OpenConnect is the Open Source alternative for the proprietary Cisco AnyConnect client. Our company is using the Cisco AnyConnect client along with PIN protected RSA Software Tokens for the authentication.
Looks like a complicated solution if you don’t have your corporate Windows client around; there’s no Cisco AnyConnect client for Linux with RSA Software Token support, and the RSA application itself is only for Windows.
Guess what? It is not complicated at all and does not require WINE or any other tool to run the Windows app. It does not require the broken Cisco AnyConnect client either.
Update 10th June 2014: New instructions for new RSA Token Converter 3.0.
Update 10th October 2014: RSA Token Converter no longer needed.
Install the required software to import the token and the OpenConnect client itself:
# yum -y install NetworkManager-openconnect stoken-cli stoken-gui
If you’re using RHEL or CentOS up to 6.3 please reboot your system as the bundled NetworkManager is not able to reload plugins through dbus; otherwise if you’re running Fedora or RHEL/CentOS 6.4 or later you can directly proceed.
Use stoken to import your token, choosing between the various options:
$ stoken import --token 2000123456...
$ stoken import --token com.rsa.securid.iphone://ctf?ctfData=2000123456...
$ stoken import --file mytoken.sdtid
Leave the password request blank if you don’t want to password protect your token. Launch the command line program or the graphical program to get the passcode. The PIN must be identical to the one you set when first connecting to the VPN; otherwise the generated passcode will not match the one generated on the VPN server:
$ stoken
Enter PIN: 1234
32031342
Alternatively you can use the GTK based
Remove token PIN
To speed things up further, you can issue the following command to remove the PIN request when opening the token (both command line and graphical):
$ stoken setpin
Enter new PIN: 1234
Confirm new PIN: 1234
$ stoken
32031342
Create a new OpenConnect VPN through the VPN wizard of NetworkManager; the only required parameter is the server name.
If you have at least Fedora 20 or (probably) RHEL 7 with NetworkManager-openconnect 0.9.8 you can also paste the RSA Soft Token in the text box or use the Stoken file for passcode generation.
Upon connection, you will be asked your username and RSA passcode. If you have enabled Soft Token integration with the PIN saved in ~/.stokenrc you will be asked only the username.
The connection can also be initiated from the command line. This method also lets you avoid entering the PIN, offering the same functionality as NetworkManager-openconnect 9.8.0 on all Fedora releases and CentOS/RHEL 6:
sudo cp ~/.stokenrc /root
sudo openconnect --token-mode=rsa vpn.example.com
Pretty easy, huh?
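The steps above leave the token and, after setpin, the PIN in ~/.stokenrc, and the command line method copies that file to /root. As an added example (not part of the original post), this shell function flags an rc file that other users can read or that carries a saved PIN; the one "key value" pair per line layout and the "pin" key name are assumptions about the rc format, and the sample file is constructed.

```shell
#!/bin/sh
# Added example, not from the original post.
# Assumption: the rc file holds one "key value" pair per line and a
# saved PIN shows up as a line whose key is "pin".

audit_stokenrc() {
    audit_file=$1
    audit_findings=0
    if [ ! -f "$audit_file" ]; then
        echo "$audit_file: not found"
        return 3
    fi

    # Characters 5-10 of the ls mode string are the group and other bits.
    audit_bits=$(ls -ld "$audit_file" | cut -c5-10)
    if [ "$audit_bits" != "------" ]; then
        echo "$audit_file: group/other access ($audit_bits), expected mode 600"
        audit_findings=$((audit_findings + 1))
    fi

    # A saved PIN next to the token means the file alone yields passcodes.
    if grep -Eq '^pin[[:space:]]' "$audit_file"; then
        echo "$audit_file: PIN saved alongside the token"
        audit_findings=$((audit_findings + 1))
    fi

    # Return value is the number of findings (0 means clean).
    return "$audit_findings"
}

# Constructed sample: placeholder values, not a real token.
demo_dir=$(mktemp -d)
printf 'version 1\ntoken 000000000000\npin 0000\n' > "$demo_dir/stokenrc"
chmod 644 "$demo_dir/stokenrc"
audit_stokenrc "$demo_dir/stokenrc" || echo "findings: $?"
rm -rf "$demo_dir"
```

To check a real setup, call audit_stokenrc on ~/.stokenrc and, as root, on /root/.stokenrc if the command line method was used.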
I’ve updated the Steam repository with Fedora 20 packages and removed Fedora 17 bits from the SPEC files since it has now gone EOL.
Fedora 19 and up now have SDL 2 in the main repositories, though the Steam client ships its own library, which cannot be deleted or it will get downloaded again upon client startup.
Enabling Cisco WebEx on a Fedora system is actually a lot easier than it looks by searching on Google. Pretty usual uh? Every time you look for something Linux related, a plethora of posts tell you that you need to compile, download, hack and modify.
This was probably true 10 years ago, but now setting up everything is much easier than it sounds and usually involves a couple of settings and a couple of packages.
These are the steps required to set up Cisco WebEx on a Fedora 19 system, whether it be x86_64 or i686:
# yum install icedtea-web java-1.8.0-openjdk \
    pangox-compat.i686 libXmu.i686 libgcj.i686 mesa-libEGL.i686 \
    gtk2.i686 libpng2.i686
# setsebool -P unconfined_mozilla_plugin_transition=off mmap_low_allowed=on
The first packages are probably already installed on your system and should match your system architecture, while the others always need to be the i686 variant, as the WebEx program is compiled for 32 bit processors.
30th October 2013:
Updated information with additional packages for the latest WebEx update.
8th January 2014:
As reported in the comments, due to recent Mesa updates, if you don’t have Mesa’s libEGL installed you have to add it. Added to the list of packages required for installation.
I was notified I cannot use Fedora Koji builders for doing personal builds of Fedora forbidden items. This means I have to drop the following architectures from the repositories:
- CentOS/RHEL 5 – ppc
- CentOS/RHEL 5 – ppc64
- Fedora 20 – armv7hl
I don’t have any hardware for (or access to) any system like those, so my only option is to drop support for them. All those architectures are bound to disappear from the repositories with the next round of updates.
New version 3.01a17 has been released. Starting from this version packages are built with all architectures enabled; this means that Fedora 20 has inherited armv7hl support and CentOS/RHEL 6 and CentOS/RHEL 5 have now respectively
Along with the update, all Fedora 17 packages have been removed now that the distribution has gone EOL.
Nvidia repository has finally received the armv7hl builds and patches for kernel 3.10. I’ve added a new table that depicts the supported functionalities by distribution.
|Operating system||el6 / el7||f24 / f25||f26 / f27|
|Driver branch||Long Lived||Short Lived|
|Basic nvidia driver:|
|CUDA libraries and tools:|
|OpenGL Framebuffer Capture:|
|32 bit compatibility on x86_64:|
Guacamole is an HTML5 remote desktop gateway. Guacamole provides access to desktop environments using remote desktop protocols like VNC and RDP. A centralized server acts as a tunnel and proxy, allowing access to multiple desktops through a web browser.
No browser plugins are needed, and no client software needs to be installed. The client requires nothing more than a web browser supporting HTML5 and AJAX.
More information at the Guacamole homepage.
The Guacamole suite is made of two parts: the native server components, which go on the system making the connections to the target machines, and the client component (the web interface), which can reside on the same system as the server components or on a separate system.
The proxy required by the web application, guacd, is part of guacamole-server and built along with libguac and all protocol support by the
guacamole-client must be installed for Guacamole to work. No software needs to be installed on any client machine.
RHEL/CentOS and Fedora package status
All Guacamole components are already available in the main Fedora repositories and can be easily installed without any additional repository.
RHEL/CentOS needs the EPEL repository to be enabled, and it only contains the server components, as the full Maven stack required to build the web application is not available in Fedora. For this reason, installing on RHEL/CentOS requires you to put the war package in the appropriate folder on the system.
Supported distribution summary:
- Proxy daemon (CentOS/RHEL 6 and Fedora)
- SSH plugin (CentOS/RHEL 6 and Fedora)
- RDP plugin with sound and printing support (CentOS/RHEL 6 and Fedora)
- VNC plugin (CentOS/RHEL 6) with VNC repeater support (Fedora)
- Web application (CentOS/RHEL 6 from the upstream provided war file, Fedora from the repositories)
All supported desktop protocols can be installed all together or separate from each other. Examples below assume you want to install all Guacamole software (client & server) on the same system with all the protocols available.
Installing the server components
This applies to both Fedora and CentOS/RHEL. Launch the following command to pull in all server components:
yum -y install guacd libguac-client-*
Do not forget to enable the services. On Fedora:
systemctl enable guacd
On CentOS/RHEL:
chkconfig guacd on
Installing the client components (web application)
In Fedora, launch the following commands to install the main Guacamole web application. This will pull in Tomcat and all the required Java dependencies:
yum -y install guacamole
Enable it at boot:
systemctl enable tomcat
And then configure it. In Fedora, all configuration files are stored in the /etc/guacamole/ path. Just edit those files following the explanation in the configuring Guacamole manual section.
In CentOS/RHEL, launch the following command to install Tomcat. This will pull in all the required Java dependencies:
yum -y install tomcat6
Enable it at boot:
chkconfig tomcat6 on
Then you need to download the main Guacamole web application archive from the Guacamole homepage. Place the downloaded war file in /var/lib/tomcat6/webapps for Tomcat consumption.
mv guacamole-0.8.3.war /var/lib/tomcat6/webapps/guacamole.war
Then you need to find a place to put the configuration files according to the configuring Guacamole manual section. This can be time consuming and quite tricky until you get the configuration right, but after a while it’s very easy.
My personal preference would be to put the files in /etc/guacamole/ like in Fedora and make sure that the Tomcat service can find the files according to the manual. To do so, issue the following commands:
mkdir -p /etc/guacamole
echo "export GUACAMOLE_HOME=/etc/guacamole" > /etc/profile.d/guacamole.sh
echo "setenv GUACAMOLE_HOME /etc/guacamole" > /etc/profile.d/guacamole.csh
chcon system_u:object_r:bin_t:s0 /etc/profile.d/guacamole.*
Once it’s all configured, running it is pretty simple. First of all, start all the services. On Fedora:
systemctl start guacd
systemctl start tomcat
On CentOS/RHEL:
service guacd start
service tomcat6 start
Then point your browser to the Tomcat deployed application. If you’ve not modified Tomcat default configuration the URL is:
Try to log in; if you get an “Invalid user” error just look at the Tomcat logs. From my experience it’s usually a configuration problem.