how to store server key permanently? openconnect
Is there a way to store the server key after a successful connection, the way ssh does?

No matter how many times I connect, I have to always type "yes" to accept the server key. I wish it would be accepted and stored forever.

###############################
amir@amirpc:~$ sudo openconnect uk.cisadd.com -u myusername
POST https://uk.cisadd.com/
Attempting to connect to server xxx.xxx.xxx.xxx:443
SSL negotiation with uk.cisadd.com
Server certificate verify failed: signer not found

Certificate from VPN server "uk.cisadd.com" failed verification.
Reason: signer not found
Enter 'yes' to accept, 'no' to abort; anything else to view: 

Connected to HTTPS on XXX.XXX.XXX.XXX
###############################

Can I write a bash script to run openconnect and answer "yes" automatically?

Stebbins answered 29/6, 2015 at 10:23 Comment(1)
Perhaps --no-cert-check? But the fact that your server certificate verification fails is worrying. - Rete
The best way is, the first time you log in to the server, to save your --servercert value (e.g. in your clipboard) and reuse it like this:

echo "password" | sudo openconnect -u username uk2.cisadd.com --passwd-on-stdin --servercert sha256:xxxxxxx
Abroad answered 25/10, 2017 at 22:20 Comment(0)
I bet you can do that with the option --no-cert-check, or by having a valid SSL cert:

sudo openconnect --no-cert-check uk.cisadd.com -u myusername
Nad answered 29/6, 2015 at 10:28 Comment(2)
Using openconnect v7.08, it seems they've removed the --no-cert-check option: "The --no-cert-check option was insecure and has been removed." - Diocese
So now you need a valid certificate. - Nad
You can use --no-cert-check if you don't care about having your traffic decrypted. Otherwise use --servercert=FINGERPRINT, where FINGERPRINT is the "Server key hash" as displayed in the certificate information.

Morphosis answered 14/6, 2016 at 18:52 Comment(1)
The --no-cert-check option is no longer supported. - Rebato
I ran into the same problem on OpenWRT and my solution was to install the 'ca-certificates' package.

# opkg install ca-certificates

Once I did this, openconnect stopped flagging 'signer not found'.

The benefit of this solution is that you're using the intended certificates and limiting your chances of compromising your network.

Hydrocellulose answered 9/1, 2017 at 1:55 Comment(0)
There is no longer a --no-cert-check option in openconnect version 7.0.6 onward, so I used the following procedure to work around this problem in a shell script:

Firstly, you need the server certificate pin, which you can find as follows:

echo <password> | sudo openconnect <hostname> --user=<username> --passwd-on-stdin --no-dtls   

Then you have to find the --servercert value in the output, like this:

...
SSL negotiation with xxxxxxx
Server certificate verify failed: signer not found

Certificate from VPN server "xxxxxxx" failed verification.
Reason: signer not found
To trust this server in future, perhaps add this to your command line:
    --servercert pin-sha256:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx  <--- Here it is
Enter 'yes' to accept, 'no' to abort; anything else to view: fgets (stdin): Operation now in progress

Finally, after copying the certificate pin, you can write your bash script as follows:

echo <password> | sudo openconnect <hostname> --user=<username> --passwd-on-stdin --no-dtls --servercert pin-sha256:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Dissenter answered 8/6, 2021 at 11:9 Comment(0)
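The manual copy-and-paste step above can be scripted. The following is an added example (not code from the thread or from the openconnect project): it parses the pin-sha256 value out of the verification-failure message, keeps it per host in a pin file the way ssh keeps known_hosts, and only adds --servercert when a pin is already stored, so a changed pin still produces the prompt instead of silently connecting. The pin file path and the sample message are this example's own assumptions; check a new pin against the value the VPN administrator publishes before saving it.

```shell
#!/bin/sh
# Added example, not from the thread or from openconnect itself.
# Extract the pin-sha256 token openconnect prints on verification failure,
# store it per host, and reuse it with --servercert on later connections.
# The pin file location is this script's own choice (assumption).

PIN_FILE="${OPENCONNECT_PIN_FILE:-$HOME/.openconnect_pins}"

# extract_pin: read openconnect output on stdin, print the first "pin-sha256:..." token
extract_pin() {
    sed -n 's|.*--servercert[[:space:]]*\(pin-sha256:[A-Za-z0-9+/=]*\).*|\1|p' | head -n 1
}

# save_pin HOST PIN: record the pin for HOST unless one is already stored (TOFU)
save_pin() {
    host="$1"; pin="$2"
    [ -n "$pin" ] || return 1
    touch "$PIN_FILE"
    grep -q "^$host " "$PIN_FILE" && return 0
    printf '%s %s\n' "$host" "$pin" >> "$PIN_FILE"
}

# lookup_pin HOST: print the stored pin for HOST, nothing if unknown
lookup_pin() {
    [ -f "$PIN_FILE" ] || return 0
    awk -v h="$1" '$1 == h { print $2; exit }' "$PIN_FILE"
}

# build_cmd HOST USER: print the openconnect command line; --servercert is added
# only when a pin is stored, so a missing or changed pin still hits the prompt
build_cmd() {
    pin=$(lookup_pin "$1")
    if [ -n "$pin" ]; then
        printf 'openconnect %s --user=%s --passwd-on-stdin --servercert %s\n' "$1" "$2" "$pin"
    else
        printf 'openconnect %s --user=%s --passwd-on-stdin\n' "$1" "$2"
    fi
}

# Constructed sample of the failure message (shape as in the thread; pin value is made up)
sample_output() {
cat <<'EOF'
Certificate from VPN server "vpn.example.com" failed verification.
Reason: signer not found
To trust this server in future, perhaps add this to your command line:
    --servercert pin-sha256:MADEUPpinValueForDemo0123456789abcdefABCDEF=
Enter 'yes' to accept, 'no' to abort; anything else to view:
EOF
}
```

In real use, pipe the output of the first connection attempt through extract_pin, pass the result to save_pin, and let build_cmd produce the command for every later connection.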