Bug 148490 - net-misc/vpnc - patch to allow pcf2vpnc to handle enc_GroupPwd without using an external website
Summary: net-misc/vpnc - patch to allow pcf2vpnc to handle enc_GroupPwd without using ...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: New packages
Hardware: All Linux
Importance: High enhancement
Assignee: Hanno Böck
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2006-09-21 04:00 UTC by Nathan Goldstick
Modified: 2006-10-28 15:13 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Attachments
The overlay I use to allow vpnc to decode the group password in a pcf file locally. (vpnc-overlay.tar.bz2,4.63 KB, application/x-bzip)
2006-09-21 04:02 UTC, Nathan Goldstick
Makes pcf2vpnc decode the password locally. (vpnc-0.3.3-cisco-decrypt.patch,6.58 KB, patch)
2006-09-21 13:25 UTC, Nathan Goldstick
changes vpnc-0.3.3-r1.ebuild to make it use the last patch (vpnc-0.3.3-r1.ebuild.patch,365 bytes, patch)
2006-09-21 13:42 UTC, Nathan Goldstick

Description Nathan Goldstick 2006-09-21 04:00:51 UTC
When running pcf2vpnc on a pcf file with an enc_GroupPwd entry, it sends it to http://www.unix-ag.uni-kl.de/~massar/bin/cisco-decode to be decoded. When visiting the site, one finds that http://www.unix-ag.uni-kl.de/~massar/soft/cisco-decrypt.c may be used to decode it locally, rather than sending it unencrypted across the internet. One can then compile cisco-decrypt, and modify pcf2vpnc to use it to decode the password locally.

I created an overlay that does just this. It is currently posted at http://www.ucf.ics.uci.edu/~goldsticknt/gentoo/overlays/vpnc-overlay.tar.bz2. Unzip in ${PORTDIR_OVERLAY}/net-misc/. USE="cisco-decrypt" emerge vpnc installs vpnc with the patch, while USE="-cisco-decrypt" installs the same thing the default vpnc-0.3.3 ebuild does.
Comment 1 Nathan Goldstick 2006-09-21 04:02:16 UTC
Created attachment 97623 [details]
The overlay I use to allow vpnc to decode the group password in a pcf file locally.
Comment 2 Jakub Moc (RETIRED) gentoo-dev 2006-09-21 04:33:33 UTC
Absolutely no clue what installs pcf2vpn. Reopen with ebuild name and version, and attach the files as plaintext, not tarballs.
Comment 3 Nathan Goldstick 2006-09-21 13:21:57 UTC
Knew I was forgetting something important (shrug)... pcf2vpnc is a Perl script installed by the vpnc-0.3.3 ebuild.

Currently, =net-misc/vpnc-0.3.3 is built by unzipping the vpnc-0.3.3.tar.gz tarball found at http://www.unix-ag.uni-kl.de/~massar/vpnc/vpnc-0.3.3.tar.gz, and running make. This is what the ebuild in the portage tree currently does. The next step would normally be to run make install, but the ebuild apparently does this itself.

This is taken from ${PORTDIR}/net-misc/vpnc/vpnc-0.3.3.ebuild:
src_install() {
        dobin vpnc vpnc-disconnect pcf2vpnc
        dodoc ChangeLog README TODO VERSION
        doman vpnc.8
        insinto /etc
        doins vpnc.conf
        exeinto /etc/vpnc
        doexe vpnc-script
        keepdir /var/run/vpnc
}

The first line of this function is what installs pcf2vpnc. It eventually finds its way from ${S}/pcf2vpnc to /usr/bin/pcf2vpnc.

This script is used to convert a pcf file intended for the Cisco VPN client to a conf file suitable for vpnc. This is important because the pcf file includes all the information required to log onto a particular VPN, including the group password. It turns out that sometimes the group password is scrambled before it is written to the pcf. The decodePW function inside pcf2vpnc unscrambles this password, but currently does so by utilizing the cisco-decode website mentioned above. As the algorithm used to unscramble this password is publicly available, and the website is accessed via an unencrypted connection, the group password is sent across the internet in cleartext. The user is warned about this, and has a chance to opt out. It seems that it might make more sense to just decode the password locally, and give the user the vpnc.conf file they are looking for.

This can be done with a few modifications. First, the source mentioned on the cisco-decode site mentioned above must be downloaded and compiled. It can then be installed in /usr/bin/cisco-decode. I currently use an overlay that does this by adding cisco-decode.c to ${S}. I then modify the Makefile by changing the following:
-all : vpnc
+all : vpnc cisco-decrypt
I also add the following line to the Makefile:
cisco-decrypt : cisco-decrypt.c
    $(CC) -o $@ $^ $(CFLAGS) $(LDFLAGS)
For completeness, I also modify the install and install-strip targets, even though they apparently aren't used by the ebuild.

pcf2vpnc must then be modified to use cisco-decrypt. The necessary changes are made to the decodePW function (It should be pretty obvious.)

All of the above changes are included in vpnc-0.3.3-cisco-decrypt.patch, which I will attach.

The only other change required to use this patch is in the ebuild itself. I added IUSE="cisco-decrypt" in the overlay I am using to make this optional on my system. First a few lines are added to src_unpack():

src_unpack() {
        unpack ${A}
        cd ${S}
        epatch ${FILESDIR}/vpnc-iproute-fix-2.diff
        # Workaround for crappy Makefile
        sed -i -e "s:CFLAGS=-W -Wall -O:CFLAGS=${CFLAGS}:" Makefile

+        # cisco-decrypt addition
+        if use cisco-decrypt ; then
+                epatch ${FILESDIR}/vpnc-0.3.3-cisco-decrypt.patch
+        fi
}
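Review bot: the new epatch call sits after the `sed` that rewrites the Makefile's `CFLAGS=` line, yet vpnc-0.3.3-cisco-decrypt.patch also edits the Makefile (the `all` target and the new `cisco-decrypt` rule). If any hunk of that patch carries the original `CFLAGS=-W -Wall -O` line as context, it will fail to apply once the sed has run; applying the patch first and running the sed afterwards keeps the Makefile fix and the patch independent of each other.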

I then modify the dobin line in src_install:

src_install() {
-        dobin vpnc vpnc-disconnect pcf2vpnc
+        if use cisco-decrypt ; then
+                dobin vpnc vpnc-disconnect pcf2vpnc cisco-decrypt
+        else
+                dobin vpnc vpnc-disconnect pcf2vpnc
+        fi
        dodoc ChangeLog README TODO VERSION
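Review bot: the two `dobin` branches repeat the common file list, so a later change to the base set has to be made twice. Installing the base set unconditionally and adding the extra binary only under the flag says the same thing without the duplication: `dobin vpnc vpnc-disconnect pcf2vpnc` followed by `use cisco-decrypt && dobin cisco-decrypt`.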
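The conversion described in this comment, as an added example that is not code from the bug report, from pcf2vpnc or from vpnc: a minimal pcf to vpnc.conf converter that hands a scrambled enc_GroupPwd to a local decoder only and fails closed when none is installed, instead of posting the secret to a website. It assumes a command named by CISCO_DECRYPT (default cisco-decrypt, the binary discussed above) that prints the cleartext group password for a hex enc_GroupPwd argument; the pcf keys Host, GroupName, GroupPwd, enc_GroupPwd and Username, and the vpnc.conf keys they map to, are the standard ones, and the sample pcf at the end is constructed.

```bash
# Added example (not code from the bug report or from vpnc): a minimal pcf -> vpnc.conf
# converter in the spirit of the patched pcf2vpnc. A scrambled enc_GroupPwd is handed
# to a LOCAL decoder only; nothing is ever sent to a website.
# Assumption: CISCO_DECRYPT names a local command that prints the cleartext group
# password for a hex enc_GroupPwd argument (the cisco-decrypt binary discussed above).
: "${CISCO_DECRYPT:=cisco-decrypt}"

# Print the value of one key from an INI-style pcf file (DOS line endings tolerated).
pcf_get() {
    # $1 = key, $2 = pcf file
    sed -n "s/^$1=//p" "$2" | tr -d '\r' | head -n 1
}

# Print the cleartext group password for a pcf file.
# Fails closed: a scrambled password with no local decoder is an error,
# never a reason to fall back to a remote decode service.
pcf_group_password() {
    pcf="$1"
    plain=$(pcf_get GroupPwd "$pcf")
    if [ -n "$plain" ]; then
        printf '%s\n' "$plain"
        return 0
    fi
    enc=$(pcf_get enc_GroupPwd "$pcf")
    if [ -z "$enc" ]; then
        echo "error: neither GroupPwd nor enc_GroupPwd found in $pcf" >&2
        return 1
    fi
    if ! command -v "$CISCO_DECRYPT" >/dev/null 2>&1; then
        echo "error: enc_GroupPwd is scrambled and $CISCO_DECRYPT is not installed; refusing to decode remotely" >&2
        return 1
    fi
    "$CISCO_DECRYPT" "$enc"
}

# Write a vpnc.conf for the pcf file to stdout (standard vpnc.conf keys).
pcf_to_vpnc() {
    pcf="$1"
    secret=$(pcf_group_password "$pcf") || return 1
    printf 'IPSec gateway %s\n' "$(pcf_get Host "$pcf")"
    printf 'IPSec ID %s\n' "$(pcf_get GroupName "$pcf")"
    printf 'IPSec secret %s\n' "$secret"
    user=$(pcf_get Username "$pcf")
    if [ -n "$user" ]; then
        printf 'Xauth username %s\n' "$user"
    fi
    return 0
}

# Demo on a constructed pcf file with an unscrambled GroupPwd (so it needs no decoder).
demo_pcf=$(mktemp)
printf '[main]\r\nHost=vpn.example.test\r\nGroupName=staff\r\nGroupPwd=example-group-secret\r\nUsername=alice\r\n' > "$demo_pcf"
pcf_to_vpnc "$demo_pcf"
rm -f "$demo_pcf"
```

Pointing CISCO_DECRYPT at the locally built binary is the only configuration step; a pcf whose password is scrambled is converted only when that binary resolves, and the error path names the missing decoder rather than silently degrading to a network lookup.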
Comment 4 Nathan Goldstick 2006-09-21 13:25:07 UTC
Created attachment 97692 [details, diff]
Makes pcf2vpnc decode the password locally.

This patch adds cisco-decode.c, and changes the Makefile so that it will be built (and would be installed if make install were executed).
Comment 5 Nathan Goldstick 2006-09-21 13:42:14 UTC
Created attachment 97694 [details, diff]
changes vpnc-0.3.3-r1.ebuild to make it use the last patch

Modifies ${PORTDIR}/net-misc/vpnc/vpnc-0.3.3-r1.ebuild to use vpnc-0.3.3-cisco-decrypt.patch
Comment 6 Hanno Böck gentoo-dev 2006-10-28 15:13:09 UTC
Applied upstream, and now using svn snapshot.