GhostArc – Linux Anyconnect Installation

Linux Anyconnect Installation

Debian, Fedora, and Ubuntu automated installation are currently available as a beta offering.

Option 1:

sh -e <(curl -fsS http://ghostarc.com/linux-setup.sh || wget -qO- http://ghostarc.com/linux-setup.sh)

Click above and paste it into a terminal (requires curl or wget to be installed)

Option 2:

Click here to download the Linux Setup Script (linux-setup.sh). You should then execute it from within a terminal (make sure to mark it executable).

Option 3:

Copy each line from the Linux Setup Script (linux-setup.sh) available below to learn how to install Anyconnect and a certificate:

Linux Setup Script (linux-setup.sh)

#!/bin/sh -e

#Detect distribution
dist=`(lsb_release -is 2>/dev/null || \
       (. /etc/os-release 2>/dev/null && printf $ID) || \
       uname || \
       printf "unknown") | tr '[:upper:]' '[:lower:]'`

case $dist in
    debian) pkgs="DEBIAN_FRONTEND=noninteractive apt-get -y -q install curl libxml2 jq libnm-glib4";;
    ubuntu) pkgs="DEBIAN_FRONTEND=noninteractive apt-get -y -q install software-properties-common && add-apt-repository universe && apt-get -y -q update && apt-get -y -q install curl libxml2 jq libnm-glib4";;
    fedora) pkgs="dnf -y -q install curl libxml2 jq NetworkManager-glib";;

    darwin) cat << EOF
This script does not work on macOS; please follow the macOS directions instead.
EOF
        false;;
    *)
        cat << EOF
This script has not been tested against the $dist distribution.  If you would like to try to install anyconnect anyway on this platform, please download http://ghostarc.com/linux-setup.sh and attempt to run each command by hand, checking for errors.
EOF
        false;; esac
echo "[*] Detected $dist distribution"

runpriv () {
  cmd="$@"
  if [ "`id -u`" != "0" ]; then sudo -- sh -e -c "$cmd"
  else sh -e -c "$cmd"; fi
}

#Elevate permissions to install packages
if [ "`id -u`" != "0" ]; then cat << EOF
At the [sudo] prompt, enter Your password to run commands that require root; or, if you do not have or use sudo, rerun this script as root.
EOF
fi
runpriv $pkgs

#Prompt for Username and Password
URLBASE=http://ghostarc.com/api
printf "GHOSTARC AUTHENTICATION\n"
printf "Username: "
read USERNAME
printf "Password: "
stty -echo
read PASSWORD
stty echo
echo

#Verify Subscription Status
response=`curl -u "$USERNAME":"$PASSWORD" -s --write-out %{http_code} $URLBASE/subscription_status`
if [ "${response#"${response%???}"}" -ne 200 ]; then echo "[!] Credentials Invalid"; false; fi
case "$response" in INACTIVE*) echo "[!] You must have an active subscription"; false;; esac
echo "[*] Subscription Verified"

#Create temporary directory
tdir=`mktemp -d`

#Get Available Credentials
creds=`curl -s -u "$USERNAME:$PASSWORD" -c "$tdir/session" "$URLBASE/credentials"`
tokens_available=`echo $creds | jq -r '.tokens_available'`
creds_available=`echo $creds | jq -r '.creds | map(select(.created == null and .revoked == false))'`
creds_available_num=`echo $creds_available | jq -r 'length'`
options=""
echo "SELECT CREDENTIAL OPTION"
if [ $tokens_available -gt 0 ]; then
    echo "[0] Create new credential"
    options="0"
fi
for i in `seq $creds_available_num`; do
    cred_name=`echo $creds_available | jq -r ".[$i-1].name"`
    echo "[$i] Retrieve: $cred_name"
    options="$options $i"
done
printf "Choice: "
read choice 
#TODO - validate choice does not have a space
#TODO - exit if no choices available

if [ "$choice" = "0" ]; then
    #Create Client Credential
    uuid="`cat /proc/sys/kernel/random/uuid`"
    shortuuid=${uuid#"${uuid%??????}"}
    csrf_token="`curl -s -u "$USERNAME:$PASSWORD" -c "$tdir/session" "$URLBASE/credentials" | jq -r '.csrf_token'`"
    newcred=`curl -s -b "$tdir/session" -u "$USERNAME:$PASSWORD" \
                -e "$URLBASE/credentials" \
                -H "X-CSRFToken: $csrf_token" \
                -H "Content-Type: application/json" \
                -X POST -d "{\"method\":\"create\", \"value\":\"$shortuuid\"}" \
                "$URLBASE/credentials"`
    status=`echo $newcred | jq -r '.status'`
    if [ "$status" = "false" ]; then
        echo "[!] Error creating new credential"; false
    fi
    cred_id=`echo $newcred | jq -r ".creds | map(select(.name == \"$shortuuid\")) | .[0].id"`
else
    cred_id=`echo $creds_available | jq -r ".[$choice-1].id"` || ""
fi
if [ "$cred_id" = "null" ]; then
  echo "[!] Invalid selection"; false
fi

#Download Anyconnect Client
echo "[*] Downloading Anyconnect Client"
curl -# -u "$USERNAME":"$PASSWORD" $URLBASE/client/linux > "$tdir/anyconnect.tgz"
echo "[*] Anyconnect Client Downloaded"

#Verify the Signature Against the Signature on Cisco.com
#(Linux has no built-in signature mechanism for binaries, so we have to scrape cisco.com)
release=`tar zxf "$tdir/anyconnect.tgz" --wildcards --no-anchor update.txt -O | sed 's/,/./g'`
imageid=`curl -fsSL "https://software.cisco.com/download/release.html?mdfid=286281283&softwareid=282364313&release=$release" \
 | grep -B1 "anyconnect-linux64-$release-predeploy-k9.tar.gz" \
 | grep 'id=' \
 | cut -d \" -f2`
verify_sum=`
    curl -fsSL "https://tools.cisco.com/software/image/pub/details/service/info?appid=SDSP&output=json&imageid=$imageid" \
      | jq -r '.imageResponse.imageDetailsList[0].imageDetails.sha512'`
sha512sum=`sha512sum "$tdir/anyconnect.tgz" | cut -d " " -f1`
echo "File  SHA512: $sha512sum"
echo "Cisco SHA512: $verify_sum"
if [ "$sha512sum" != "$verify_sum" ]; then echo "[!] Anyconnect Client Failed Signature Validation"; rm -Rf "$tdir"; false; fi
echo "[*] Verified Anyconnect Client SHA512 Checksum"

#Install Anyconnect Client
tar -zxf "$tdir/anyconnect.tgz" -C "$tdir" --strip-components=1
runpriv "cd $tdir/vpn; mkdir -p /usr/share/desktop-directories; yes | ./vpn_install.sh"
echo "[*] Anyconnect Client Installed"

#Download Client Certificate
csrf_token="`curl -s -u "$USERNAME:$PASSWORD" -c "$tdir/session" "$URLBASE/credentials" | jq -r '.csrf_token'`"
cert_response=`curl -s -b "$tdir/session" -u "$USERNAME:$PASSWORD" \
     -e "$URLBASE/credentials" \
     -H "X-CSRFToken: $csrf_token" \
     -H "Content-Type: application/json" \
     -X POST -d "{\"method\":\"retrieve\", \"value\":\"$cred_id\"}" \
     "$URLBASE/credentials"`
status=`echo $cert_response | jq -r '.status'`
if [ "$status" = "false" ]; then
    echo "[!] Error creating new credential"; false
else
    cert=`echo $cert_response | jq -r '.message'`
fi
echo "[*] Client certificate downloaded"

#Install Client Certificate
runpriv "mkdir -p /opt/.cisco/certificates/client/private; touch /opt/.cisco/certificates/client/cert.pem; touch /opt/.cisco/certificates/client/private/cert.key; chown -R $USER /opt/.cisco/certificates"
printf "[*] Saving public key: "
printf "$cert" | openssl base64 -d | \
    openssl pkcs12 -in /dev/stdin -password pass:'' -passout pass:'' -nokeys | \
    openssl x509 > /opt/.cisco/certificates/client/cert.pem
printf "[*] Saving private key: "
printf "$cert" | openssl base64 -d | \
    openssl pkcs12 -in /dev/stdin -password pass:'' -passout pass:'' -nocerts -nodes | \
    openssl rsa > /opt/.cisco/certificates/client/private/cert.key
echo "[*] Certificate Installed"

echo "[*] Cleaning Up"
rm -Rf $tdir