dlenski / gp-saml-gui

Interactively authenticate to GlobalProtect VPNs that require SAML
GNU General Public License v3.0

fgets (stdin): Inappropriate ioctl for device #88

Open piakbt opened 6 months ago

piakbt commented 6 months ago

Hello!

Could you please help me with this? I'm getting the error "fgets (stdin): Inappropriate ioctl for device".

The steps are:

1.

$ eval $( gp-saml-gui --portal --clientos=Mac aa1.vpn.mycompany.com -- --csd-wrapper=/usr/libexec/openconnect/hipreport.sh )

Looking for SAML auth tags in response to https://aa1.vpn.mycompany.com/global-protect/prelogin.esp...
Got SAML POST, opening browser...
Traceback (most recent call last):
  File "/home/paul/.local/lib/python3.12/site-packages/gp_saml_gui.py", line 127, in on_load_changed
    ct = h.get_content_type()
         ^^^^^^^^^^^^^^^^^^
AttributeError: 'NoneType' object has no attribute 'get_content_type'
[PAGE   ] Finished loading page https://mycompany.okta.com/app/panw_globalprotect/exk3s5nzpziXEw98A297/sso/saml
[PAGE   ] Finished loading page https://mycompany.okta.com/login/sessionCookieRedirect
[PAGE   ] Finished loading page https://aa1.vpn.mycompany.com//SAML20/SP/ACS
[SAML   ] Got SAML result headers: {'saml-username': 'mycompany\\mylogin', 'prelogin-cookie': '<token>', 'saml-slo': 'no', 'saml-auth-status': '1'}
[SAML   ] Got all required SAML headers, done.
IMPORTANT: We started with SAML auth to the portal interface, but received a cookie that's often associated with the gateway interface. You should probably try both.

SAML response converted to OpenConnect command line invocation:

    echo <token> |
        sudo openconnect --protocol=gp '--useragent=PAN GlobalProtect' '--user=mycompany\mylogin' --os=mac-intel --usergroup=portal:prelogin-cookie --passwd-on-stdin aa1.vpn.mycompany.com --csd-wrapper=/usr/libexec/openconnect/hipreport.sh

SAML response converted to test-globalprotect-login.py invocation:

    test-globalprotect-login.py --user='mycompany\mylogin' --clientos=Mac -p '' \
         https://aa1.vpn.mycompany.com/global-protect/getconfig.esp prelogin-cookie=<token>

2.

$ echo <token> |
        sudo openconnect --protocol=gp '--useragent=PAN GlobalProtect' '--user=mycompany\mylogin' --os=mac-intel --usergroup=portal:prelogin-cookie --passwd-on-stdin ab1.vpn.mycompany.com --csd-wrapper=/usr/libexec/openconnect/hipreport.sh 

POST https://aa1.vpn.mycompany.com/global-protect/prelogin.esp?tmp=tmp&clientVer=4100&clientos=Mac
Connected to 11.111.111.11:443
SSL negotiation with aa1.vpn.mycompany.com
Connected to HTTPS on aa1.vpn.mycompany.com with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA256)-(AES-256-GCM)
Enter login credentials
POST https://aa1.vpn.mycompany.com/global-protect/getconfig.esp
Portal reports GlobalProtect version 6.1.1-5; we will report the same client version.
Portal set HIP report interval to 60 minutes).
1 gateway servers available:
  bb1.vpn.mycompany.com (bb1.vpn.mycompany.com)
Please select GlobalProtect gateway.
GATEWAY: [bb1.vpn.mycompany.com]:bb1.vpn.mycompany.com
POST https://bb1.vpn.mycompany.com/ssl-vpn/prelogin.esp?tmp=tmp&clientVer=4100&clientos=Mac
Connected to 2.22.22.222:443
SSL negotiation with bb1.vpn.mycompany.com
Connected to HTTPS on bb1.vpn.mycompany.com with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA256)-(AES-256-GCM)
Enter login credentials
prelogin-cookie: 
fgets (stdin): Inappropriate ioctl for device

piakbt commented 6 months ago

This line made me try to connect to the gateway directly: IMPORTANT: We started with SAML auth to the portal interface, but received a cookie that's often associated with the gateway interface. You should probably try both.

I do this and I have partial access. One resource is available, others not - so strange.

eval $( gp-saml-gui -S --gateway --clientos=Mac bb1.vpn.mycompany.com -- --csd-wrapper=/usr/libexec/openconnect/hipreport.sh )

Looking for SAML auth tags in response to https://bb1.vpn.mycompany.com/ssl-vpn/prelogin.esp...
Got SAML POST, opening browser...
Traceback (most recent call last):
  File "/home/paul/.local/lib/python3.12/site-packages/gp_saml_gui.py", line 127, in on_load_changed
    ct = h.get_content_type()
         ^^^^^^^^^^^^^^^^^^
AttributeError: 'NoneType' object has no attribute 'get_content_type'
[PAGE   ] Finished loading page https://mycompany.okta.com/app/panw_globalprotect/exkd9gesu3A19vjY6297/sso/saml
[PAGE   ] Finished loading page https://mycompany.okta.com/login/sessionCookieRedirect
[PAGE   ] Finished loading page https://bb1.vpn.mycompany.com/SAML20/SP/ACS
[SAML   ] Got SAML result tags: {'saml-auth-status': '1', 'prelogin-cookie': '<token>', 'saml-username': 'mylogin@mycompany.com', 'saml-slo': 'no', 'saml-SessionNotOnOrAfter': None}
[SAML   ] Got all required SAML headers, done.

SAML response converted to OpenConnect command line invocation:

    echo <token> |
        sudo openconnect --protocol=gp '--useragent=PAN GlobalProtect' --user=mylogin@mycompany.com --os=mac-intel --usergroup=gateway:prelogin-cookie --passwd-on-stdin bb1.vpn.mycompany.com --csd-wrapper=/usr/libexec/openconnect/hipreport.sh

SAML response converted to test-globalprotect-login.py invocation:

    test-globalprotect-login.py --user=mylogin@mycompany.com --clientos=Mac -p '' \
         https://bb1.vpn.mycompany.com/ssl-vpn/login.esp prelogin-cookie=<token>

Launching OpenConnect with sudo, equivalent to:
    echo <token> |
        sudo openconnect --protocol=gp '--useragent=PAN GlobalProtect' --user=mylogin@mycompany.com --os=mac-intel --usergroup=gateway:prelogin-cookie --passwd-on-stdin bb1.vpn.mycompany.com --csd-wrapper=/usr/libexec/openconnect/hipreport.sh
[sudo] password for paul: 
Enter login credentials
GlobalProtect login returned unexpected argument value arg[21]=AWS-BB1
Please report 1 unexpected values above (of which 0 fatal) to <openconnect-devel@lists.infradead.org>
Did not receive ESP keys and matching gateway in GlobalProtect config; tunnel will be TLS only.
No MTU received. Calculated 1455 for SSL tunnel. No ESP keys received
Set up UDP failed; using SSL instead

I am aware of this issue: https://github.com/dlenski/gp-saml-gui/issues/17 but I'm already using the HIP report script.

Could you consider any solution please?

marvinhrivera commented 3 months ago

I've been having the same issue for a couple of days, with the same error message at the end: "fgets (stdin): Inappropriate ioctl for device". However, I played a bit with the parameters and found out that in Step 2, if I remove the --passwd-on-stdin parameter, it will actually go through and authenticate. Could you test if this works for you as well?

piakbt commented 3 months ago

Hey @marvinhrivera! Thanks for the reply. Ah, I get the same error without the '--passwd-on-stdin' parameter.