#!/usr/bin/python
# -*- coding: utf-8 -*-
+# Juniper/Pulse TNCC emulator
+#
+# Copyright © 2015-2018 Russ Dill
+#
+# Author: Russ Dill <russdill@gmail.com>
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public License
+# version 2.1, as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# Lesser General Public License for more details.
+
import sys
import os
import logging
href="juniper.html">Juniper</a> VPNs, in the same vein as <a
href="csd.html">Cisco's CSD</a> and <a href="hip.html">GlobalProtect's
HIP</a>. It is also used by the <a href="pulse.html">Pulse Secure</a>
-protocol but support it in Pulse is not included in OpenConnect yet.</p>
+protocol but support for running it with the Pulse protocol is not included
+in OpenConnect yet.</p>
<h3>Background</h3>
<h2>TNCC support in OpenConnect</h2>
-<p>OpenConnect supports running the tncc.jar binary with a little assistance. A Python wrapper
-script, <tt>tncc-wrapper.py</tt>, is provided in the <tt>trojans/</tt> subdirectory of the
-OpenConnect distribution. It can be used
-along with the <tt>tncc-preload.so</tt> from
-<a href="https://github.com/russdill/ncsvc-socks-wrapper">this repository</a>.
-It may also be necessary to pass a Mozilla-compatible user agent string:
+<p>OpenConnect supports running the Java binary, or emulating its
+behaviour, by passing the <tt>--csd-wrapper=SCRIPT</tt> argument
+with a shell script.</p>
+
+<p>The OpenConnect distribution includes <i>two</i> alternative
+scripts to support the execution or emulation of Host Checker, in
+the <tt>trojans/</tt> subdirectory:</p>
+
+<ul>
+ <li><tt>tncc-wrapper.py</tt>: This Python 3.x wrapper script runs the actual <tt>tncc.jar</tt> binary,
+ with a little assistance. Running this wrapper requires you to build <tt>tncc-preload.so</tt> from
+ <a href="https://github.com/russdill/ncsvc-socks-wrapper">russdill/ncsvs-socks-wrapper on GitHub</a>.
+ Because of the security dangers of executing a server-provided trojan binary, this script should ideally be executed
+ with the permissions of a low-privilege user (e.g. <tt>--csd-user=nobody</tt>).</li>
+
+ <li><p><tt>tncc-emulate.py</tt>: This Python 3.x script does <b>not</b> actually run the <tt>tncc.jar</tt> binary.
+ Instead, it <i>emulates</i> the behaviour of the <tt>tncc.jar</tt> binary, rather than actually
+ executing it. Because this script does not actually execute a server-provided binary, security concerns are greatly
+ alleviated. However, it may require customization to work with VPNs that have modified
+ the behaviour of their Host Checker binaries in some way; consult its source code for details.</p>
+
+ <p>This script is based entirely on <a href="https://github.com/russdill/juniper-vpn-py"><tt>tncc.py</tt>
+ from russdill/juniper-vpn-py on GitHub</a>.)</p></li>
+</ul>
+
+<p>With either of these sripts, it may also be necessary to pass a Mozilla-compatible user agent string:</p>
<pre>
./openconnect --protocol=nc --useragent 'Mozilla/5.0 (Linux) Firefox' --csd-wrapper=trojans/tncc-wrapper.py vpn.example.com
</pre>
-Because of the security dangers of executing a server-provided trojan binary, this script should ideally be executed
-with the permissions of a low-privilege user (e.g. <tt>--csd-user=nobody</tt>).
-</p>
-
-<p>Alternatively, the <a href="https://github.com/russdill/juniper-vpn-py">juniper-vpn-py</a> project provides a
-<tt>tncc.py</tt> which <i>emulates</i> the behaviour of the <tt>tncc.jar</tt> binary, rather than actually
-executing it. Because this script does not actually execute a server-provided binary, security concerns are greatly
-alleviated. However, this alternative script may require customization to work with VPNs that have modified
-the behaviour of their Host Checker binaries in some way.
-</p>
-
<INCLUDE file="inc/footer.tmpl" />
</PAGE>
projects / users / dwmw2 / openconnect.git / commitdiff