neuropoly / intranet.neuro.polymtl.ca

NeuroPoly's lab manual
https://intranet.neuro.polymtl.ca

Explain `openconnect` w/ password manager #19

Open kousu opened 2 years ago

kousu commented 2 years ago

https://intranet.neuro.polymtl.ca/computing-resources/computing-resources-neuropoly#vpn is currently implying you should keep your VPN password (which is also your CAS, eduroam, HR, moodle, ... password) in plaintext.

A better script for mac users is

```bash
#!/bin/bash
# vpn.sh

set -eo pipefail

USER="<YOUR_CAS_USERNAME>"
PASS="$(security find-generic-password -a "${USER}" -s poly-vpn -w)"
GROUP=PolySSL # or PolyInvites, depending on your account's status
echo -n "$PASS" | sudo openconnect -u "$USER" --authgroup "$GROUP" --passwd-on-stdin ssl.vpn.polymtl.ca
```

However this needs to be used in tandem with

```bash
security add-generic-password -a "${USER}" -s poly-vpn -w
```

(tips first discovered over in https://github.com/neuropoly/computers/pull/172)

Ideally we'd also cover enough common password managers that anyone can copy-paste for what they use. In

https://github.com/neuropoly/computers/blob/266b179ab400d04dc800854468022ef0be504755/ansible/.vaultpass#L14-L18

I listed

Fix up this page to make sense for everyone.

kousu commented 2 years ago

Tagging @taowa and @joshuacwnewton because ..you were keen. Maybe? Tips on how to phrase this?

kousu commented 2 years ago

While we're at it, https://www.purdue.edu/science/scienceit/mac-vpn-openconnect.html suggests saving the typing every time you turn on the VPN with

```bash
sudo tee -a /etc/sudoers <<EOF
%admin  ALL=(ALL) NOPASSWD: /usr/local/bin/openconnect
EOF
```

but that too has to shift subtly depending on os/distro. e.g. on Linux I would do

```console
[kousu@requiem ~]$ sudo tee /etc/sudoers.d/openconnect <<EOF
> $USER  ALL=(ALL) NOPASSWD: /usr/bin/openconnect
> EOF
[sudo] password for kousu: 
kousu  ALL=(ALL) NOPASSWD: /usr/bin/openconnect
[kousu@requiem ~]$ 
```

or

```console
[kousu@requiem ~]$ sudo tee /etc/sudoers.d/openconnect <<EOF
> %wheel  ALL=(ALL) NOPASSWD: /usr/bin/openconnect
> EOF
[sudo] password for kousu: 
%wheel  ALL=(ALL) NOPASSWD: /usr/bin/openconnect
[kousu@requiem ~]$ 
```

kousu commented 2 years ago

@taowa pointed out that security might not be much better than just writing the password into the script in the first place:

> you'd then have to be giving the security command access, which means any application on the terminal could access the password

which seems... right. Is that right? Surely Apple has thought this through somehow, right? Is Keychain tied to TouchID or something?

pass (which I use) behaves like sudo: it unlocks for a while then times out and you have to reenter a top level password to use it the next time.

joshuacwnewton commented 2 years ago

To be honest... I'm sort of bad about this, myself. I do use Bitwarden, but I haven't yet put in the time to figure out how to get it to "just work" via the command line without having to put my bitwarden PW every time... I see threads like this one and then start to feel like life's too short to do all that work for one password. The integration definitely feels worse compared to macOS.

So... yeah, right now I'm hardcoding my VPN username/password into the script. :v

If we really want to discourage this, then I feel like it might actually be less effort (at least for folks on linux) to go through the motions of memorizing this one password, vs. setting up a password manager to be used via the command line. (Since, it feels likely that this would be the only PW that someone's going to be inputting via the command line... the benefits of jumping through those technical hoops probably isn't worth it.)

taowa commented 2 years ago

Joshua Newton, 2021-11-03 16:57 -0400:

> If we really want to discourage this, then I feel like it might actually be less effort to go through the motions of memorizing this one password, vs. setting up a password manager to be used via the command line. (Since, it feels likely that this would be the only PW that someone's going to be inputting via the command line... the benefits of jumping through those technical hoops probably isn't worth it.)

I'm... on the fence between "we should be telling people to memorize their pMatricule and password because they will need it for everything they do at Poly" and "their computers are storing it anyway, why not just pull it from wherever it's stored." I think we should give people the choice like this:

The VPN should be set to require your password on each connection. 

[Instructions to have it prompt.] 

And then have an "advanced users (password manager or plain text storage)" drop down or something and hide:

Your VPN password can also be stored in plain text (not recommended) or in your password manager.

```bash
# to use your password manager, remove the # at the beginning of the
# next line and specify the command needed to access your password.
# an example for the macOS keychain is below:
# VPN_PASSWORD_CMD='security [...]'

# to use a plaintext password (not recommended), replace [VPN password] with your VPN password
# VPN_PASSWORD_CMD='echo -n [VPN password]'

[...]

# run whichever command was chosen above and feed its output to openconnect
$VPN_PASSWORD_CMD | sudo openconnect [...]
```
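The VPN_PASSWORD_CMD indirection sketched above, written out as a complete script. This is an added example, not the lab's or the thread's own code; the VPN_USER, VPN_GROUP, VPN_HOST and OPENCONNECT variables, their defaults, and the `connect` subcommand are assumptions made here, and the alternative password-manager commands in the comments are illustrations.

```bash
#!/bin/bash
# vpn-connect.sh: added example of the VPN_PASSWORD_CMD indirection sketched
# above (not the lab's own script). Usage: ./vpn-connect.sh connect
set -eo pipefail

# Assumed settings; override any of them in the environment.
: "${VPN_USER:=your-cas-username}"     # placeholder: your CAS username
: "${VPN_GROUP:=PolySSL}"              # or PolyInvites, depending on your account
: "${VPN_HOST:=ssl.vpn.polymtl.ca}"
: "${OPENCONNECT:=sudo openconnect}"   # hook so the functions can be tested offline

# Command that prints the VPN password on stdout. Default: macOS keychain.
#   VPN_PASSWORD_CMD='pass show poly/vpn'                 # pass
#   VPN_PASSWORD_CMD='bw get password poly-vpn'           # Bitwarden CLI
#   VPN_PASSWORD_CMD='printf %s "[VPN password]"'         # plain text, not recommended
if [ -z "${VPN_PASSWORD_CMD:-}" ]; then
  VPN_PASSWORD_CMD="security find-generic-password -a $VPN_USER -s poly-vpn -w"
fi

# Run VPN_PASSWORD_CMD and print its first line only (pass(1) keeps the
# password there). Fail loudly if the command fails or prints nothing, so a
# misconfigured manager never sends an empty password to the VPN.
vpn_password() {
  local out
  out="$(eval "$VPN_PASSWORD_CMD")" \
    || { echo "vpn: '$VPN_PASSWORD_CMD' failed" >&2; return 1; }
  out="${out%%$'\n'*}"
  [ -n "$out" ] \
    || { echo "vpn: '$VPN_PASSWORD_CMD' printed no password" >&2; return 1; }
  printf '%s' "$out"
}

# Pipe the password into openconnect (--passwd-on-stdin) instead of passing it
# as an argument, where any local user could read it from the process list.
vpn_connect() {
  vpn_password | $OPENCONNECT -u "$VPN_USER" --authgroup "$VPN_GROUP" \
    --passwd-on-stdin "$VPN_HOST"
}

case "${1:-}" in
  connect) vpn_connect ;;
esac
```

The same `sudoers` NOPASSWD rule discussed earlier in the thread still applies if you want the `sudo` inside to be prompt-free.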

alexfoias commented 2 years ago

The official way of connecting is listed here: https://www.polymtl.ca/si/acces-securise-rvp-ou-vpn

Not sure if we want to offer support for a different way of connecting to the VPN.

jcohenadad commented 2 years ago

> The official way of connecting is listed here: https://www.polymtl.ca/si/acces-securise-rvp-ou-vpn
>
> Not sure if we want to offer support for a different way of connecting to the VPN.

the issue with anyconnect ('official' way) is that AFAIK passwd cannot be added to Keychain

kousu commented 2 years ago

It's also not very linux-friendly. openconnect is supported by people who know Linux better than Cisco.

UMN wrote an entire guide just on installing it (AnyConnect) on linux https://it.umn.edu/services-technologies/how-tos/downloads-guides-install-anyconnect-vpn which includes this "tip":

> NOTE: Java or an alternative is a pre-requisite and must be installed prior to the AnyConnect installation.