[vox-tech] Using UC Davis vpn with the new Linux client PulseClient?
Bill Broadley
bill at broadley.org
Wed Jun 29 03:57:35 PDT 2016
On 06/27/2016 02:38 PM, Matthieu Stigler wrote:
> Hi
>
> UC Davis no longer offers the browser-based vpn entry, so you need to
> use the "Pulse client" they provide:
> https://www.lib.ucdavis.edu/ul/services/connect/faq.php
Sort of. They provide a Juniper based VPN solution that multiple
clients work with. Normally linux software is quite secure because it's:
* Compiled with current libraries and compilers
* Is 64 bit (for added page protection)
* Is delivered with a package manager (so you get updates)
* Is included via a secure infrastructure
* Uses shared libraries, so you can fix any insecure dependencies
* is open source, follows best practices, etc.
Security critical things running as root and handling security related
duties should be held to the highest possible standards.
Unfortunately the pulse client is the exact opposite. Probably one of
the least secure binaries on your system. The linux pulse client:
* is just a random .deb download
* doesn't include a manifest with checksums
* isn't signed
* is 32 bit
* has known broken/insecure ssl libraries statically compiled in
* doesn't include any way to automatically get/detect available upgrades
* Seems unclear if it's getting any love at all: 32 bit is pretty old, ancient openssl bindings, and (AFAICT) they are no longer affiliated with Juniper.
So generally I recommend avoiding pulse if at all possible. The good
news is that OpenConnect:
* Is compatible
* is 64 bit
* is open source
* is delivered by your package manager via secure/signed packages
* will automatically get updates (if turned on), or just apt update; apt upgrade
* uses current openssl libraries
* seems to work quite well
Unfortunately it's a bit tricky on older linux boxes. The main problem
is that you need a fairly new openssl to get a library that A) doesn't
have the security hole and B) emulates (securely) the old behavior to be
compatible, but still avoids the security hole.
It pretty much "just works" with ubuntu-16.04. Just run this:
sudo apt install openconnect
sudo /usr/sbin/openconnect --juniper vpn.library.ucdavis.edu
I brought this up with the library and they seem not to care about
security and just want to support the pulse client. They did fix their
SSL cert so you no longer have to blindly trust a random cert you download.
> This could be this bug:
> https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB40157/?q=KB40157
>
> But what is strange is that it did work at some point...
I got it to work to verify things, but it was an ugly fragile hack. Try
openconnect; on 12.04 you will likely have to install the newest version
from source and possibly openssl as well.
Might be worth spinning up an ubuntu-16.04 vps/virtualbox/whatever just
to tinker with how it works. Pretty sure the current fedora should work
fine as well. Pretty sure someone mentioned it working on OSX as well.
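The properties Bill lists against the Pulse client (32-bit build, OpenSSL statically compiled in, no shared libssl dependency) can be checked on any downloaded client binary before trusting it with root. The POSIX shell audit below is an added example, not code from the post or from either VPN project; it reads the ELF header byte that records 32/64-bit and scans the binary for embedded OpenSSL version strings, which a dynamically linked client would not carry.

```shell
#!/bin/sh
# Added example: audit a VPN client binary for the traits called out in the
# post. Usage: audit /path/to/pulse-or-openconnect-binary

# Print "32", "64" or "not-elf" for the file $1 by reading the EI_CLASS byte
# (offset 4) of the ELF header after confirming the 0x7f 'E' 'L' 'F' magic.
elf_class() {
    magic=$(dd if="$1" bs=1 count=4 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$magic" = "7f454c46" ] || { echo not-elf; return 1; }
    case $(dd if="$1" bs=1 skip=4 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n') in
        01) echo 32 ;;
        02) echo 64 ;;
        *)  echo unknown ;;
    esac
}

# List OpenSSL version banners embedded in the binary (e.g. "OpenSSL 1.0.1e").
# Such a banner means an OpenSSL copy is compiled in: distro updates to the
# system libssl will not fix it.
embedded_openssl() {
    grep -a -o 'OpenSSL [0-9][0-9a-z.]*' "$1" | sort -u
}

# Exit 0 if the binary references libssl as a shared object (a NEEDED entry
# leaves the literal "libssl.so..." in the file), 1 otherwise.
uses_shared_libssl() {
    grep -a -q 'libssl\.so' "$1"
}

audit() {
    f=$1
    echo "file:             $f"
    echo "ELF class:        $(elf_class "$f")"
    echo "embedded OpenSSL: $(embedded_openssl "$f" | tr '\n' ' ')"
    if uses_shared_libssl "$f"; then
        echo "libssl:           shared library (system updates apply)"
    else
        echo "libssl:           not referenced as a shared library"
    fi
}
```

Run `audit` on the extracted client binary (for a .deb, `dpkg-deb -x pkg.deb dir` first); a result of "32 / embedded OpenSSL 1.0.x / not shared" is exactly the profile the post warns about.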