Usage in WSL? #469

Open
LuciusLan opened this issue Jan 25, 2025 · 7 comments

Comments

@LuciusLan

Hi, first of all, thank you for your efforts in this project!
Okay, I understand my use case is very rare. I have a Windows on ARM device, and the official GP client doesn't support Win on ARM. So I'm trying with WSL, like every time Win on ARM gets stuck.
I use wslu for the virtual browser in WSL, which auto port-forwards to Chrome in my main system. With `sudo -E gpclient --fix-openssl connect --browser wslview` I can proceed until the following screen (which I can also see in other issues, but it seems our cases are not the same):

Image

But it hangs there.

F12 gives the following error:

```
ACS:1 Failed to launch 'globalprotectcallback: *********' because the scheme does not have a registered handler.
```

So I guess it is attempting to launch GP in the main system (Windows), which doesn't exist. In this case, is there any way to perform the authentication in the port-forwarded browser outside and send the callback back to WSL?

(I understand that just installing GNOME in WSL can get rid of this trouble, but GNOME is not an option for my outdated device.)

@LuciusLan
Author

LuciusLan commented Jan 25, 2025

Update:
I noticed #463 and #431, so I tried their workaround, opening a new bash and running:

```
echo -n "globalprotectcallback:*******" | nc 127.0.0.1 40353
```

The CLI tool proceeds to the following:

```
[2025-01-26T06:41:43Z INFO  gpclient::cli] gpclient started: 2.3.11 (2025-01-21)
[2025-01-26T06:41:43Z INFO  gpapi::portal::prelogin] Portal prelogin with user_agent: PAN GlobalProtect
[2025-01-26T06:41:43Z INFO  gpapi::portal::prelogin] Perform prelogin, user_agent: PAN GlobalProtect
[2025-01-26T06:41:44Z INFO  gpauth::cli] gpauth started: 2.3.11 (2025-01-21)
[2025-01-26T06:41:44Z INFO  gpauth::cli] Fixing OpenSSL environment
[2025-01-26T06:41:44Z INFO  gpapi::process::browser_authenticator] Launching browser: wslview
[2025-01-26T06:41:44Z INFO  gpauth::cli] Please continue the authentication process in the default browser
[2025-01-26T06:41:44Z INFO  gpauth::cli] Listening authentication data on port 40353
[2025-01-26T06:41:44Z INFO  gpauth::cli] If it hangs, please check the logs at `/tmp/gpcallback.log` for more information
[2025-01-26T06:41:53Z INFO  gpauth::cli] Received the browser authentication data from the socket
[2025-01-26T06:41:55Z INFO  gpauth::cli] Authentication completed
[2025-01-26T06:41:55Z INFO  gpapi::portal::config] Retrieve the portal config, user_agent: PAN GlobalProtect
[2025-01-26T06:41:55Z WARN  gpapi::portal::config] GP response error: reason=auth-failed, status=512 <unknown status code>, body=<empty>
```

The base64 string decodes to `<html><!-- <saml-auth-status>1</saml-auth-status>`, so the authentication should have no problem, I guess?

@yuezk
Owner

yuezk commented Jan 26, 2025

The expected `globalprotectcallback` payload should have the `cookie` field. It could be a problem if its content is just `<html><!-- <saml-auth-status>1</saml-auth-status>`.

@LuciusLan
Author

LuciusLan commented Jan 26, 2025

> The expected `globalprotectcallback` payload should have the `cookie` field. It could be a problem if its content is just `<html><!-- <saml-auth-status>1</saml-auth-status>`.

Sorry, I didn't make it clear. The decoded content is:

```
<html><!-- <saml-auth-status>1</saml-auth-status><prelogin-cookie>2nryI3qnx/FZ04yT0FNs9xY0x8bQdd1gu8Rf2LuZur1JovrLncUsmJqST3xLvz13</prelogin-cookie><saml-username>EMAIL@ADDRESS</saml-username><saml-slo>yes</saml-slo><saml-SessionNotOnOrAfter></saml-SessionNotOnOrAfter> --></html>
```
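Added example, not part of the thread and not the project's own code: a small Python helper that decodes a `globalprotectcallback:` URI, checks for the cookie field the maintainer asks about, and redacts the cookie and username so the result can be pasted into an issue. It assumes the text after the scheme is plain base64 of the HTML shown above; the function names and the sample values are hypothetical.

```python
import base64
import binascii
import re

SCHEME = "globalprotectcallback:"
# Field names below are the ones visible in the decoded payload in this thread.
SECRET_FIELDS = {"prelogin-cookie", "saml-username"}
FIELD_RE = re.compile(r"<([A-Za-z][\w-]*)>(.*?)</\1>", re.S)

def parse_callback(uri):
    """Decode a callback URI into a {field: value} dict."""
    if not uri.startswith(SCHEME):
        raise ValueError("not a globalprotectcallback URI")
    b64 = uri[len(SCHEME):].strip()
    b64 += "=" * (-len(b64) % 4)  # tolerate stripped padding
    try:
        html = base64.b64decode(b64, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError(f"payload is not base64 text: {exc}") from exc
    # The fields sit inside an HTML comment: <html><!-- ... --></html>
    m = re.search(r"<!--(.*?)-->", html, re.S)
    if m is None:
        raise ValueError("no HTML comment with SAML fields found")
    return dict(FIELD_RE.findall(m.group(1)))

def summarize(fields):
    """Redacted view of the fields plus the two checks from the thread."""
    redacted = {
        k: ("<redacted %d chars>" % len(v) if k in SECRET_FIELDS else v)
        for k, v in fields.items()
    }
    return {
        "saml_ok": fields.get("saml-auth-status") == "1",
        "has_cookie": bool(fields.get("prelogin-cookie")),
        "fields": redacted,
    }

# Constructed sample: same layout as the decoded payload above, dummy values.
_SAMPLE_HTML = (
    "<html><!-- <saml-auth-status>1</saml-auth-status>"
    "<prelogin-cookie>CONSTRUCTED-COOKIE</prelogin-cookie>"
    "<saml-username>user@example.com</saml-username>"
    "<saml-slo>yes</saml-slo>"
    "<saml-SessionNotOnOrAfter></saml-SessionNotOnOrAfter> --></html>"
)
SAMPLE_URI = SCHEME + base64.b64encode(_SAMPLE_HTML.encode()).decode()

if __name__ == "__main__":
    print(summarize(parse_callback(SAMPLE_URI)))
```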

@yuezk
Owner

yuezk commented Jan 26, 2025

Try running it with the `--as-gateway` parameter, e.g., `gpclient connect <portal> --as-gateway`, see what happens.

@LuciusLan
Author

LuciusLan commented Jan 26, 2025

OK, it now gives a more detailed error message:

```
[2025-01-26T10:35:59Z WARN gpapi::gateway::login] GP response error: reason=, status=512 , body=
var respStatus = "Error";
var respMsg = "Authentication failure: Invalid username or password";
thisForm.inputStr.value = "";

Error: Gateway login error:
```

Strange thing. My login goes through an organization login with 2FA (the Microsoft SharePoint one). The email address in that part of the b64 string is correct.

@yuezk
Owner

yuezk commented Jan 26, 2025

It looks unrelated to the `--as-gateway` parameter. Have you ever tried it on a Linux machine?

@LuciusLan
Author

I just tried on an EC2 VM, port-forwarded and opened with a different browser, and it gives the same error. I'm starting to feel like this is a problem with my organization's auth service.

Thank you for your kind help anyway!
