Bug 1730027

Summary: [RFE] Provide Option to use PKCS11 hardware token (Yubikey) for authentication
Product: Fedora
Reporter: Pat Riehecky <riehecky>
Component: NetworkManager
Assignee: Lubomir Rintel <lkundrak>
Status: NEW
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: rawhide
CC: bgalvani, code, dcbw, dwmw2, fedoraproject, fgiudici, gnome-sig, john.j5live, joshua.kenward, lkundrak, mclasen, rdieter, rhughes, riehecky, rstrode, sandmann, thaller
Hardware: All
OS: Linux
Type: Bug

Description Pat Riehecky 2019-07-15 15:47:18 UTC
Description of problem:
The command line openconnect client permits using a hardware pkcs11 token.

It would be nice if the GUI for NetworkManager permitted setting this as well.

My example use is with a Yubikey.

Version-Release number of selected component (if applicable):
NetworkManager-openconnect-1.2.4-11.fc30

How reproducible:
100%

Steps to Reproduce:
1. Try to configure NetworkManager-openconnect to use a hardware pkcs11 token

Actual results:
No way to set usage of a hardware token

Expected results:
Able to set hardware token.

Additional info:
openconnect -c 'pkcs11:manufacturer=piv_II' myvpn.example.com

Comment 1 David Woodhouse 2019-07-15 17:23:18 UTC
NetworkManager-openconnect already works fine, if a PKCS#11 URI is given as the certificate/key. But last time I looked, you needed to set that manually by editing the config file — even nmcli didn't work right for using PKCS#11 URIs as keys, as it wrongly filtered for *filenames*.

Assigning to NetworkManager. Not sure of the current status but here are some older upstream bugs which are/were relevant, and I think nmcli has at least been fixed for 802.1x if not for all connection types:

https://bugzilla.gnome.org/show_bug.cgi?id=719982
https://bugzilla.gnome.org/show_bug.cgi?id=679860

Comment 2 David Woodhouse 2019-07-15 17:29:58 UTC
It does seem to work with nmcli now, although it's slightly non-trivial as it's part of the 'vpn.data' field. You can see the current settings with 'nmcli con show MyVpn' then add the usercert field:

 nmcli con modify MyVpn vpn.data 'usercert = pkcs11:manufacturer=piv_II;id=%01, authtype = cert, gateway = xxxx:xxxx:xxxx:xxxx::1, protocol = pulse, cookie-flags = 2, certsigs-flags = 0, xmlconfig-flags = 0, stoken_source = disabled, prevent_invalid_cert = no, autoconnect-flags = 0, gateway-flags = 2, gwcert-flags = 2, pem_passphrase_fsid = no, enable_csd_trojan = no, lasthost-flags = 0'
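As an added example (not from the comment above or from the NetworkManager project), a small POSIX shell helper that upserts the usercert key into an existing vpn.data value rather than retyping the whole field, and refuses values that are not pkcs11: URIs; the connection name MyVpn and the sample vpn.data are constructed.

```shell
#!/bin/sh
# Added example, not part of the bug report: keep the other vpn.data keys when
# setting usercert, since 'nmcli con modify ... vpn.data' replaces the whole field.
# Input format is the "k1 = v1, k2 = v2" list that 'nmcli con show' prints.

# Return 0 only if the value carries the PKCS#11 URI scheme (RFC 7512), so a
# stray file path is not written where a token URI was meant.
is_pkcs11_uri() {
    case $1 in
        pkcs11:*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Upsert "KEY = VALUE" into the vpn.data list. Pairs are split on ", ", so the
# ';', '=' and '%XX' characters inside a PKCS#11 URI pass through untouched.
# Assumption: no value itself contains ", " (true for the keys shown above).
merge_vpn_data() {
    mvd_rest="$1, "          # trailing ", " sentinel so the last pair is seen
    mvd_key=$2; mvd_value=$3
    mvd_out=""; mvd_found=0
    while [ -n "$mvd_rest" ]; do
        mvd_pair=${mvd_rest%%, *}
        mvd_rest=${mvd_rest#*, }
        [ -n "$mvd_pair" ] || continue
        if [ "${mvd_pair%% =*}" = "$mvd_key" ]; then
            mvd_pair="$mvd_key = $mvd_value"; mvd_found=1
        fi
        mvd_out="${mvd_out:+$mvd_out, }$mvd_pair"
    done
    [ "$mvd_found" -eq 1 ] || mvd_out="${mvd_out:+$mvd_out, }$mvd_key = $mvd_value"
    printf '%s\n' "$mvd_out"
}

# Print (not run) the nmcli command that applies the merged field to CONNECTION.
build_nmcli_cmd() {
    is_pkcs11_uri "$3" || { echo "not a PKCS#11 URI: $3" >&2; return 1; }
    printf "nmcli con modify %s vpn.data '%s'\n" "$1" "$(merge_vpn_data "$2" usercert "$3")"
}

# Constructed sample: the vpn.data value 'nmcli con show MyVpn' might list.
SAMPLE_DATA="authtype = cert, gateway = vpn.example.com, protocol = pulse"
build_nmcli_cmd MyVpn "$SAMPLE_DATA" "pkcs11:manufacturer=piv_II;id=%01"
```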