
I have to re-login to my VPN every time I leave my desk, and it is tedious. I am trying to pass the shell the info but it doesn't get it in the right order. The order is "try to openconnect, enter sudo pw if needed, then username, then password". pexpect would be good, since it can tell if you need your sudo password or not, but isn't working:

```python
#!/usr/bin/env python
# coding: utf-8

import time
import pexpect

from my_scripting_library import *  # supplies sudopw and vpnpw

child = pexpect.spawn('sudo openconnect vpn.com')

# send sudo pw (expecting '.*' matches whatever output is there, not the sudo prompt specifically)
child.expect('.*')
child.sendline(sudopw)

# send username
child.expect('.*')
child.sendline('cchilders')

# send work pw
child.expect('.*')
child.sendline(vpnpw)
time.sleep(150)
```

Here is what it looks like when I perform these steps manually:

```text
cchilders:~/scripts/work_scripts [master]$ sudo openconnect vpn.com
[sudo] password for cchilders: 
POST https://vpn.com
Attempting to connect to server 555.555.55.55:555


Please enter your username and password.
Username:
Password:
```

When I try to feed my sudo password by shell like I have before, the VPN times out and says

```text
SSL negotiation with vpn.com

Server certificate verify failed: certificate does not match hostname
```

I use

```sh
alias vpn='echo $MYPW | sudo -S openconnect vpn.com'
```

How can I send my sudo password, then my username, then my VPN password all in a row from a shell/python script? Thank you

codyc4321

  • If you already have sudo access, edit your sudoers file (with `visudo`) so you don't have to provide a password for that command: the line will be something like `codyc4321 your_hostname = NOPASSWD: /full/path/to/openconnect` – glenn jackman Feb 02 '16 at 17:04
  • related: [Using sudo with Python script](http://stackoverflow.com/q/13045593/4279) – jfs Feb 02 '16 at 21:28

1 Answer

Both openconnect and sudo can take password on standard input. So how to do both? Create a script:

```sh
#!/bin/sh
# vpn.sh: read the VPN password from a protected file and hand it to openconnect on stdin
password=$(cat /my/very/secure/vpn/password.txt)
echo "$password" | /usr/sbin/openconnect --user codyc4321 --passwd-on-stdin vpn.com
```

Now, call the script with sudo:

```sh
# -S makes sudo read its password from stdin; vpn.sh then reads the VPN password from its own file
pw=$(cat /my/very/secure/sudo/password.txt)
echo "$pw" | sudo -S ./vpn.sh
```

It goes without saying that passwords stored in text files are dangerous and need to be protected with proper ownership and permissions. Removing the password requirement from sudo as mentioned in the comments would mitigate half the risk, being able to connect to the VPN with a certificate would get rid of the rest.

Edit to add that you are misusing pexpect by telling it to expect .* for all situations. How will it tell if the prompt is from sudo or openconnect? I have zero Python experience, but have used expect before. There are some good examples of how it works in Python.

One last edit to mention that your certificate error is nothing to do with this, and is occurring because you don't have your VPN server's certificate stored in your trusted certificates. Save the server certificate to your local disk and reference it with the --cafile argument to openconnect.

miken32

  • Thank you, I don't think we're allowed to use certificates anymore. Weird story and I'm not allowed to tell it anyway ;) – codyc4321 Feb 03 '16 at 10:37
  • Regardless of client certificates, you'll still need to get a copy of the server certificate saved locally if you want to avoid that certificate verification error message. – miken32 Feb 03 '16 at 20:37
  • I will miken, I haven't gotten caught up with some other stuff yet – codyc4321 Feb 04 '16 at 23:33
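The pexpect point in the answer, worked through as an added example (not code from the question or the answer): instead of `expect('.*')`, the script expects the sudo, Username and Password prompts as distinct patterns, so it answers the sudo prompt only when sudo actually asks, and it treats the "Server certificate verify failed" line as a reason to stop rather than send credentials. The environment variables `SUDO_PW`, `VPN_USER`, `VPN_PW`, the `--cafile` path and the `ScriptedChild` stand-in are assumptions made for the example.

```python
import os

# Distinct prompts, instead of the catch-all '.*' from the question.
SUDO_PROMPT = r"\[sudo\] password for \S+:"
USER_PROMPT = r"Username:"
PASS_PROMPT = r"Password:"
CERT_FAIL = r"Server certificate verify failed"
PROMPTS = [SUDO_PROMPT, USER_PROMPT, PASS_PROMPT, CERT_FAIL]

class CertificateMismatch(Exception):
    """openconnect rejected the server certificate; stop before sending VPN credentials."""

def drive_login(child, sudo_pw, username, vpn_pw, max_prompts=4):
    """Answer whichever prompt appears next; returns the prompts handled, in order.
    `child` needs only expect(list) -> index and sendline(str): a pexpect.spawn
    object, or the ScriptedChild stand-in below."""
    handled = []
    for _ in range(max_prompts):
        name = PROMPTS[child.expect(PROMPTS)]
        handled.append(name)
        if name == SUDO_PROMPT:
            child.sendline(sudo_pw)   # sent only if sudo actually asked
        elif name == USER_PROMPT:
            child.sendline(username)
        elif name == PASS_PROMPT:
            child.sendline(vpn_pw)    # last step of the login
            return handled
        else:
            raise CertificateMismatch("refusing to log in to an unverified server")
    raise RuntimeError("no VPN password prompt after %d prompts" % max_prompts)

class ScriptedChild:
    """Constructed stand-in for pexpect.spawn: replays a fixed sequence of prompts."""
    def __init__(self, script):
        self.script, self.sent = list(script), []
    def expect(self, patterns):
        return patterns.index(self.script.pop(0))
    def sendline(self, line):
        self.sent.append(line)

def connect(server, cafile):
    """Real run: credentials from the environment, server certificate pinned via --cafile."""
    import pexpect  # imported here so drive_login can be exercised without it installed
    child = pexpect.spawn("sudo openconnect --cafile %s %s" % (cafile, server),
                          encoding="utf-8", timeout=60)
    drive_login(child, os.environ["SUDO_PW"], os.environ["VPN_USER"], os.environ["VPN_PW"])
    child.expect(pexpect.EOF, timeout=None)  # stay attached while the tunnel is up
```

`ScriptedChild([USER_PROMPT, PASS_PROMPT])` models the case where sudo has cached credentials and never prompts, which is exactly the situation `.*` could not distinguish.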