cstub" will damage your computer. You should move it to the trash

And it does not let you continue, there is no option in "privacy and security" to activate the script as safe and allow its execution.

macOS version: Ventura 13.2.1

Is there a possibility to mark the script as safe for its execution?

Thank you so much

@JesonMars

JesonMars commented Apr 18, 2024

Hi, I run openconnect to the company AnyConnect gateway using the csd-wrapper.sh script, but got this error:

POST https://vpn.corp.xxxxx.com/
Connected to  xxxx:443

Connected to HTTPS on xxxvpn.corp.xxx.com with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA512)-(AES-256-GCM)
XML POST enabled
Trying to run CSD Trojan script '/Users/jackzhang/dev/xxx/fb4452a4abdf9e4a9752a7d55d2cdc93/csd-wrapper.sh'.
execute CSD script /Users/jackzhang/dev/xxx/fb4452a4abdf9e4a9752a7d55d2cdc93/csd-wrapper.sh failed
CSD script '/Users/jackzhang/dev/xxx/fb4452a4abdf9e4a9752a7d55d2cdc93/csd-wrapper.sh' returned non-zero status: 1
Authentication may fail. If your script is not returning zero, fix it.
Future versions of openconnect will abort on this error.

Does that mean I didn't define CSD_HOSTNAME?

Thank you so much
