Aladdin eToken 5110 with Cisco VPN and Gentoo
Using openconnect, GnuTLS and SafeNet
After some tinkering I finally got a SafeNet eToken 5110 (token-based authentication) connecting to a Cisco VPN.
My case is a pre-configured, PIN-protected hardware token that is required to connect to a private VPN. If you want to create or modify such a token, you are in the wrong place.
Problems
- The latest SafeNet software and an old hardware token did not work. I was only able to use an older SafeNet software version with the 5110 hardware token.
- Existing ebuilds did not work well, but I ended up doing most of what this ebuild does.
Hardware
SafeNet eToken 5110 Token-Based Authentication
lsusb output:
Bus 001 Device 009: ID 0529:0620 Aladdin Knowledge Systems Token JC
Software
- Gentoo with kernel version 5.4.38-gentoo, no-multilib
- SafeNetAuthenticationClient-9.0.43-0_amd64.deb
The following packages, with the latest stable version available as of this writing:
net-libs/gnutls USE="cxx idn nls openssl pkcs11 seccomp tls-heartbeat tools"
sys-apps/pcsc-lite USE="policykit udev"
sys-apps/pcsc-tools
net-vpn/openconnect USE="gnutls nls"
dev-libs/opensc USE="pcsc-lite readline ssl zlib"
Setup
Since I do not use an ebuild, I write down the files I've copied to make an uninstall easier.
After installing the required packages, create an empty folder in which you store all the SafeNet and VPN files. Download the .deb package and place it in this new folder.
Unpack the deb file with
ar x filename.deb
You only need the data.tar.gz file. Unpack it with
tar -xvf data.tar.gz
Change into lib and create symlinks like this:
lrwxrwxrwx libcardosTokenEngine.so -> libcardosTokenEngine.so.9.0.43
lrwxrwxrwx libcardosTokenEngine.so.9 -> libcardosTokenEngine.so.9.0.43
lrwxrwxrwx libcardosTokenEngine.so.9.0 -> libcardosTokenEngine.so.9.0.43
-rwxr-xr-x libcardosTokenEngine.so.9.0.43
lrwxrwxrwx libeTokenHID.so -> libeTokenHID.so.9.0.43
lrwxrwxrwx libeTokenHID.so.9 -> libeTokenHID.so.9.0.43
lrwxrwxrwx libeTokenHID.so.9.0 -> libeTokenHID.so.9.0.43
-rwxr-xr-x libeTokenHID.so.9.0.43
lrwxrwxrwx libeToken.so -> libeToken.so.9.0.43
lrwxrwxrwx libeToken.so.9 -> libeToken.so.9.0.43
lrwxrwxrwx libeToken.so.9.0 -> libeToken.so.9.0.43
-rwxr-xr-x libeToken.so.9.0.43
lrwxrwxrwx libeTPkcs11.so -> libeToken.so.9.0.43
lrwxrwxrwx libetvTokenEngine.so -> libetvTokenEngine.so.9.0.43
lrwxrwxrwx libetvTokenEngine.so.9 -> libetvTokenEngine.so.9.0.43
lrwxrwxrwx libetvTokenEngine.so.9.0 -> libetvTokenEngine.so.9.0.43
-rwxr-xr-x libetvTokenEngine.so.9.0.43
lrwxrwxrwx libiKeyTokenEngine.so -> libiKeyTokenEngine.so.9.0.43
lrwxrwxrwx libiKeyTokenEngine.so.9 -> libiKeyTokenEngine.so.9.0.43
lrwxrwxrwx libiKeyTokenEngine.so.9.0 -> libiKeyTokenEngine.so.9.0.43
-rwxr-xr-x libiKeyTokenEngine.so.9.0.43
lrwxrwxrwx libSACLog.so -> libSACLog.so.9.0.43
lrwxrwxrwx libSACLog.so.9 -> libSACLog.so.9.0.43
lrwxrwxrwx libSACLog.so.9.0 -> libSACLog.so.9.0.43
-rwxr-xr-x libSACLog.so.9.0.43
lrwxrwxrwx libSACUI.so -> libSACUI.so.9.0.43
lrwxrwxrwx libSACUI.so.9 -> libSACUI.so.9.0.43
lrwxrwxrwx libSACUI.so.9.0 -> libSACUI.so.9.0.43
-rwxr-xr-x libSACUI.so.9.0.43
Now you can copy those files and symlinks to /usr/lib64/ with cp -av. Only the lib files are needed. Copy the binaries from usr/bin/ to /usr/bin/.
Create the following folder:
mkdir -p /usr/lib64/readers/usb/
and copy usr/share/eToken/drivers/aks-ifdh.bundle into it with cp -avR.
Change into /usr/lib64/readers/usb/aks-ifdh.bundle/Contents/Linux/ and make sure the files look like this:
lrwxrwxrwx libAksIfdh.so -> libAksIfdh.so.9.0
lrwxrwxrwx libAksIfdh.so.9 -> libAksIfdh.so.9.0
-rwxr-xr-x libAksIfdh.so.9.0
Now make sure the binaries can be executed and all the files have the correct ownership.
Create the file eToken.module in /etc/pkcs11/modules/ with the following content:
module: /usr/lib64/libeTPkcs11.so
Create or use this init script for starting /usr/bin/SACSrv in /etc/init.d/.
Now start the needed daemons in the right order:
/etc/init.d/pcscd start
/etc/init.d/SACSrv start
After that, pcsc_scan should show your token (output modified). The command keeps running until you stop it:
Scanning present readers...
0: AKS ifdh [eToken 5110 SC] 00 00
Reader 0: AKS ifdh [eToken 5110 SC] 00 00
Event number: 0
Card state: Card inserted, Shared Mode,
ATR: 3B D5 18 00 81 31 FE 7D 80 73 C8 21 10 F4
ATR: 3B D5 18 00 81 31 FE 7D 80 73 C8 21 10 F4
+ TS = 3B --> Direct Convention
+ T0 = D5, Y(1): 1101, K: 5 (historical bytes)
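The unpack, symlink, copy and eToken.module steps above, collected into one script. This is an added example and not from the original post; it assumes the .deb layout described above (lib/, usr/bin/ and usr/share/eToken/drivers/aks-ifdh.bundle) and the 9.0.43 file names, and install_sac takes an optional ROOT so it can be dry-run outside /.

```shell
#!/bin/sh
# Added example, not from the original post: replays the unpack, symlink,
# copy and eToken.module steps for SafeNetAuthenticationClient-9.0.43-0_amd64.deb.
# Assumes the .deb layout described above: lib/ with versioned .so files,
# usr/bin/ and usr/share/eToken/drivers/aks-ifdh.bundle.
set -eu

# For every real libNAME.so.X.Y[.Z] in DIR create the shorter symlinks
# (libNAME.so, libNAME.so.X, libNAME.so.X.Y), all pointing at the real file.
make_solinks() {
    dir=$1
    for lib in "$dir"/*.so.[0-9]*; do
        [ -f "$lib" ] && [ ! -L "$lib" ] || continue  # real files only
        base=$(basename "$lib")         # libeToken.so.9.0.43
        link=${base%%.so.*}.so          # libeToken.so
        rest=${base#*.so.}              # 9.0.43
        ln -sfn "$base" "$dir/$link"
        while [ "$rest" != "${rest#*.}" ]; do   # another version part follows
            link=$link.${rest%%.*}      # libeToken.so.9, then libeToken.so.9.0
            rest=${rest#*.}
            ln -sfn "$base" "$dir/$link"
        done
    done
    # libeTPkcs11.so, the path named in eToken.module, is an alias for libeToken.
    for lib in "$dir"/libeToken.so.[0-9]*.[0-9]*.[0-9]*; do
        [ -f "$lib" ] || continue
        ln -sfn "$(basename "$lib")" "$dir/libeTPkcs11.so"
    done
}

# Unpack DEB into WORK and install below ROOT ("" installs to the live system).
install_sac() {
    deb=$1; work=$2; root=${3:-}
    case $deb in /*) ;; *) deb=$PWD/$deb ;; esac   # ar runs inside WORK
    mkdir -p "$work" "$root/usr/bin" "$root/usr/lib64/readers/usb" "$root/etc/pkcs11/modules"
    (cd "$work" && ar x "$deb" && tar -xf data.tar.gz)
    make_solinks "$work/lib"
    cp -av "$work"/lib/* "$root/usr/lib64/"
    cp -av "$work"/usr/bin/* "$root/usr/bin/"
    cp -avR "$work/usr/share/eToken/drivers/aks-ifdh.bundle" "$root/usr/lib64/readers/usb/"
    make_solinks "$root/usr/lib64/readers/usb/aks-ifdh.bundle/Contents/Linux"
    chmod 755 "$root"/usr/bin/* "$root"/usr/lib64/readers/usb/aks-ifdh.bundle/Contents/Linux/*
    chown -R root:root "$root/usr/lib64/readers/usb/aks-ifdh.bundle"
    echo "module: /usr/lib64/libeTPkcs11.so" > "$root/etc/pkcs11/modules/eToken.module"
}
```

Run install_sac with a scratch ROOT first and compare the result against the listings above before installing to /.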
Now comes the fun part: finding the right value for openconnect. Run
p11tool --list-tokens
to get the URL for your token. It should look like this:
Token 1:
URL: pkcs11:model=eToken;manufacturer=SafeNet%2C%20Inc.;serial=0000000;token=some-label
Label: some-label
Type: Hardware token
Flags: RNG, Requires login
Manufacturer: SafeNet, Inc.
Model: eToken
Serial: 0000000
Module: /usr/lib64/libeTPkcs11.so
Use the above URL with the next command:
p11tool --login --list-all-certs 'pkcs11:model=eToken;manufacturer=SafeNet%2C%20Inc.;serial=0000000;token=some-label'
It should list all the available certs and prompt you for a PIN. In my case there is only one:
Object 0:
URL: pkcs11:model=eToken;manufacturer=SafeNet%2C%20Inc.;serial=0000000;token=some-label;id=%25%43%64%32%F7%B1%AE%C7;object=%7B7e206816-cdce-4360-ae64-ea65c3277523%7D;type=cert
Type: X.509 Certificate (RSA-1024)
Expires: Mon May 29 09:43:02 2023
Label: {7e206816-cdce-4360-ae64-ea65c3277523}
ID: 25:43:64:32:f7:b1:ae:c7
This URL from the Object is the one needed for the openconnect command:
openconnect -c 'pkcs11:model=eToken;manufacturer=SafeNet%2C%20Inc.;serial=0000000;token=some-label;id=%25%43%64%32%F7%B1%AE%C7;object=%7B7e206816-cdce-4360-ae64-ea65c3277523%7D;type=cert' https://endpoint.url
This should trigger the PIN input and then ask for your username and password.
POST https://endpoint.url
Connected to 1.1.1.1:443
PIN required for some-label
Enter PIN:
Using client certificate 'some-label'
SSL negotiation with endpoint.url
Connected to HTTPS on endpoint.url with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA512)-(AES-256-GCM)
POST https://endpoint.url
SSL negotiation with endpoint.url
Connected to HTTPS on endpoint.url with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA512)-(AES-256-GCM)
XML POST enabled
Please enter your username and password.
Username:
Password:
POST https://endpoint.url
Got CONNECT response: HTTP/1.1 200 OK
CSTP connected. DPD 30, Keepalive 20
Connected as 1.1.1.225, using SSL, with DTLS in progress
Established DTLS connection (using GnuTLS). Ciphersuite (DTLS1.2)-(ECDHE-RSA)-(AES-256-GCM).
Done. You are now connected. To end the connection, simply press Ctrl+C and make sure no openconnect process is still running.
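The p11tool-to-openconnect step above, as an added example that is not part of the original post: it parses the `p11tool --login --list-all-certs` output for the `type=cert` URL instead of retyping it, refuses to guess when the token holds zero or several certificates, and hands the result to openconnect. The token URL and VPN endpoint are arguments; the embedded SAMPLE is constructed from the output shown above.

```shell
#!/bin/sh
# Added example, not from the original post: pull the certificate URL that
# openconnect -c needs out of `p11tool --login --list-all-certs` output instead
# of retyping it. Token URL and VPN endpoint are passed in as arguments.
set -eu

# Read p11tool output on stdin; print "URL<TAB>expiry<TAB>label" for every
# object whose URL ends in type=cert (private keys and other objects are skipped).
list_certs() {
    awk '
        function emit() {
            if (url ~ /;type=cert$/) print url "\t" expires "\t" label
            url = expires = label = ""
        }
        /^Object [0-9]+:/   { emit(); next }
        /^[ \t]*URL:/       { url = $2 }
        /^[ \t]*Expires:/   { sub(/^[ \t]*Expires:[ \t]*/, ""); expires = $0 }
        /^[ \t]*Label:/     { sub(/^[ \t]*Label:[ \t]*/, ""); label = $0 }
        END                 { emit() }
    '
}

# Print the single certificate URL; fail when the token holds none or several,
# so the wrong certificate is never handed to openconnect silently.
pick_cert_url() {
    urls=$(list_certs | cut -f1)
    n=$(printf '%s\n' "$urls" | grep -c . || true)
    [ "$n" -eq 1 ] || { echo "expected exactly one certificate, found $n" >&2; return 1; }
    printf '%s\n' "$urls"
}

# Real use: connect_with_token TOKEN_URL https://endpoint.url
# (p11tool prompts for the PIN once here, openconnect prompts again).
connect_with_token() {
    url=$(p11tool --login --list-all-certs "$1" | pick_cert_url)
    openconnect -c "$url" "$2"
}

# Constructed sample, mirroring the p11tool output shown in the post.
SAMPLE='Object 0:
    URL: pkcs11:model=eToken;manufacturer=SafeNet%2C%20Inc.;serial=0000000;token=some-label;id=%25%43%64%32%F7%B1%AE%C7;object=%7B7e206816-cdce-4360-ae64-ea65c3277523%7D;type=cert
    Type: X.509 Certificate (RSA-1024)
    Expires: Mon May 29 09:43:02 2023
    Label: {7e206816-cdce-4360-ae64-ea65c3277523}
    ID: 25:43:64:32:f7:b1:ae:c7'

printf '%s\n' "$SAMPLE" | list_certs
```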