Added Yubikey support
@@ -32,3 +32,13 @@ sudo -E ./run-vpn.sh
|
|||||||
```
|
```
|
||||||
|
|
||||||
In case of disconnect, it will try reconnecting after 3 seconds. You can stop it by pressing `CTRL+C` or killing the script.
|
In case of disconnect, it will try reconnecting after 3 seconds. You can stop it by pressing `CTRL+C` or killing the script.
|
||||||
|
|
||||||
|
### Yubikey
|
||||||
|
|
||||||
|
Yubikey can be used for safe storage of TOTP seed. Configure TOTP in Yubikey Authenticator app or `ykman oath` if using command line. Then use `ykman oath list` to get the name of the entry and set that name in `OC_YUBIKEY` environment variable.
|
||||||
|
|
||||||
|
For example:
|
||||||
|
|
||||||
|
```
|
||||||
|
OC_YUBIKEY=VPN:organization sudo -E ./run-vpn.sh
|
||||||
|
```
|
||||||
|
|||||||
+8
-1
@@ -44,12 +44,19 @@ while true; do
|
|||||||
SCRIPT_INCLUDE="--script=\"$SCRIPTPATH/routing.sh\""
|
SCRIPT_INCLUDE="--script=\"$SCRIPTPATH/routing.sh\""
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
# If yubikey is not used, use the TOTP seed
|
||||||
|
if [[ -z "$OC_YUBIKEY" ]]; then
|
||||||
TOTP=$(oathtool --totp=sha1 -b "$SEED")
|
TOTP=$(oathtool --totp=sha1 -b "$SEED")
|
||||||
|
PASSWORD="$PASSWORD\n$TOTP"
|
||||||
|
else
|
||||||
|
YUBIKEY_TOTP="--token-mode=yubioath --token-secret=$OC_YUBIKEY"
|
||||||
|
fi
|
||||||
|
|
||||||
echo -e "$PASSWORD\n$TOTP" | sudo openconnect \
|
echo -e "$PASSWORD" | sudo openconnect \
|
||||||
--csd-wrapper hostscan-bypass.sh \
|
--csd-wrapper hostscan-bypass.sh \
|
||||||
--passwd-on-stdin \
|
--passwd-on-stdin \
|
||||||
--os=mac-intel \
|
--os=mac-intel \
|
||||||
|
$YUBIKEY_TOTP \
|
||||||
$SCRIPT_INCLUDE \
|
$SCRIPT_INCLUDE \
|
||||||
-u $USERNAME \
|
-u $USERNAME \
|
||||||
$SERVER
|
$SERVER
|
||||||
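Review bot: `PASSWORD="$PASSWORD\n$TOTP"` mutates PASSWORD inside the `while true` reconnect loop, so if PASSWORD is assigned before the loop (its assignment is outside the hunk) every reconnect appends another code and the stdin fed to openconnect becomes `pass\nTOTP1\nTOTP2…`, where the second line — presumably the one consumed by the token prompt under `--passwd-on-stdin` — is the stale code from the previous attempt. Build the stdin payload in a separate variable instead: `STDIN_LINES="$PASSWORD\n$TOTP"` in the `if` branch, `STDIN_LINES="$PASSWORD"` in the `else` branch, and `echo -e "$STDIN_LINES" | sudo openconnect \`. The unquoted `$YUBIKEY_TOTP` relies on word-splitting to separate the two options and would break if OC_YUBIKEY ever contained whitespace; an array, `YUBIKEY_TOTP=(--token-mode=yubioath "--token-secret=$OC_YUBIKEY")` expanded as `"${YUBIKEY_TOTP[@]}"`, is the safer form. If the script runs with `set -u`, `[[ -z "$OC_YUBIKEY" ]]` aborts when the variable is unset; `"${OC_YUBIKEY:-}"` avoids that. The enclosing `while` loop starts and ends outside the hunk.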
|
|||||||