Friday, September 13, 2024

Pulse Secure Linux client with openSUSE Leap 15.6: installation notes

OS: openSUSE Leap 15.6

Pulse Secure: 22

My company's SSL VPN uses Pulse Secure, but there are relatively few reference articles for openSUSE Leap.


Get the RPM package from a colleague at the company


# rpm  -ivh  ps-pulse-linux-22.7r3-b30227-installer.rpm 

error: Failed dependencies:

        gtkmm30 >= 3.22.2 is needed by pulsesecure-2:22.7-R3.x86_64

        libbsd is needed by pulsesecure-2:22.7-R3.x86_64

        libcurl >= 7.29.0 is needed by pulsesecure-2:22.7-R3.x86_64

        nss-tools is needed by pulsesecure-2:22.7-R3.x86_64

        webkit2gtk3 >= 2.24.4 is needed by pulsesecure-2:22.7-R3.x86_64

  • Installing it directly runs into dependency problems

Install mozilla-nss-tools

# zypper  install  mozilla-nss-tools

Loading repository data...

Reading installed packages...

Resolving package dependencies...

The following 4 NEW packages are going to be installed:

  libfreebl3 libsoftokn3 mozilla-nss mozilla-nss-tools

4 new packages to install.

Overall download size: 2.1 MiB. Already cached: 0 B. After the operation, additional 5.4 MiB

will be used.

Backend:  classic_rpmtrans

Continue? [y/n/v/...? shows all options] (y):y

Add two repos

# zypper   addrepo   https://download.opensuse.org/repositories/server:mail/openSUSE_Tumbleweed/server:mail.repo 

  • Although this repo has 15.6, it was never built for 15.5, so I am staying with Tumbleweed

# zypper  addrepo  https://download.opensuse.org/repositories/devel:gcc:next/openSUSE_Tumbleweed/devel:gcc:next.repo 

  • This repo has no 15.6 at all

Refresh the repos and trust the relevant keys

# zypper  refresh

Install the glibc package

# zypper  install  glibc

Loading repository data...

Reading installed packages...

There is an update candidate for 'glibc' from vendor 'obs://build.opensuse.org/devel:gcc:next', while the current vendor is 'SUSE LLC <https://www.suse.com/>'. Use 'zypper install glibc-2.40.9000.164.gc9154cad6-4264.1.x86_64' to install this candidate.

Resolving package dependencies...

The following package is going to be upgraded:


1 package to upgrade.

Overall download size: 1.9 MiB. Already cached: 0 B. No additional space will be used or freed after

the operation.

Backend:  classic_rpmtrans

Continue? [y/n/v/...? shows all options] (y): y

  • This time there was no conflict, unlike with the previous version

Install the Pulse Secure package

# zypper  install  ps-pulse-linux-22.7r3-b30227-installer.rpm

Loading repository data...

Reading installed packages...

Resolving package dependencies...

Problem: 1: nothing provides 'libbsd' needed by the to be installed pulsesecure-2:22.7-R3.x86_64

 Solution 1: do not install pulsesecure-2:22.7-R3.x86_64

 Solution 2: break pulsesecure-2:22.7-R3.x86_64 by ignoring some of its dependencies

Choose from above solutions by number or cancel [1/2/c/d/?] (c):  2

Resolving dependencies...

Resolving package dependencies...

The following NEW package is going to be installed:


1 new package to install.

Overall download size: 11.8 MiB. Already cached: 0 B. After the operation, additional 33.9 MiB will

be used.

Backend:  classic_rpmtrans

Continue? [y/n/v/...? shows all options] (y): y

Retrieving: pulsesecure-2:22.7-R3.x86_64 (Plain RPM files cache)                 (1/1),  11.8 MiB    


    Package header is not signed!

pulsesecure-2:22.7-R3.x86_64 (Plain RPM files cache): Signature verification failed [6-File is unsigned]

Abort, retry, ignore? [a/r/i] (a): i

  • Here I chose Solution 2, installing by ignoring the dependencies, and also ignored the signature problem
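
A check that fits before the zypper install step above, because the package is unsigned and zypper cannot vouch for it: compare the RPM's SHA-256 digest with a value obtained out of band. This is an added example, not part of the original post; the function name check_rpm_digest and the EXPECTED placeholder are assumptions, and the post itself gives no reference digest.

```shell
# Added example (not from the original post): gate the install of an
# unsigned RPM on a SHA-256 digest obtained out of band.

# check_rpm_digest FILE EXPECTED_SHA256
# Returns 0 on match, 1 on mismatch, 2 on bad arguments or unreadable file.
check_rpm_digest() {
    file=$1
    expected=$2

    if [ -z "$file" ] || [ -z "$expected" ]; then
        echo "usage: check_rpm_digest FILE EXPECTED_SHA256" >&2
        return 2
    fi
    if [ ! -r "$file" ]; then
        echo "cannot read: $file" >&2
        return 2
    fi

    # Normalise to lower case and require exactly 64 hex digits, so a
    # truncated or mistyped reference value can never count as a match.
    expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f')
    case $expected in
        *[!0-9a-f]*) echo "expected digest is not hexadecimal" >&2; return 2 ;;
    esac
    if [ "${#expected}" -ne 64 ]; then
        echo "expected digest must be 64 hex digits" >&2
        return 2
    fi

    # Read via stdin so odd characters in the file name cannot alter the output.
    actual=$(sha256sum < "$file" | cut -d' ' -f1)
    [ -n "$actual" ] || return 2

    if [ "$actual" = "$expected" ]; then
        echo "digest OK: $file"
        return 0
    fi
    echo "digest MISMATCH: $file" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
}

# Usage, as root; EXPECTED is a placeholder for the value you were given:
#   EXPECTED='<sha256 from the vendor or your IT team>'
#   check_rpm_digest ps-pulse-linux-22.7r3-b30227-installer.rpm "$EXPECTED" \
#       && zypper install ps-pulse-linux-22.7r3-b30227-installer.rpm
```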

The Pulse Secure UI needs one more package on Leap 15.6

# zypper  install  libwebkit2gtk-4_0-37

  • Because the default package is newer


Click the + (add) button

Enter a name and the Server URL

Click Connect to start the connection

Bonus: connecting from the command line


# mkdir  -p  /etc/pki/ca-trust/extracted/openssl


# touch  /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt

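Open the URL you will be connecting to in the Brave browser, for example https://YOUR_SERVER_URL

Click the padlock --> click "Certificate is valid" to open it in a separate window

Click Details

Export all 3 certificates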


# cat  /home/sakanamax/Builtin\ Object\ Token_TWCA\ Global\ Root\ CA  >  /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt

# cat  /home/sakanamax/TWCA\ Secure\ SSL\ Certification\ Authority  >>  /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt

# cat  /home/sakanamax/_.YOURS.com.tw  >>  /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt

  • Remember to replace the company certificate name with your own

Connect - switch to a regular user first

> /opt/pulsesecure/bin/pulselauncher  -U  https://YOUR_SERVER_URL -u   YOUR_USER

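  • In practice, testing showed that a regular user can connect, while root cannot

  • Enter the User Realm: (ask your network administrator; it may be RWXY Users)

  • Enter the password

  • A successful connection may not print any message; open another window and check the routing table with > ip r s to confirm

After this, you can use Pulse Secure for SSL VPN connections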

~ enjoy it

